Weekly Solaris Security Digest
2000/10/30 to 2000/11/06

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

To receive this digest via Email:
http://securityportal.com/subscribe.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-11-01: SAMBA SWAT Symlink Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1872

2000-11-01: SAMBA SWAT Logging Failure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1873

2000-11-01: SAMBA SWAT Logfile Permissions Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1874

2000-10-31: Netscape Servers Suite Heap Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1865

2000-10-31: Netscape Servers Suite Denial of Service Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1867

2000-10-31: tcpdump AFS ACL Packet Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1870

2000-10-30: Inktomi Search Software DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1866

2000-10-31: Unify eWave ServletExec File Upload Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1876

2000-10-30: Unify eWave ServletExec DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1868

2000-10-29: CatSoft FTP Serv-U Brute-Force Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1860

2000-10-29: Pagelog.cgi File Disclosure/Creation Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1864

2000-10-29: KW Whois Remote Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1883

2000-10-27: bftpd Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1858

2000-10-27: Padl Software nss_ldap Local Denial of Service Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1863

2000-10-27: CGI Script Center News Update Password Changing Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1881

2000-10-27: ICS 'host' (Bind 8.1) Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1887%3Fvid%3D1887


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8      Sep/07/00
Solaris 7      Oct/03/00
Solaris 2.6    Oct/09/00
Solaris 2.5.1  Oct/09/00


News & Articles

Sun

Installing Solaris Over The Network, by John Richardson
http://www.sunhelpdesk.com/users/john/001.htm

Discussion: Backup and Restore Practices for Sun Enterprise Servers
http://mysun-mail.sun.com:9613/cgi-bin/forums?14@@.eeefc10

Useful tools for Sun workstations and Solaris
http://www.squirrel.com/squirrel/sun-stuff.html

Dr.Dobbs Journal

Strangers In the Night, Finding the purpose of an unknown program, by Wietse Venema
http://www.ddj.com/articles/2000/0011/0011g/0011g.htm

The story is about analyzing an unknown program that was left behind by an intruder. The fact that the computer systems involved were running UNIX is only of marginal importance.
Comment: A useful article from one of the masters of Computer Forensics.

 

Security Analysis & Design, by Uttara Nerurkar
http://www.ddj.com/articles/2000/0011/0011d/0011d.htm

....I put together a security analysis and design/modelling technique that closely couples the security and functional model of the product. While the model is based on my experience with financial software, it is sufficiently generic to be suitable for other business applications as well.

Sysadmin Magazine

Solaris Administration Supplement
http://www.sysadminmag.com/supplement/web_feature.shtml

The special supplement contains several security-relevant articles:

SecurityFocus

Hardening Solaris: Creating a Diamond in the Rough Pt. II, by Hal Flynn
http://www.securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/harden2.html

Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


Mailing Lists

FOCUS-Sun discussions

No messages in the archive, but there were some minor discussions on /etc/ftpusers.

YASSP (the Solaris hardening tool) Developers' list discussions

rpc.meta* Summary
http://www.theorygroup.com/Archive/YASSP/2000/msg00666.html

See also:
http://www.yassp.org


Tip of the Week: Resources for Hardening Solaris

Over the last two years or so, several (free) useful tools and papers on hardening Solaris have appeared. Here we present a list with some comments.

My favourites are Titan and Yassp, but the idea is to provide a decent list of alternatives here, so you can learn from the various papers and pick an appropriate tool for your needs.
Titan and Yassp have different approaches and are useful in different situations. I would prefer Yassp for DMZ/bastion host hardening, but Titan is probably more useful for securing general workstations and multi-user servers. Also, each has features not found in the other.

Yassp (Yet Another Solaris Security Package)

Yassp
http://www.yassp.org
The goal is to install Solaris and have good host security without having to spend hours on modifications. According to Alan Paller, director of research at the SANS Institute, 'When these scripts have been field tested, they will become the recommended solution for hardening Solaris systems and we will promote them widely.'
Yassp is in final beta; the final release should be published very soon.

Hardening Solaris (based on Yassp beta11)
http://www.securityportal.com/topnews/solaris_hardening20000523.html
This article presents a concise step-by-step approach to securely installing Solaris for use in a firewall DMZ or other sensitive environment, using the Yassp tool - beta11. For Solaris 8, the Sunscreen EFS lite firewall is also presented.

Interview with Jean Chouanard (main developer behind Yassp)
http://securityportal.com/cover/coverstory20000821.html

Titan

The Titan project
http://www.fish.com/titan/
http://www.fish.com/titan/TITAN_documentation.html
Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system. Conceived and created by Brad Powell, it was written in Bourne shell, and its simple modular design makes it trivial for anyone who can write a shell script or program to add to it, as well as completely understand the internal workings of the system.

Hardening Solaris - Compass Security Draft 0.82, by Ivan Butler 
http://www.csnc.ch/download/sources/Hardening-Solaris V0.82.pdf  
This PDF document provides a step-by-step tutorial on creating a Solaris system resistant to various methods of attack, based on the Titan scripts.

Sun

Sun's hardening tool, Jass
http://www.sun.com/blueprints/tools
Jass has a restrictive license and is still in beta. It was tested a few weeks back in 'Tip of the Week' and didn't seem ready for prime time.

Sun's hardening documentation:

More Hardening Papers

SecurityFocus, list of Sun relevant articles
http://www.securityfocus.com/focus/sun/menu.html?fm=0&action=unfold

Lance Spitzner's white papers
http://ww.enteract.com/~lspitz/papers.html
These papers are useful and referenced by many people. Worth a read.

Securing Solaris Servers - A Checklist Approach, by Paul D. J. Vandenberg and Susan D. Wyess
http://www.usenix.org/sage/sysadmins/solaris/index.html#host

This material is excerpted from an internal U.S. Government document on web security, which the authors played leading roles in preparing. This material has been officially reviewed, and the authors have been granted permission to use this material in a non-official publication.

Hardening Solaris (pre Yassp), by Seán Boran
http://www.securityportal.com/coverstory19991025.html
This article presents a step-by-step approach to securely installing Solaris for use in a firewall DMZ. It's a bit old now and not as comprehensive as it should be, but it is useful for those who wish to 'manually harden' their system.

TCP tuning under Solaris, by Jens-S. Vöckler
http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html

Security: How to Documents, Information Systems and Technology, University of Waterloo
http://ist.uwaterloo.ca/security/howto/

Wietse Venema's tools and papers (tcp wrapper, rpcbind/portmapper, postfix, Satan, ....)
ftp://ftp.porcupine.org/pub/security/index.html

Solaris Security Guide, Sabernet
http://www.sabernet.net/papers/Solaris.html

Solaris Security Step by Step, from SANS
http://www.sans.org
This is available in paper or PDF form and is quite useful, but it's not free.

Sunworld

Softpanorama University Pages: Solaris Hardening and Security
http://www.softpanorama.org/Security/sos.shtml
This site is an index to many Solaris security papers and tools.

Securiteam: Hardening Solaris SPARC/x86 security for Firewall usage - a step by step guide
http://www.securiteam.com/unixfocus/Hardening_Solaris_SPARC_x86_security_for_Firewall_usage_-_a_step_by_step_guide.html

More Hardening Tools

New Approaches to Making Solaris More Secure, by Rich Teer (including hardening scripts)
http://www.sysadminmag.com/supplement/web_feature1.shtml

Securing Solaris, by Ido Dubrawsky
http://www.sysadminmag.com/supplement/913secsol.shtml

Casper Dik's fixmode (improves Solaris file permissions)
ftp.wins.uva.nl:/pub/solaris

Chris Calabrese's Harden script
ftp://ftp.freebird.org/unixware/freebird/internet/systools/harden  

Alberto Begliomini's SECUR
ftp://ftp.coldstone.com/secur

If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 10 November, 2000