Weekly Solaris Security Digest
2000/11/13 to 2000/11/20

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

NEW! Sign up to get this digest by email.


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

CA-2000-20 Multiple Denial-of-Service Problems in ISC BIND
http://www.cert.org/advisories/CA-2000-20.html

The CERT/CC has not received any direct reports of either of these vulnerabilities being exploited to date.

The "zxfr bug": The problem occurs in the Compressed Zone Transfer (ZXFR) functionality of BIND. A default installation of BIND does not support the transfer of compressed zone files. However, issuing a request for a compressed zone file transfer to a name server without this functionality produces unpredictable results. Such a transfer request leads to a crash of the daemon. This could result in a name resolution Denial of Service for all users and systems depending upon nameservers using the affected software.

The "srv bug": can cause affected DNS servers running named to go into an infinite loop, thus preventing further name requests from being handled. This can happen if an SRV record (defined in RFC2782) is sent to the vulnerable server.
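
The two bugs above differ in where the trigger arrives: the zxfr bug is a query type the server receives, the srv bug is record data it processes. Only the first can be screened at the server boundary. The following is an added example (not code from the CERT advisory or from BIND) showing how a front-end filter or log analyser would recognise zone-transfer requests, including BIND's non-standard ZXFR type (QTYPE 256 in BIND's nameser.h), and drop them unless they come from a known secondary. The allowed-secondary address and the sample queries are constructed for the example; upgrading named as the advisory directs remains the actual fix, and nothing here addresses the srv bug.

```python
"""Classify DNS queries at a name-server boundary and flag zone-transfer
requests (AXFR/IXFR and BIND's non-standard ZXFR) from hosts that are not
authorised secondaries. Added example; not part of BIND or the advisory."""
import struct

# QTYPE values: A and SRV from the RFCs, IXFR/AXFR from RFC 1995/1035,
# ZXFR is BIND-specific (ns_t_zxfr = 256 in BIND 8's nameser.h).
QTYPE_A, QTYPE_SRV, QTYPE_IXFR, QTYPE_AXFR, QTYPE_ZXFR = 1, 33, 251, 252, 256
QTYPE_NAMES = {1: "A", 33: "SRV", 251: "IXFR", 252: "AXFR", 256: "ZXFR"}
TRANSFER_TYPES = {QTYPE_IXFR, QTYPE_AXFR, QTYPE_ZXFR}


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (uncompressed wire form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qid=0x1234):
    """Standard query (RD set) with a single question; used to make test input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (qname, qtype, qclass) of the first question.
    Raises ValueError on anything truncated, compressed or not a query."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def transfer_policy(packet, src_ip, allowed_secondaries):
    """Return None to let the query through, or a string reason to drop it."""
    try:
        qname, qtype, _qclass = parse_question(packet)
    except ValueError as exc:
        return "malformed: %s" % exc
    if qtype in TRANSFER_TYPES and src_ip not in allowed_secondaries:
        return "%s for %s from unauthorised %s" % (
            QTYPE_NAMES.get(qtype, qtype), qname, src_ip)
    return None


if __name__ == "__main__":
    SECONDARIES = {"192.0.2.53"}  # constructed: the only host allowed to pull zones
    samples = [  # constructed queries: ordinary lookup, legitimate AXFR, ZXFR probe
        (build_query("example.com", QTYPE_A), "198.51.100.7"),
        (build_query("example.com", QTYPE_AXFR), "192.0.2.53"),
        (build_query("example.com", QTYPE_ZXFR), "198.51.100.7"),
    ]
    for pkt, src in samples:
        print(src, "->", transfer_policy(pkt, src, SECONDARIES) or "accept")
```

The ordinary A lookup and the AXFR from the registered secondary pass; the ZXFR probe from an unknown address is dropped with a reason suitable for logging, and a truncated datagram is reported as malformed rather than parsed further.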


CERT: Current activity [ Reviewed: 16 Nov 2000 ]
http://www.cert.org/current/current_activity.html

Compromises via rpc.statd Vulnerability   
Compromises via 'SITE EXEC' Vulnerability in FTPD
Scans and Probes

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-11-16: joe Text Editor Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1959

2000-11-14: DC Scripts DCForum cgforum.cgi Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1951

2000-11-14: ABiSoft Baxter Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1947

2000-11-13: Midnight Commander cons.saver Arbitrary File Write Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1945

2000-11-13: OpenSSH Client Unauthorized Remote Forwarding Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1949
The problem occurs in the OpenSSH client. The client does not sufficiently check whether ssh-agent and X11 forwarding were actually requested once an SSH session has been negotiated. This allows the server end of the SSH session to gain access to either of these two resources on the client side. A malicious server could thus gain access to the X11 display and remotely watch the desktop and keystrokes, or gain access to the local ssh-agent.
Workaround: If connecting to suspect SSH servers, unset the $DISPLAY and $SSH_AUTH_SOCK environment variables.
Fix: No patches are available yet.
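
The workaround above works because a server cannot forward a display or agent socket the client process does not have. The following added example (not part of OpenSSH or of the advisory) is a small launcher that applies it: it scrubs DISPLAY and SSH_AUTH_SOCK from the environment before exec'ing ssh, and also passes -a and -x. Note the caveat in the comments: given the description above, the vulnerable client did not honour those options, so the flags are defence in depth and the environment scrub is the part that actually matters until a patched client is installed. The host names in the usage are constructed.

```python
"""Launch ssh to an untrusted server with the client-side resources the
workaround names (X11 display, ssh-agent socket) removed from the
environment. Added example; not part of OpenSSH."""
import os
import sys

# Variables the workaround says to unset before connecting to a suspect server.
FORWARDABLE_VARS = ("DISPLAY", "SSH_AUTH_SOCK")


def forwardable_present(environ):
    """Names of the risky variables that are set; useful as a pre-flight audit."""
    return [k for k in FORWARDABLE_VARS if k in environ]


def sanitized_env(environ):
    """Copy of environ without the variables a malicious server could reach."""
    return {k: v for k, v in environ.items() if k not in FORWARDABLE_VARS}


def ssh_argv(host, command=None):
    """Build the ssh command line. -a/-x ask the client not to forward the
    agent or X11. Per the advisory text, the vulnerable client did not check
    these settings against what the server asked for, so they are defence in
    depth only; sanitized_env() is what removes the exposure."""
    argv = ["ssh", "-a", "-x", host]
    if command:
        argv.append(command)
    return argv


def run(host, command=None, environ=os.environ):
    """Replace this process with ssh running in the scrubbed environment."""
    os.execvpe("ssh", ssh_argv(host, command), sanitized_env(environ))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: untrusted-ssh host [command]")
    risky = forwardable_present(os.environ)
    if risky:
        print("dropping from environment:", ", ".join(risky), file=sys.stderr)
    run(sys.argv[1], " ".join(sys.argv[2:]) or None)
```

Installed as, say, untrusted-ssh on a bastion host, this gives admins one command that cannot forget the workaround; the audit line on stderr shows what was dropped so a user who expected agent authentication to work understands why it did not.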

2000-11-10: McMurtrey/Whitaker & Associates Cart32 Path Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1932

2000-11-10: McMurtrey/Whitaker & Associates Cart32 DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1934

2000-11-10: gbook.cgi Remote Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1940

2000-11-10: Gaim Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1948

2000-11-10: Multiple Vendor UNIX adduser/useradd Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1950
Comment: It is unclear what the exact problem is and no exploits are listed.


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8      Sep/07/00
Solaris 7      Nov/02/00
Solaris 2.6    Nov/03/00
Solaris 2.5.1  Nov/02/00


News & Articles

SecurityPortal

Foiling DNS Attacks, by Jay Beale
http://securityportal.com/cover/coverstory20001113.html

Python: Security Aspects, by Ronald Mendell
http://securityportal.com/articles/python20001116.html


Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


Mailing Lists

FOCUS-Sun discussions

11/16/00 Bind (3Tk)
http://www.securityfocus.com/templates/archive.pike?fromthread=0&start=2000-11-12&end=2000-11-18&tid=145408&threads=1&list=92&

11/15/00 any patch for libc locale vulnerability?
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145092&start=2000-11-12&fromthread=0&list=92&

11/15/00 Bind (3Tk)
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145087&start=2000-11-12&fromthread=0&list=92&

11/15/00 Re: any patch for libc locale vulnerability?
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145111&start=2000-11-12&fromthread=0&list=92&

11/15/00 Re: Bind (3Tk)
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145086&start=2000-11-12&fromthread=0&list=92&

11/14/00 Re: djbdns
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=144867&start=2000-11-12&fromthread=0&list=92&

11/14/00 djbdns
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=144826&start=2000-11-12&fromthread=0&list=92&

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 12 and beta 13 were released this week. Initial testing shows that it works well.

Beta 13 changes:

Beta 12 changes:

Discussions:

beta#13 problems
http://www.theorygroup.com/Archive/YASSP/2000/msg00705.html

yassp: beta#13 out
http://www.theorygroup.com/Archive/YASSP/2000/msg00704.html

Re: Beta#12: could you include siggen?
http://www.theorygroup.com/Archive/YASSP/2000/msg00702.html

PARCdaily fails unless GNUgzip is also selected
http://www.theorygroup.com/Archive/YASSP/2000/msg00695.html

OpenSSH question
http://www.theorygroup.com/Archive/YASSP/2000/msg00692.html

typos + suggestion
http://www.theorygroup.com/Archive/YASSP/2000/msg00691.html

scp problem: solution
http://www.theorygroup.com/Archive/YASSP/2000/msg00685.html

ssh problems
http://www.theorygroup.com/Archive/YASSP/2000/msg00684.html

PARCdaily beta#12 bugs
http://www.theorygroup.com/Archive/YASSP/2000/msg00672.html

Beta#12 out
http://www.theorygroup.com/Archive/YASSP/2000/msg00670.html

See also :
http://www.yassp.org


Tip of the Week: Yassp beta#13

This week, I would like to shamelessly plug a project that I contribute to, which is a major benefit to the Solaris community. I would like to see many more of you involved in testing, reviewing and giving feedback. Below is an overview of Yassp, its features, disadvantages and advantages.

Now that the licensing issues have been sorted out, Yassp beta 12 and 13 were released this week, with the hope of releasing V1.0 very soon. The changes in the last two betas are documented in the previous section.

What is needed now is testers for Solaris 2.6/2.7 SPARC and especially on Intel (nudge, nudge..).

Yassp Overview

Jean Chouanard of Xerox and a host of Solaris experts have developed the Yassp (Yet Another Solaris Security Package) [1] scripts for hardening Solaris; the package also includes many useful precompiled security tools.

The first version appeared in summer 1999 and adhered pretty closely to the SANS Solaris Hardening Guide. We now have an improved Yassp beta#12 (Nov. 2000) that goes further and is a final release candidate. It has been tested by admins, has received much input from experts and tries to pull together all known issues of Solaris hardening into one bundle. Yassp includes scripts and binaries for key tools and allows individual tuning, so that it can be used for bastion hosts, servers and workstations.

The core hardening features are in the SECclean package in Yassp:

There is also a tarball available in addition to SECclean. This tarball also includes the packages GNUgzip, GNUrcs, OPENssh, WVtcpd and PARCdaily, i.e. binary packages for SPARC and X86. The tools are installed in /opt/local, except tripwire, which goes in /secure/tripwire.

Yassp installation logs:

YASSP Advantages
Yassp disadvantages
Yassp - suggested improvements
Yassp - References:
[1] www.yassp.org: YASSP (Yet Another Solaris Security Package) for Solaris 2.6/7/8
The list of SECclean hardening actions is documented at www.yassp.org/internal.html
Express installation guide: www.yassp.org/express.html
The developers' email list is archived at www.theorygroup.com/Archive/YASSP
[10] Casper Dik's fix-modes script contains a huge number of file permission improvements for most Solaris versions: ftp.wins.uva.nl:/pub/solaris/fix-modes.tar.gz
Jens Vöckler's nettune script: www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html
See also the local copy nettune.
[11] The Titan Project: www.titan.org
[12] Hardening Solaris with Yassp beta#13 (draft): www.boran.com/sp/security/solaris_hardening3.html
[13] Example Yassp beta#13 installation output: www.boran.com/sp/security/solaris/yassp_install.txt


If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 19 November, 2000