Weekly Solaris Security Digest
2000/11/27 to 2000/12/04

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html



The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

Sun Bulletin #99, Potential security issue in Java class loading
http://sunsolve.sun.com/pub-cgi/secBulletin.pl

Most JVMs (the exceptions being HotSpot 2, Internet Explorer and Netscape Navigator) are vulnerable to a bug whereby forbidden classes can be loaded.
Comment: Sun is a bit fuzzy on the details, but a patch to your Java VM is advisable on servers in hostile environments, multi-user servers and webservers using Java. HP have also announced fixes.


CERT Advisory CA-2000-21 Denial-of-Service Vulnerabilities in TCP/IP Stacks
http://www.cert.org/advisories/CA-2000-21.html

BindView's RAZOR Security Team have found new DoS attacks that work against many TCP/IP stacks. They called these the Naptha vulnerabilities. The attacker makes a TCP connection and leaves the TCP/IP stack in one of several states, possibly starving system resources if many such connections are used. No exploit code has been released. Sun has not finished its analysis for Solaris, but Solaris to Solaris connections are not vulnerable.
See also the original advisory:
http://razor.bindview.com/publish/advisories/adv_NAPTHA.html

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-11-25: Twig Remote Arbitrary Script Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=1998

2000-11-24: Phorum Arbitrary File Read Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=1997


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8      Nov/17/00
Solaris 7      Nov/02/00
Solaris 2.6    Nov/03/00
Solaris 2.5.1  Nov/02/00


News & Articles

SecurityPortal

ISC DHCPD, by Kurt Seifried
http://securityportal.com/closet/closet20001129.html

An overview of the free DHCP server, why it needs to be secured, how to chroot it, and run it as a non-root user.

SolarisGuide

Sun releases Trusted Solaris 8
http://www.sun.com/smi/Press/sunflash/2000-11/sunflash.20001120.1.html


Sun BigAdmin

Solaris Infrequently Asked and Obscure Questions, by Argoth
http://shells.devunix.org/~argoth/iaoq/

Comment: looks interesting, but everything is displayed in one massive paragraph.


Sun Tech tips
http://www.wdpi.com/sunmicrotechtips/suntt.htm

Comment: not bad at all!


A SunSolve Patch Primer
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content1

Comment: This is a useful overview of patches for sysadmins. It is a pity that Sun still keep the Patchdiag tool and access to all patches restricted to contract customers. I bought both the Sparc and Intel versions of Solaris 8; why should I not have patch access?


O'Reilly Network

The System Startup Daemon: init, by Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2000/11/28/FreeBSD_Basics.html

Comment: I agree this has nothing to do with Solaris, but if you still use SunOS4 you'll find FreeBSD starts up in a similar way :)

SecurityFocus

An Introduction to Incident Handling, by Chad Cook
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/inchan.html

This paper provides a short overview and several guidelines for handling incidents involving three of the most common attacks: viruses, system compromise and denial of service.
Comment: A good paper.


Solaris BSM Auditing, by Darren Moffat
http://www.securityfocus.com/focus/sun/articles/bsmaudit1.html

When considering the security of a system we need to be concerned not only with which features and tools we use to implement the access restrictions, but also with what logging of access we do. Logging is important for two main reasons: regular analysis of our logs gives us an early warning of suspicious activity and, if stored securely, it can provide the evidence required to find out what went wrong when a breach of the security policy occurs. This article by Darren Moffat offers an overview of the Basic Security Module implementation and management aspects, and provides insight helpful in raising security to another level.

Comment: This is a useful tutorial on BSM. Note however that root cron stopped working when I enabled BSM on two Solaris 8 Intel systems. Other notes on BSM are available at:
http://www.boran.com/security/sp/Solaris_bsm.html


ECN and its impact on Intrusion Detection, by Toby Miller
http://www.securityfocus.com/focus/ids/articles/ECN.html

Recently, there has been some discussion on various mailing lists about the Explicit Congestion Notification (ECN) proposed standard and QUESO/nmap scan detection. The debate has centred on the two reserved bits in the TCP header (bits 8 and 9) that QUESO sets in a SYN packet, since those same two bits are used by ECN.


Thinking about Security Monitoring and Event Correlation, by Billy Smith
http://www.securityfocus.com/focus/ids/articles/thinking.html

Most security devices provide logging and alerting of known and possibly unknown security events that occur on an information technology infrastructure. Despite all our technological advances and the introduction of devices like firewalls and VPNs, most companies do not monitor the information coming from these devices.


Computerworld

Sizing Up Security Services, by Deborah Radcliff
http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-90_STO54345,00.html

You hire a security consulting firm that analyzes your network. On his way out, the auditor leaves you to grapple with an 800-page report listing your network's 60,000 vulnerabilities......
Comment: A useful article to help in selecting and managing security consultants.

LinuxSecurity

Security group benchmarking Solaris, by Diane Frank
http://www.fcw.com/fcw/articles/2000/1127/web-cis-11-29-00.asp

The Center for Internet Security is preparing to release the first in a wave of security benchmarks for commercial products widely used in government, industry and academia. The Solaris benchmark should be out by the end of the year.
Comment: Few details are available; let's wait for the new year.

Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

One tool that may interest Solaris sysadmins in particular is:

Solpromisc 1.0
UDP - Digital Security Architect
http://www.low-level.net/udp/projects.html

Solpromisc is a kernel module which you can load to detect attempts to put devices into promiscuous mode from user space via DLPI (e.g. solsniff, tcpdump, anything pcap-based). It dumps the cred struct for the process, and the driver responsible, to the dmesg output buffer for collection by syslog.


Mailing Lists

FOCUS-Sun Discussions Threads

11/29/00 SunShield BSM and SSH
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=147661&start=2000-11-26&fromthread=0&list=92&

11/29/00 FW: SunShield BSM and SSH
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=147657&start=2000-11-26&fromthread=0&list=92&

11/28/00 Is fsirand still needed?
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=147318&start=2000-11-26&fromthread=0&list=92&

11/26/00 Network Mapping
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=146949&start=2000-11-26&fromthread=0&list=92&

11/24/00 unsafe start-up services
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2000-11-25&start=2000-11-19&tid=146772&list=92&threads=1&

11/24/00 locking a user immediately on Solaris 8
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2000-11-25&start=2000-11-19&tid=146781&list=92&threads=1&

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current. A few more problems were fixed and the documentation is being updated. V1.0 is close. If you are a Solaris sysadmin, please consider testing Yassp and providing input on the documentation, programs and hardening at this very important stage before the final release.

Discussions

Another bug in the OPENssh package
http://www.theorygroup.com/Archive/YASSP/2000/msg00753.html

Some questions from first time v 0.15rc2 user
http://www.theorygroup.com/Archive/YASSP/2000/msg00752.html

SUMMARY: cron audit problem. job failed
http://www.theorygroup.com/Archive/YASSP/2000/msg00751.html

Beta15: post install doc
http://www.theorygroup.com/Archive/YASSP/2000/msg00750.html

See also
http://www.yassp.org


Tip of the Week: Reconfiguring devices: "boot -r"

Solaris probes for disk devices when booting and loads the appropriate drivers, but devices added after that are not automatically recognised (presumably to keep boot times short).

If a new disk is added, the system is typically rebooted and told to search for new devices. This can be done by several methods: typing boot -r at the OpenBoot ok prompt, running reboot -- -r, or creating the file /reconfigure (touch /reconfigure) before a normal reboot.

There is an easier way, even without rebooting.

Tell Solaris to update /devices and then create appropriate device links for disks (and possibly tapes or serial ports):

drvconfig   # rebuild the /devices tree from the attached hardware
disks       # create the /dev/dsk and /dev/rdsk links
ports       # create the serial port links (/dev/term, /dev/cua)
tapes       # create the tape links (/dev/rmt)

Solaris 8 has a new command for managing devices, 'devfsadm'.

devfsadm(1M) maintains the /dev and /devices namespaces. It replaces the previous suite of devfs administration tools including drvconfig(1M), disks(1M), tapes(1M), ports(1M), audlinks(1M), and devlinks(1M).

devfsadmd(1M) is the daemon version of devfsadm(1M). The daemon is started by the /etc/rc* scripts during system startup and is responsible for handling both reconfiguration boot processing and updating /dev and /devices in response to dynamic reconfiguration event notifications from the kernel.

So this one command can be used for reconfiguring on Solaris 8:

devfsadm

Note: On my hardened Solaris 8 systems, the daemon 'devfsadmd' is disabled without any obvious ill effects. It is probably necessary on systems like the Starfire which support dynamic changing of hardware.
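As an added example (not from the original digest), a small Bourne shell script that picks the right reconfiguration step for the release, snapshots /dev/dsk before and after, and reports only the device links that appeared. DEV_DIR is an assumed override so the helper functions can be exercised on a non-Solaris host.

```shell
#!/bin/sh
# Added example for this digest (not from the original article): rescan for
# new devices and report which /dev/dsk entries appeared, using devfsadm on
# Solaris 8 or the older drvconfig/disks/tapes/ports suite on earlier releases.
# DEV_DIR is an assumed override so the helpers can be tested elsewhere.

DEV_DIR=${DEV_DIR:-/dev/dsk}

# Run the reconfiguration step appropriate for this release.
reconfigure_devices() {
    if [ -x /usr/sbin/devfsadm ]; then
        /usr/sbin/devfsadm
    else
        /usr/sbin/drvconfig && /usr/sbin/disks && /usr/sbin/tapes && /usr/sbin/ports
    fi
}

# list_nodes DIR: sorted names of the device links in DIR (empty if DIR is missing).
list_nodes() {
    ls -1 "$1" 2>/dev/null | sort
}

# new_nodes BEFORE_FILE AFTER_FILE: names present only in AFTER_FILE
# (both files must be sorted, as list_nodes produces them).
new_nodes() {
    comm -13 "$1" "$2"
}

# Snapshot DEV_DIR, reconfigure, then show only the links that appeared, so an
# unexpected new device is noticed rather than silently getting a /dev entry.
rescan_and_report() {
    umask 077
    before=/tmp/devscan.$$.before
    after=/tmp/devscan.$$.after
    list_nodes "$DEV_DIR" > "$before"
    reconfigure_devices || {
        echo "device reconfiguration failed" >&2
        rm -f "$before" "$after"
        return 1
    }
    list_nodes "$DEV_DIR" > "$after"
    echo "New entries in $DEV_DIR:"
    new_nodes "$before" "$after"
    rm -f "$before" "$after"
}

# Only rescan when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--rescan" ]; then
    rescan_and_report
fi
```

Run it as root with the --rescan argument after attaching the new disk; the functions avoid `local` and `!` so they work in the Solaris Bourne shell.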

If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 01 December, 2000