By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
2000-12-18: Solaris patchadd Race Condition Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2127
The Problem: patchadd is the patch management tool included with Solaris. A flaw in its handling of temporary files could allow a local user to corrupt or append to system files.
patchadd creates a number of working files in /tmp while installing patches. They are created mode 0666, with predictable names of the form sh<pid of patchadd>.1, sh<pid of patchadd>.2, and so on. patchadd itself must be run with administrative (root) privileges. A local user can guess the pid of patchadd (the pid space is small enough to brute-force) and pre-create those names in /tmp as symbolic links to sensitive system files; when root then runs patchadd, its writes follow the links. A user with malicious intent can therefore corrupt system files and, depending on the file targeted, gain elevated privileges or have arbitrary commands executed.
Analysis: No patches are yet available. This is a local exploit; the advisory lists Solaris 7 and 8 as affected. On sensitive multi-user systems, install patches in single-user mode, where no other user can write to /tmp. Clearing /tmp just before running patchadd narrows the window but does not close it, since the links can be planted while patchadd is running; it is no substitute for single-user mode or for the forthcoming patch.
Solaris 2.7/2.8 catman temp file vulnerability.
Vapid Labs
http://vapid.betteros.org/catman-advisory.html
/usr/bin/catman creates temporary files whose names a local user can anticipate; by symlinking those names in advance, the user can clobber root-owned files when root runs catman. Sun has been informed, Sun BugID: 4392144.
Analysis: Workarounds until a patch is available:
a) ensure that catman is not executed automatically from cron on multi-user systems
b) root should avoid running catman on sensitive multi-user systems
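The patchadd and catman items above describe the same bug class: a root process writes to a predictably named temporary file in world-writable /tmp, and an unprivileged user who plants a symlink under that name first gets the write redirected to a file of their choosing. The script below is an added example, not code from either advisory or from Sun's tools. It stages the attack in a throw-away directory against a stand-in for the vulnerable pattern (plain `>` to sh<pid>.1) and then against the pattern that closes it (mktemp(1), which creates the file itself with O_CREAT|O_EXCL). The function names and the guessed pid 12345 are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the advisories, from patchadd or from catman.
# Reproduces the /tmp symlink race both advisories describe and shows the
# pattern that closes it. Names and the pid 12345 are illustrative only.

# Vulnerable pattern: the name is guessable (sh<pid>.1, as in patchadd) and
# '>' follows an existing symlink, so the write lands on whatever it points at.
unsafe_write() {
    dir=$1
    pid=$2
    echo "scratch data" > "$dir/sh$pid.1"
}

# Hardened pattern: mktemp(1) picks an unpredictable name and creates the file
# itself with O_CREAT|O_EXCL, so a pre-planted symlink (or any existing file)
# is never opened through; the call either fails or uses a fresh name.
safe_write() {
    dir=$1
    f=$(mktemp "$dir/sh.XXXXXX") || return 1
    echo "scratch data" > "$f"
    rm -f "$f"
}

# demo_attack WRITER: stage a throw-away "/tmp" holding a victim file, plant
# the symlink an attacker would (guessing the pid), run WRITER as the
# "privileged" process, and return 0 if the victim was clobbered, 1 if not.
demo_attack() {
    writer=$1
    work=$(mktemp -d) || return 2
    target=$work/victim
    guessed_pid=12345
    echo "original contents" > "$target"
    ln -s "$target" "$work/sh$guessed_pid.1"         # attacker's move
    "$writer" "$work" "$guessed_pid" >/dev/null 2>&1  # privileged process runs
    if grep -q "scratch data" "$target"; then
        result=0
    else
        result=1
    fi
    rm -rf "$work"
    return $result
}

# Stand-alone run: show both outcomes side by side.
for w in unsafe_write safe_write; do
    if demo_attack "$w"; then
        echo "$w: victim file clobbered"
    else
        echo "$w: victim file intact"
    fi
done
```

Run it as an ordinary user: the unsafe writer clobbers the victim, the mktemp writer does not. The mktemp writer survives because its name is never predictable and the open refuses to go through an existing path, not because the directory happened to be clean; an attacker who can race the real tool can re-plant a link after any cleanup, which is why clearing /tmp before patchadd narrows the window without closing it. For scripts you control, `set -C` (noclobber) is a cheap extra guard, since `>` then refuses any existing path; for patchadd and catman themselves the only real fixes are Sun's patches, or running them when no other user can reach /tmp.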
Sun Cluster multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2000-12/0180.html
Sun Cluster version 2.x contains several vulnerabilities that allow a remote attacker to obtain system configuration information from a host running in.mond, the Cluster monitor daemon. By telnetting to port 12000, an attacker can read the host's syslog and view the cluster configuration. Further, an attacker with a local account can place a symlink at /var/opt/SUNWcluster/fm/fmstatus/nfs/<logicalhostname>/status and then use the monitor daemon's "open hastat" command to read any file on the host. Sun is working on a patch.
Analysis: Until the patch is available, restrict access to TCP port 12000 to the cluster nodes themselves.
2000-12-19: Stunnel Weak Encryption Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2137
2000-12-18: Stunnel Local Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2128
2000-12-18: Sonata Local Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2125
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8      Dec/19/00*
Solaris 7      Dec/19/00*
Solaris 2.6    Dec/05/00
Solaris 2.5.1  Dec/12/00
See also: ftp://sunsolve.sun.com/pub/patches
I mentioned a while back a problem I had with Solaris BSM: on Solaris8 x86 boxes- if BSM is switched on, all root cron jobs fail. Other Solaris 8 SPARC systems run BSM happily (they have an older patch level however).
A reader wrote in to note that this problem is known to Sun (SRDB ID: 18219). Fix: for each crontab file in /var/spool/cron/crontabs there should also be a FILE.au, e.g.
touch /var/spool/cron/crontabs/root.au
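As an added example (not from the digest or from Sun's SRDB), a small script that applies the fix across the whole spool rather than for root alone: it lists the crontabs lacking an .au companion, then creates the missing ones with touch, exactly as above, and reports how many it made. The function names are mine; the spool path is the one the digest names.

```shell
#!/bin/sh
# Added example, not from the digest or from Sun's SRDB 18219.
# For every crontab in a spool directory, make sure the empty FILE.au
# companion exists so that cron jobs do not fail with BSM enabled.
# Idempotent: existing .au files are left alone.

# missing_cron_audit_stubs DIR: print each crontab that has no FILE.au
missing_cron_audit_stubs() {
    spool=$1
    for crontab in "$spool"/*; do
        [ -f "$crontab" ] || continue
        case $crontab in *.au) continue ;; esac   # skip the stubs themselves
        [ -e "$crontab.au" ] || printf '%s\n' "$crontab"
    done
}

# ensure_cron_audit_stubs DIR: create the missing FILE.au files with touch
# (as the SRDB fix does) and print how many were created; returns 1 on error
ensure_cron_audit_stubs() {
    spool=$1
    created=0
    for crontab in "$spool"/*; do
        [ -f "$crontab" ] || continue
        case $crontab in *.au) continue ;; esac
        if [ ! -e "$crontab.au" ]; then
            touch "$crontab.au" || return 1
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# Stand-alone use, as root on the affected host:
#   sh this_script.sh /var/spool/cron/crontabs
if [ $# -eq 1 ] && [ -d "$1" ]; then
    echo "crontabs without an .au companion:"
    missing_cron_audit_stubs "$1"
    n=$(ensure_cron_audit_stubs "$1") || exit 1
    echo "created $n .au file(s)"
fi
```

Re-run it after a crontab is created for a new user, since the new crontab file arrives without its .au and that user's jobs would otherwise hit the same failure.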
The CERT/CC Vulnerability Notes Database
http://www.kb.cert.org/vuls
In keeping with our new vulnerability disclosure policy, the CERT Coordination Center publishes information on a wide variety of vulnerabilities. Descriptions of these vulnerabilities are available from this web page in a searchable database format, and are published as "CERT Vulnerability Notes".
Installing a secure web server
Rich Bowen
http://apachetoday.com/news_story.php3?ltsn=2000-12-11-001-06-OS-LF-AD
Comment: This is a skimpy overview of getting SSL running on Apache, which is not quite what the title suggests. However, it does link to a presentation given by Ralf S. Engelschall at ApacheCon 2000 Europe, in the auditorium of the London Olympia Centre (25 slides).
http://www.modssl.org/docs/apachecon2000/
SunWorld has changed its name to Unix Insider!
http://www.sunworld.com/unixinsideronline/swol-12-2000/swol-1211-letter.html
The SC Magazine Pick of 2000
http://www.scmagazine.com/scmagazine/2000_12/testc/index.htm
Over the course of 2000, SC Magazine has covered many topics in our Test Centers and Market Surveys. We have also tested many products, which have featured as standalone reviews. In this issue we bring you the Pick of 2000 - that's all the products that have achieved either an overall 5-star rating, our Best Buy or Recommended awards.
Comment: My favorites are not listed...
Root Security
http://linuxsecurity.com/tips/tip-12.html
Dave Wreski
This posting is short, 6 months old and timeless. Read it to remind yourself of key issues when logged in as root.
Solaris Kernel Tuning for Security
http://securityfocus.com/focus/sun/articles/kernel.html
Ido Dubrawsky
This article looks at the main kernel parameters for hardening the IP stack and ARP responses. ARP attacks are well described. This document helps explain why hardening tools like Yassp and Titan insist on kernel tuning.
Vulnerabilities in Operating-System Patch Distribution
Matt Power
http://razor.bindview.com/publish/papers/os-patch.html
In this research project, BindView Corporation has studied the processes by which 27 operating-system vendors distribute security patches. The report focuses on vulnerabilities in these processes, with the hope that customers can use the information to assess the adequacy of the processes used by their own vendors, in both an absolute and comparative sense.
Comment: A thorough look at patch notification and distribution.
Order from Chaos with Procmail
Kevin Mullet
http://sysadmin.oreilly.com/news/procmail_1200.html
12/18/00 SEAM, KRB5 and phrase length
http://securityfocus.com/templates/archive.pike?threads=1&end=2000-12-23&start=2000-12-17&tid=151678&list=92&fromthread=0&
12/18/00 Solaris 8 and Windows NT...
http://securityfocus.com/templates/archive.pike?threads=1&end=2000-12-23&start=2000-12-17&tid=151508&list=92&fromthread=0&
Yassp beta 15 is still current.
Discussions:
First draft: check startup file script
http://www.theorygroup.com/Archive/YASSP/2000/msg00775.html
A tool that lists what is started at boot time, in order, and checks the consistency of the /etc/rc?.d and /etc/init.d directories. A second script will use it to check that the init scripts are managed by YASSP and, if not, offer to "yasspify" them.
See also
http://www.yassp.org
The Solaris Security Digest came to life in May 2000, and each week we have tried to include a useful tip. The following document collects those tips in FAQ style. Just browse the table of contents to find items that interest you.
Thanks for reading the Digest this year. Have a happy Christmas and no system crashes or attacks until (at least) the new year!
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 22 December, 2000