By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
Sun Bulletin Number #00198, "Browser Certificates"
http://sunsolve.sun.com/security
Sun advises of a potential compromise of 2 specific security certificates which had limited distribution. Sun recommends that you follow the directions found at http://sunsolve5.sun.com/secbull/certificate_howto.html to determine if your web browser has accepted any of the potentially compromised certificates.
Comment: These two certificates could be used by a browser to unwittingly trust malicious Java applets. It is unclear how widely these certificates were distributed by Sun.
CERT/CC Current Activity (October 19: updated one topic)
http://www.cert.org/current/current_activity.html
The CERT/CC Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.
CERT Statistics (October 19)
http://www.cert.org/stats/cert_stats.html
The CERT/CC statistics on incident and vulnerability reports, security alerts and notes, hotline calls, and email messages have been updated with information from the third quarter of 2000.
The number of vulnerabilities and incidents seems set to double in the last year.
2000-10-25: Sun HotJava Browser Arbitrary DOM Access Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1837
A malicious website operator may be able to obtain cookies from a target system browsing with Sun HotJava Browser. The Document Object Model (DOM) of arbitrary URLs can be accessed if a specially formed javascript is launched from a named window. Cookies that may contain sensitive information can be acquired through this method.
Fix: none yet, disable javascript as a temporary workaround.
2000-10-26: iPlanet Webserver .shtml Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1848
2000-10-26: pam_mysql Authentication Input Validation Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1850
2000-10-23: MySQL Authentication Algorithm Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1826
2000-10-23: Allaire JRun 3.0 Directory Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1830
2000-10-23: Allaire JRun 2.3 Arbitrary Code Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1831
2000-10-23: Allaire JRun 2.3 File Source Code Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1833
2000-10-18: Oracle Internet Directory 2.0.6 oidldap Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1828%3Fvid%3D1828
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Sep/07/00
Solaris 7 Oct/03/00
Solaris 2.6 Oct/09/00
Solaris 2.5.1 Oct/09/00
Security basics, Part 1: Understanding file attribute bits and modes
http://www.sunworld.com/sunworldonline/swol-10-2000/swol-1020-unix101.html
Hardening Solaris - Compass Security Draft 0.82, by Ivan Butler
http://www.csnc.ch/download/sources/Hardening-Solaris V0.82.pdf
This PDF document provides a step-by-step tutorial on creating a Solaris system resistant to various methods of attack, based on the Titan scripts.
Advanced Networking Security, by Raul Gonzalez Barron, Eric Daniel, Ralph Akram Gholmieh, Ajay Kumar Gummmadi, Faisal Karim and Rehan Ayyub Sheikh
http://www.securityfocus.com/external/http://security.tsu.ru/info/unix/report.html#C
This interesting 1996 report contains the details of a hacking test exercise.
The report includes the hacking techniques that were learned, the attacks, and some suggestions for future versions of this class. All in all this course has been a very good learning ground for the future System Administrators having been able to get a view of what the bad guys can do to penetrate through the system. The practical aspect of the course brings in enthusiasm and helps learn and practice more.
An Unofficial Xinetd Tutorial, by Curator
http://www.macsecurity.org/resources/xinetd/tutorial.shtml
xinetd is a secure replacement for inetd, and a more efficient replacement for inetd and tcp_wrappers. It sports a number of features that make it a good choice for securing a server. These include access control (based on source address, destination address, and time), extensive logging, and the ability to bind services to specific interfaces. This tutorial will attempt to give an administrator the necessary tools to install, configure, and maintain xinetd.
Unix Password Management, by Elmo Recio
http://www.securityfocus.com/external/http://linux.com/sysadmin/newsitem.phtml?sid=113&aid=10935
Part of the neatness of UNIX is that you can just about do everything programmatically in the same way that you do it by hand. For example, you ever wonder why chmod() is called such? Well, in writing my admintool program, I found out that if I wanted to change the mode of a directory or ownership programmatically I would just call a function named chmod(). So I started to explore other aspects of the system calls and came across some really useful ones.
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
10/21/00 Expiration of your subscription to the FOCUS-SUN list
http://www.securityfocus.com/templates/archive.pike?tid=140734&list=92&fromthread=0&threads=1&end=2000-10-21&start=2000-10-15&
10/20/00 locale exploit
http://www.securityfocus.com/templates/archive.pike?tid=140730&list=92&fromthread=0&threads=1&end=2000-10-21&start=2000-10-15&
10/20/00 unique character match for a password...
http://www.securityfocus.com/templates/archive.pike?tid=140731&list=92&fromthread=0&threads=1&end=2000-10-21&start=2000-10-15&
FYI: New keyboard-interactive draft available
http://www.theorygroup.com/Archive/YASSP/2000/msg00663.html
Openssh and SecurID
http://www.theorygroup.com/Archive/YASSP/2000/msg00661.html
Re: package removing
http://www.theorygroup.com/Archive/YASSP/2000/msg00660.html
See also:
http://www.yassp.org
Disksuite is a tool bundled with Solaris that allows disks to be mirrored or gathered into RAID sets. This is useful and a nice feature to have in the system. The problem is that Disksuite uses RPC (specifically: two programs rpc.metamhd and rpc.metad which run from inetd). RPC is a protocol that one tries to avoid having on sensitive servers, such as those on the Internet or in a DMZ. RPC uses dynamic ports and provides no standard access control methods.
How can disksuite security be improved?
Doug Hughes has documented tips & links on Disksuite, VxVM and the
SPARC Storagearray:
http://www.eng.auburn.edu/pub/mail-lists/ssastuff
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
For brevity, the list of Solaris resources and references is kept in a separate
document:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 27 October, 2000