Weekly Solaris Security Digest
2000/12/18 to 2000/12/25

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

2000-12-18: Solaris patchadd Race Condition Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2127

The Problem: patchadd is the patch management tool included with Solaris. A problem exists which could allow a user to corrupt or append to system files.
The problem exists in the creation of /tmp files by patchadd. patchadd creates a variety of files in /tmp while installing patches on the operating system. The files created in /tmp are mode 0666 and are named with the extension sh<pid of patchadd>.1, sh<pid of patchadd>.2, and so on. Running the program requires administrative access. It is possible to brute-force guess the pid of patchadd and create files in the /tmp directory that are symbolic links to sensitive system files. It is therefore possible for a user with malicious intent to gain elevated privileges, corrupt system files, or execute arbitrary commands.
Analysis: No patches are yet available. The problem is a 'local exploit' on Solaris 7/8 (patchadd did not exist in older versions), so on sensitive multi-user systems, either install patches in single-user mode, or remove /tmp files just before running patchadd.
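As an added illustration of the second workaround (this is not code from the digest or from Sun): a pre-flight scan of the temp directory for symlinks that already carry the sh<pid>.<n> names patchadd will create, plus a wrapper that refuses to start patchadd until they are gone. It assumes readlink(1) is available and that patchadd lives at /usr/sbin/patchadd.

```shell
#!/bin/sh
# Added example (not from the digest or from Sun): a pre-flight check for
# the patchadd temp-file race described above. patchadd writes mode-0666
# files named sh<pid>.1, sh<pid>.2 ... into /tmp; if one of those names
# already exists as a symlink, patchadd follows it. This scan reports any
# such link so root can clean /tmp before installing patches.
# Assumes readlink(1) is available (it is not on every old Solaris release).

# Usage: check_patchadd_tmp [tmpdir]   (default /tmp)
# Prints one line per suspicious entry; returns 0 only when none were found.
check_patchadd_tmp() {
    dir="${1:-/tmp}"
    found=0
    for f in "$dir"/sh*; do
        # the glob is left unexpanded when nothing matches; -L catches dangling links
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then continue; fi
        name="${f##*/}"
        case "$name" in
            sh[0-9]*.[0-9]*) ;;      # only the sh<pid>.<n> shape patchadd uses
            *) continue ;;
        esac
        if [ -L "$f" ]; then
            printf 'SYMLINK %s -> %s\n' "$f" "$(readlink "$f")"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Usage: safe_patchadd <patchadd arguments>
# Refuses to start patchadd while the check above finds anything.
safe_patchadd() {
    if ! check_patchadd_tmp /tmp; then
        echo "refusing to run patchadd: remove the entries listed above first" >&2
        return 1
    fi
    /usr/sbin/patchadd "$@"
}
```

Run check_patchadd_tmp on its own to audit /tmp, or call safe_patchadd in place of patchadd on a multi-user box that cannot be taken to single-user mode.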


Solaris 2.7/2.8 catman temp file vulnerability.
Vapid Labs
http://vapid.betteros.org/catman-advisory.html

Through the use of symlinking temporary files created by /usr/bin/catman upon execution by root, a local user can clobber root owned files. Sun has been informed, Sun BugID: 4392144.
Analysis: Workarounds until a patch is available:
a) ensure that catman is not automatically executed from cron on multi-user systems
b) Root users should avoid using catman on sensitive multi-user systems.


Sun Cluster multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2000-12/0180.html

Sun Cluster version 2.x contains various vulnerabilities that would allow a remote attacker to gain access to system configuration information of a host running in.mond, the Cluster monitor daemon. By telnetting to port 12000, an attacker can read the host's syslog and view the cluster configuration information. Further, if an attacker has a local account, he or she can create a symlink in /var/opt/SUNWcluster/fm/fmstatus/nfs/<logicalhostname>/status, and then use the "open hastat" command of the monitor daemon to view any file on the host. Sun is working on a patch.

Bugtraq vulnerabilities this week - 3rd party applications:

2000-12-19: Stunnel Weak Encryption Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2137

2000-12-18: Stunnel Local Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2128

2000-12-18: Sonata Local Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2125


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8 Dec/19/00*
Solaris 7 Dec/19/00*
Solaris 2.6 Dec/05/00
Solaris 2.5.1 Dec/12/00
See also: ftp://sunsolve.sun.com/pub/patches

News & Articles

Solaris BSM

I mentioned a while back a problem I had with Solaris BSM: on Solaris 8 x86 boxes, if BSM is switched on, all root cron jobs fail. Other Solaris 8 SPARC systems run BSM happily (they have an older patch level however).

A reader wrote in to note that this problem is known to Sun (SRDB ID: 18219). Fix: for each file in /var/spool/cron/crontabs, there should also be a FILE.au, e.g.
touch /var/spool/cron/crontabs/root.au
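The same fix applied to the whole crontab spool, as an added example that is not from the digest or from Sun's SRDB: one function lists the crontabs that lack their .au companion, the other creates the missing ones. The spool directory is a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not part of the digest or of Sun's SRDB: apply the reader's
# fix to every crontab at once. Solaris 8 BSM expects a companion FILE.au
# beside each file in the crontab spool; this lists the ones that lack it
# and creates the missing (empty) companions, which is what the touch above does.

# Usage: missing_cron_au [spooldir]   (default /var/spool/cron/crontabs)
# Prints the path of each crontab that has no .au companion.
missing_cron_au() {
    dir="${1:-/var/spool/cron/crontabs}"
    for ct in "$dir"/*; do
        [ -f "$ct" ] || continue                 # skip unexpanded glob, subdirs
        case "$ct" in *.au) continue ;; esac     # the companions themselves
        [ -e "$ct.au" ] || echo "$ct"
    done
    return 0
}

# Usage: ensure_cron_au [spooldir]
# Creates each missing companion and reports it; existing files are untouched.
ensure_cron_au() {
    dir="${1:-/var/spool/cron/crontabs}"
    missing_cron_au "$dir" | while read -r ct; do
        : > "$ct.au"                             # equivalent to touch "$ct.au"
        echo "created $ct.au"
    done
}
```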

CERT

The CERT/CC Vulnerability Notes Database
http://www.kb.cert.org/vuls

In keeping with our new vulnerability disclosure policy, the CERT Coordination Center publishes information on a wide variety of vulnerabilities. Descriptions of these vulnerabilities are available from this web page in a searchable database format, and are published as "CERT Vulnerability Notes".

SolarisGuide

Installing a secure web server
Rich Bowen
http://apachetoday.com/news_story.php3?ltsn=2000-12-11-001-06-OS-LF-AD

Comment: This is a skimpy overview of getting SSL running on Apache, which is not quite what the title suggests. However, it does present a link to a presentation given by Ralf S. Engelschall in the auditorium of the London Olympia Centre at ApacheCon 2000 Europe (25 slides).
http://www.modssl.org/docs/apachecon2000/

Sunworld

SunWorld has changed its name to Unix Insider!
http://www.sunworld.com/unixinsideronline/swol-12-2000/swol-1211-letter.html

LinuxSecurity

The SC Magazine Pick of 2000
http://www.scmagazine.com/scmagazine/2000_12/testc/index.htm

Over the course of 2000, SC Magazine has covered many topics in our Test Centers and Market Surveys. We have also tested many products, which have featured as standalone reviews. In this issue we bring you the Pick of 2000 - that's all the products that have achieved either an overall 5-star rating, our Best Buy or Recommended awards.
Comment: My favorites are not listed...

Root Security
http://linuxsecurity.com/tips/tip-12.html
Dave Wreski

This posting is short, 6 months old and timeless. Read it to remind yourself of key issues when logged in as root.


SecurityFocus

Solaris Kernel Tuning for Security
http://securityfocus.com/focus/sun/articles/kernel.html
Ido Dubrawsky

This article looks at the main kernel parameters for hardening the IP stack and ARP responses. ARP attacks are well described. This document helps explain why hardening tools like Yassp and Titan insist on kernel tuning.


Vulnerabilities in Operating-System Patch Distribution
Matt Power
http://razor.bindview.com/publish/papers/os-patch.html

In this research project, BindView Corporation has studied the processes by which 27 operating-system vendors distribute security patches. The report focuses on vulnerabilities in these processes, with the hope that customers can use the information to assess the adequacy of the processes used by their own vendors, in both an absolute and comparative sense.
Comment: A thorough look at patch notification and distribution.

O'Reilly Net

Order from Chaos with Procmail
Kevin Mullet
http://sysadmin.oreilly.com/news/procmail_1200.html


Mailing Lists

FOCUS-Sun Discussions Threads

12/18/00 SEAM, KRB5 and phrase length
http://securityfocus.com/templates/archive.pike?threads=1&end=2000-12-23&start=2000-12-17&tid=151678&list=92&fromthread=0&

12/18/00 Solaris 8 and Windows NT...
http://securityfocus.com/templates/archive.pike?threads=1&end=2000-12-23&start=2000-12-17&tid=151508&list=92&fromthread=0&


YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

Discussions:

First draft: check startup file script
http://www.theorygroup.com/Archive/YASSP/2000/msg00775.html

A tool to check what is started at boot time, list the scripts in order, and check the coherency of the /etc/rc?.d and /etc/init.d directories. A second script will use this one to check that the init scripts are managed by YASSP and, if not, propose to yasspify them.
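Two checks in the spirit of that posting, written here as an added example and not the YASSP script itself: rc_order lists what init runs for one run level in the order it runs it, and rc_orphans flags rc?.d entries with no matching /etc/init.d script. They assume the classic Solaris layout where /etc/rcN.d/S##name is a hard link to /etc/init.d/name, and take a ROOT prefix so they can be run against a copy of the tree.

```shell
#!/bin/sh
# Added example, not the YASSP script itself: two checks in the spirit of the
# posting above. rc_order lists what init(1M) runs for one run level, in the
# order it runs it (K scripts, then S scripts, lexically). rc_orphans flags
# entries under /etc/rc?.d that no longer correspond to an /etc/init.d script.
# Assumes the classic Solaris layout where /etc/rcN.d/S##name is a hard link
# to /etc/init.d/name; ROOT lets the checks run against a copy of the tree.

# Usage: rc_order ROOT RUNLEVEL
rc_order() {
    d="$1/etc/rc$2.d"
    [ -d "$d" ] || return 1
    for f in "$d"/K* "$d"/S*; do
        if [ -e "$f" ]; then echo "${f##*/}"; fi
    done
    return 0
}

# Usage: rc_orphans ROOT
# "orphan": no /etc/init.d script of that name; "detached": the script exists
# but the rc entry is a separate file, so edits to one will not reach the other.
# Returns 0 only when the two directories are coherent.
rc_orphans() {
    initd="$1/etc/init.d"
    n=0
    for f in "$1"/etc/rc?.d/[SK][0-9]*; do
        [ -e "$f" ] || continue
        name=$(printf '%s\n' "${f##*/}" | sed 's/^[SK][0-9]*//')   # S72inetsvc -> inetsvc
        if [ ! -e "$initd/$name" ]; then
            echo "orphan: $f (no $initd/$name)"
            n=$((n + 1))
        elif [ ! "$f" -ef "$initd/$name" ]; then
            echo "detached: $f is not the same file as $initd/$name"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}
```

On a live system call them with an empty ROOT (rc_order "" 2; rc_orphans ""); the "detached" case is the one hardening tools trip over, since a copied rather than linked rc entry silently stops tracking the script it came from.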

See also
http://www.yassp.org


Tip of the Week

The Solaris Security Digest came to life in May 2000, and each week we have tried to include a useful tip. The following document collects those tips in FAQ style. Just browse the table of contents to find items that interest you.

http://securityportal.com/articles/solaristips20001220.html

Thanks for reading the Digest this year. Have a happy Christmas and no system crashes or attacks until (at least) the new year!


References and Resources

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

All security tool news is now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 22 December, 2000
