By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
CA-2000-20 Multiple Denial-of-Service Problems in ISC BIND
http://www.cert.org/advisories/CA-2000-20.html
The CERT/CC has not received any direct reports of either of these vulnerabilities being exploited to date.
The "zxfr bug": The problem occurs in the Compressed Zone Transfer (ZXFR) functionality of BIND. A default installation of BIND does not support the transfer of compressed zone files. However, issuing a request for a compressed zone file transfer to a name server without this functionality produces unpredictable results. Such a transfer request leads to a crash of the daemon. This could result in a name resolution Denial of Service for all users and systems depending upon nameservers using the affected software.
The "srv bug": can cause affected DNS servers running named to go into an infinite loop, thus preventing further name requests from being handled. This can happen if an SRV record (defined in RFC 2782) is sent to the vulnerable server.
- Workaround for the "zxfr bug": Disallow zone transfers except from trusted hosts. Note that if the trusted hosts are compromised, name servers with this bug will be vulnerable to denial of service attacks.
http://www.isc.org/products/BIND/bind-security.html
- Fix: update to BIND 8.2.2-P7
http://www.isc.org/products/BIND/bind8.html
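The "zxfr bug" workaround above depends on every zone actually being restricted. The following audit script is an added example (not from the digest or from ISC): it lists the zones in a BIND 8 named.conf that anyone could still transfer, using a constructed sample config in which one zone shows the corrected allow-transfer setting; zone names and the 192.0.2.10 address are placeholders.

```shell
# Added audit helper (not from the digest or ISC): lists zones in a BIND 8
# named.conf that anyone may still transfer, i.e. zones with no allow-transfer
# restriction in the zone or the global options. "allow-transfer { any; }"
# counts as open.
unrestricted_zones() {
    awk '
    /^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1 }
    inopt && /allow-transfer/ { gopt = ($0 !~ /[{][[:space:]]*any[[:space:]]*;/) }
    inopt && /^[[:space:]]*[}];/ { inopt = 0 }
    /^[[:space:]]*zone[[:space:]]+"/ {          # zone "name" { ... };
        match($0, /"[^"]*"/); z = substr($0, RSTART + 1, RLENGTH - 2)
        names[n++] = z; state[z] = "inherit"; inzone = 1; next
    }
    inzone && /allow-transfer/ {
        state[z] = ($0 ~ /[{][[:space:]]*any[[:space:]]*;/) ? "open" : "restricted"
    }
    inzone && /^[[:space:]]*[}];/ { inzone = 0 }
    END {   # a zone inherits the global setting unless it sets its own
        for (i = 0; i < n; i++)
            if (state[names[i]] == "open" || (state[names[i]] == "inherit" && !gopt))
                print names[i]
    }'
}

# Constructed sample: "example.test" has the weak default (no restriction),
# "open.test" explicitly allows anyone, and "internal.test" shows the corrected
# form, limiting transfers to one trusted secondary (192.0.2.10 is a
# documentation address used here as a placeholder).
SAMPLE_NAMED_CONF=$(cat <<'EOF'
options {
    directory "/var/named";
};
zone "example.test" {
    type master; file "db.example.test";
};
zone "open.test" {
    type master; file "db.open.test";
    allow-transfer { any; };
};
zone "internal.test" {
    type master; file "db.internal.test";
    allow-transfer { 192.0.2.10; };
};
EOF
)

printf '%s\n' "$SAMPLE_NAMED_CONF" | unrestricted_zones   # example.test, open.test
```

Run it against the real file with `unrestricted_zones < /etc/named.conf`; an empty result means every zone is covered by either its own restriction or a restricted global allow-transfer.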
CERT: Current activity [ Reviewed: 16 Nov 2000 ]
http://www.cert.org/current/current_activity.html
Compromises via rpc.statd Vulnerability
Compromises via 'SITE EXEC' Vulnerability in FTPD
Scans and Probes
none
2000-11-16: joe Text Editor Symbolic Link Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1959
2000-11-14: DC Scripts DCForum cgforum.cgi Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1951
2000-11-14: ABiSoft Baxter Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1947
2000-11-13: Midnight Commander cons.saver Arbitrary File Write Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1945%3Fvid%3D1945
2000-11-13: OpenSSH Client Unauthorized Remote Forwarding Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1949
The problem occurs in the OpenSSH client. The client does not sufficiently check for the ssh-agent and X11 forwarding options after an SSH session has been negotiated. This allows the server end of the SSH session to gain access to either of these two resources on the client side. This could result in a malicious server gaining access to the X11 display and remotely watching the desktop and keystrokes. This problem can also allow a malicious server access to the local ssh-agent.
Workaround: If connecting to suspect SSH servers, unset the $DISPLAY and $SSH_AUTH_SOCK environment variables.
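The workaround above, as an added shell wrapper (not from the digest or the OpenSSH project) that strips both variables for a single ssh invocation without touching the rest of the session, plus a self-check that shows what a child process actually inherits; the function names and the demonstration values are constructed here.

```shell
# Added wrapper (not from the digest or the OpenSSH project): runs a command
# with no agent socket and no X display in its environment, the workaround the
# advisory gives. A server that requests agent or X11 forwarding from such a
# client then finds nothing on the client side to connect to.
without_forwarding() {
    (
        unset DISPLAY SSH_AUTH_SOCK   # subshell: the caller's session keeps both
        exec "$@"
    )
}

# For interactive use with a server you do not trust: untrusted_ssh user@host
untrusted_ssh() {
    without_forwarding ssh "$@"
}

# Self-check: report what a child process actually inherits. Returns "clean"
# only when both variables are absent (not merely empty).
forwarding_env_state() {
    without_forwarding sh -c '
        if [ -z "${DISPLAY+x}" ] && [ -z "${SSH_AUTH_SOCK+x}" ]; then
            echo clean
        else
            echo "exposed: DISPLAY=${DISPLAY-} SSH_AUTH_SOCK=${SSH_AUTH_SOCK-}"
        fi'
}

# Demonstration with constructed values standing in for a real X session and
# agent socket.
DISPLAY=:0; SSH_AUTH_SOCK=/tmp/ssh-demo/agent.1234; export DISPLAY SSH_AUTH_SOCK
forwarding_env_state   # prints: clean
```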
Fix: No patches are available yet.
2000-11-10: McMurtrey/Whitaker & Associates Cart32 Path Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1932
2000-11-10: McMurtrey/Whitaker & Associates Cart32 DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1934
2000-11-10: gbook.cgi Remote Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1940
2000-11-10: Gaim Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1948
2000-11-10: Multiple Vendor UNIX adduser/useradd Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1950
Comment: It is unclear what the exact problem is and no exploits are listed.
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Sep/07/00
Solaris 7 Nov/02/00
Solaris 2.6 Nov/03/00
Solaris 2.5.1 Nov/02/00
Foiling DNS Attacks, by Jay Beale
http://securityportal.com/cover/coverstory20001113.html
Python: Security Aspects, by Ronald Mendell
http://securityportal.com/articles/python20001116.html
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
11/16/00 Bind (3Tk)
http://www.securityfocus.com/templates/archive.pike?fromthread=0&start=2000-11-12&end=2000-11-18&tid=145408&threads=1&list=92&
11/15/00 any patch for libc locale vulnerability?
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145092&start=2000-11-12&fromthread=0&list=92&
11/15/00 Bind (3Tk)
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145087&start=2000-11-12&fromthread=0&list=92&
11/15/00 Re: any patch for libc locale vulnerability?
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145111&start=2000-11-12&fromthread=0&list=92&
11/15/00 Re: Bind (3Tk)
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=145086&start=2000-11-12&fromthread=0&list=92&
11/14/00 Re: djbdns
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=144867&start=2000-11-12&fromthread=0&list=92&
11/14/00 djbdns
http://www.securityfocus.com/templates/archive.pike?threads=0&end=2000-11-18&mid=144826&start=2000-11-12&fromthread=0&list=92&
Yassp beta 12 and beta 13 were released this week. Initial testing shows that it works well.
Beta 13 changes:
- PRFtripw: added the siggen binary; fixed a typo in the prototype file of /secure/databases (missing ending 's').
- SECclean: Added socks (1080/tcp) to the list of services. In the preinstall, we now test for the existence of any file handled by a 'sed' class script, as if they don't exist the SECclean install will partially fail. The RPC startup script is no longer handled by a sed class but with the postinstall/preremove/postremove, for the same reason. It required a lot of testing, as the cleanlib was touched. /etc/shells: updated to reflect Solaris 8 getusershell(3). Fix: daemon shells use 'noshell', not /dev/null.
- PARCdaily: removed the dependency on the GNU package, as the tools may exist under other names.
- OpenSSH: sshd_config.Dist should refer to /etc/hosts.deny, not /etc/hosts.denied; incorrect VENDOR string.
- Typos: WhatsNew, man page, install script.
Beta 12 changes:
- supports i386 and sparc
- OpenSSH 2.3.0p1 (without SecurID support yet)
- BSD like license
- md5 binary
- PARCdaily re-written.
- Less verbose by default, more configurable, through yassp.conf.
- various bug fixes (syslogd '-t' for 2.8, typos ...)
Discussions:
beta#13 problems
http://www.theorygroup.com/Archive/YASSP/2000/msg00705.html
yassp: beta#13 out
http://www.theorygroup.com/Archive/YASSP/2000/msg00704.html
Re: Beta#12: could you include siggen?
http://www.theorygroup.com/Archive/YASSP/2000/msg00702.html
PARCdaily fails unless GNUgzip is also selected
http://www.theorygroup.com/Archive/YASSP/2000/msg00695.html
OpenSSH question
http://www.theorygroup.com/Archive/YASSP/2000/msg00692.html
typos + suggestion
http://www.theorygroup.com/Archive/YASSP/2000/msg00691.html
scp problem: solution
http://www.theorygroup.com/Archive/YASSP/2000/msg00685.html
ssh problems
http://www.theorygroup.com/Archive/YASSP/2000/msg00684.html
PARCdaily beta#12 bugs
http://www.theorygroup.com/Archive/YASSP/2000/msg00672.html
Beta#12 out
http://www.theorygroup.com/Archive/YASSP/2000/msg00670.html
See also:
http://www.yassp.org
This week, I would like to shamelessly plug a project that I contribute to, which is a major benefit to the Solaris community. I would like to see many more of you involved in testing, reviewing and giving feedback. Below is an overview of Yassp, its features, disadvantages and advantages.
Now that the licensing issues have been sorted out, Yassp beta 12 and 13 were released this week, with the hope for releasing V1.0 very soon. The changes in the last two betas are documented in the previous section.
What is needed now is testers for Solaris 2.6/2.7 SPARC, and especially for Intel (nudge, nudge..).
Jean Chouanard of Xerox and a host of Solaris experts have developed the Yassp (Yet Another Solaris Security Package) [1] scripts for hardening Solaris, which include many useful precompiled security tools.
The first version appeared in summer 1999 and adhered pretty closely to the SANS Solaris Hardening Guide. We now have an improved Yassp beta#12 (Nov. 2000) that goes further and is a final release candidate. It has been tested by admins, has received much input from experts and tries to pull together all known issues of Solaris hardening into one bundle. Yassp includes scripts and binaries for key tools and allows individual tuning, so that it can be used for bastion hosts, servers and workstations.
The core hardening features are in the SECclean package in Yassp:
There is also a tarball available in addition to SECclean. This tarball also includes "GNUgzip GNUrcs OPENssh WVtcpd PARCdaily", i.e. binary packages for SPARC and X86. The tools are installed in /opt/local, except tripwire, which goes in /secure/tripwire.
Yassp installation logs:
[1] www.yassp.org: YASSP (Yet Another Solaris Security Package) for Solaris 2.6/7/8. The list of SECclean hardening actions is documented at www.yassp.org/internal.html. Express installation guide: www.yassp.org/express.html. The developers' email list is archived at www.theorygroup.com/Archive/YASSP
[10] Casper Dik's fix-modes script contains a huge number of file permission improvements for most Solaris versions. ftp.wins.uva.nl:/pub/solaris/fix-modes.tar.gz
Jens Vöckler's nettune script: www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html. See also the local copy nettune.
[11] The Titan Project, www.titan.org
[12] Hardening Solaris with Yassp beta#13 (draft), www.boran.com/sp/security/solaris_hardening3.html
[13] Example Yassp beta#13 installation output, www.boran.com/sp/security/solaris/yassp_install.txt
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved. Last Update: 19 November, 2000