By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
Several problems with BIND have been discovered, discussed and fixed. The bulletins and articles are analyzed and pulled together in the Tip of the Week section.
CERT Incident Note IN-2001-01 - Widespread Compromises via "Ramen" Toolkit
http://www.cert.org/incident_notes/IN-2001-01.html
The CERT/CC has received reports from sites that have recovered an intruder toolkit called "Ramen" from compromised hosts. It targets Linux systems, but Solaris administrators should still know about Ramen, which scans for the wu-ftpd, LPRng and rpc.statd vulnerabilities.
CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd
http://www.cert.org/advisories/CA-2000-17.html
This advisory is not new in the Solaris Digest, but the CERT/CC continues to receive reports of Linux systems being root compromised via an input validation vulnerability in rpc.statd. All systems running the rpc.statd service are vulnerable. More information about this vulnerability is available at the following public URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0666 and http://www.securityfocus.com/bid/1480.
Solution: Upgrade your version of rpc.statd, disable the rpc.statd service or block unneeded ports at your firewall.
CERT Advisory CA-2000-13 Two Input Validation Problems In FTPD
http://www.cert.org/advisories/CA-2000-13.html
This advisory is not new in the Solaris Digest, but the CERT/CC continues to receive reports of systems being root compromised via an input validation vulnerability in the 'SITE EXEC' command of some FTP daemons. For more information about related intruder activity, please see CERT Incident Note IN-2000-10 at http://www.cert.org/incident_notes/IN-2000-10.html.
Solution: The CERT/CC encourages all Internet sites to review the rpc.statd advisory (CA-2000-17) and the wu-ftpd advisory (CA-2000-13) and ensure that workarounds or patches have been applied on all affected hosts on your network.
Solaris BIND is also affected by the ISC BIND problem. See the Tip of the Week section.
Solaris7/8 ximp40 shared library buffer overflow
unyun
http://www.securityfocus.com/vdb/bottom.html?vid=2322
http://archives.neohapsis.com/archives/bugtraq/2001-01/0517.html
http://shadowpenguin.backsection.net/
Confidence: This is an initial report submitted to Bugtraq. No confirmation is yet available.
Severity: A local user could gain root access.
Description: The shared library "ximp40", installed by default on Solaris 7 and 8, has a buffer overflow bug. A local user can obtain root privileges or the mail group id through the following suid/sgid programs, which link the shared library ximp40. On Solaris 8:
suid root : /usr/dt/bin/dtaction
suid root : /usr/dt/bin/dtprintinfo
suid root : /usr/openwin/bin/sys-suspend
sgid mail : /usr/dt/bin/dtmail
sgid mail : /usr/openwin/bin/mailtool
Fix: remove the SGID/SUID bits from the affected binaries and wait for a patch from Sun.
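An added example of applying that interim fix (this is not code from the original report, from Sun or from the digest): a small sh script that records and strips the set-uid/set-gid bits on the binaries named above and verifies that they are gone, plus a helper to confirm on your own release which set-id binaries actually link ximp40. The binary paths are the ones the report lists for Solaris 8; the ldd output format and the log file location are assumptions.

```shell
#!/bin/sh
# Added example for the Solaris digest, not Sun's code.  Strips the set-id bits from the
# binaries the ximp40 report names, keeping a record so they can be restored after patching.
# Assumptions: paths are the Solaris 8 ones from the report; "ldd" prints one
# "lib => path" line per library (true on Solaris and Linux).  Run as root on the real host.

XIMP40_SETID_BINARIES="
/usr/dt/bin/dtaction
/usr/dt/bin/dtprintinfo
/usr/openwin/bin/sys-suspend
/usr/dt/bin/dtmail
/usr/openwin/bin/mailtool
"

# find_setid_users LIB DIR...: list set-uid/set-gid binaries under DIR... whose ldd
# output mentions LIB.  Use it to confirm the list above on your own release.
find_setid_users() {
    lib=$1; shift
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r f; do
        ldd "$f" 2>/dev/null | grep -q "$lib" && echo "$f"
    done
}

# strip_setid FILE...: clear the set-uid and set-gid bits on each FILE that exists.
# Prints "<file> <bits that were set>" (u+s, g+s, u+s,g+s or none) so the change can be
# undone with chmod later.  Returns 0 if no file that exists still has either bit set.
strip_setid() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "$f: not present, skipped" >&2
            continue
        fi
        old=
        [ -u "$f" ] && old="${old}u+s,"
        [ -g "$f" ] && old="${old}g+s,"
        old=${old%,}
        echo "$f ${old:-none}"
        chmod u-s,g-s "$f" || rc=1
        # verify: neither bit may remain after the chmod
        if [ -u "$f" ] || [ -g "$f" ]; then
            echo "$f: set-id bit still present" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on the affected host (uncomment; the log path is an arbitrary choice):
#   find_setid_users ximp40 /usr/dt /usr/openwin
#   strip_setid $XIMP40_SETID_BINARIES > /var/tmp/ximp40-setid.log
```

Keep the log: once Sun's patch is installed, the recorded bits tell you exactly which binaries to give back their set-uid or set-gid mode, and the verification step catches a chmod that silently failed (for example on a read-only /usr).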
2001-01-25: Netscape Enterprise Server Web Publishing DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2294
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Jan/26/01
Solaris 7 Jan/30/01
Solaris 2.6 Jan/29/01
Solaris 2.5.1 Jan/26/01
See also ftp://sunsolve.sun.com/pub/patches.
Note: In future, we'll also provide you with a list of patches that have changed each week, and a list of changes to each new bundle published (starting from the bundles above).
Solaris 2.6 updated or new security related patches:
110531-01 AnswerBook 1.4.2: HTTP GET overflow allows code execution
110532-01 AnswerBook 1.4.3: HTTP GET overflow allows code execution
110613-01 PC FileViewer 1.x: FileViewer takes up large amount of cpu time
110420-02 SSP 3.4: ssp_restore overwrites newer files with older ones.
Solaris 7 updated or new security related patches:
110281-01 SunOS 5.7: find's expansion of {} is broken
110531-01 AnswerBook 1.4.2: HTTP GET overflow allows code execution
110532-01 AnswerBook 1.4.3: HTTP GET overflow allows code execution
110613-01 PC FileViewer 1.x: FileViewer takes up large amount of cpu time
Interview with Wietse Venema
Kurt Seifried
http://securityportal.com/closet/closet20010131.html
Wietse Venema has contributed so much to computer security, he has to be worth listening to....
Giving away the secrets - A detailed list of online Solaris resources
Peter Baer Galvin
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0126-supersys.html
Solaris users have many questions about systems administration, and they seek answers via email, Internet news postings, help-desk phone calls, and search engines. This month, Peter Baer Galvin delves into the many online sources of Solaris administration information: those that are helpful, those that are complete, and those that you can't live without.
Comment: not very useful.
SolarisGuide
DoS Attack Summary
Richard Steenbergen
http://www.e-gerbil.net/ras/dos.txt
A great summary of what a DoS (Denial of Service) attack is, and some proactive measures you can take to protect your network.
SecurityFocus
Studying Normal Traffic, Part One
Karen Frederick
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/normaltraf.html
Many intrusion detection analysts concentrate on identifying the characteristics of suspicious packets - illegal TCP flag combinations or reserved IP addresses, for example. However, it is also important to be familiar with what normal traffic looks like. A great way to learn what traffic should look like is to generate some normal traffic, capture the packets and examine them. In this article in SecurityFocus.com's Intrusion Detection Systems focus area, Karen Frederick will discuss a tool for logging packets, and will review some packet captures in depth.
O'Reilly
New Security Problems and a Warning About Checking User Input
Noel Davis
http://www.oreillynet.com/pub/a/linux/2001/01/30/insecurities.html
A discussion of buffer overflows in splitvt, bing, write, and Lotus Domino's SMTP server; temporary file problems with webmin and Apache's mod_rewrite; format string problems with icecast; ip firewalling problems with FreeBSD; and SQL problems in Postaci.
LinuxSecurity
SSL is not a magic bullet
Rik Farrow / Spirit.com
http://www.spirit.com/Network/net1100.txt
Unfortunately, SSL has a checkered past and present. Like other security problems involving encryption packages, the issues lie not so much in SSL as in the software used to implement and support it. Instead of guaranteeing security, SSL may provide a false sense of security through its occasional failings. In this column, Rik Farrow examines how SSL works, what it can do, and how the products and applications that use SSL have failed, resulting in updates to Netscape Navigator and Microsoft's Internet Explorer and IIS this year.
Top Ten Secure Shell FAQs
O'Reilly
http://sysadmin.oreilly.com/news/sshtips_0101.html
Used properly, SSH is an extremely valuable tool that helps users more safely navigate today's Internet and helps system administrators secure their networks or perform remote administration. Because of its flexibility--as well as the existence of multiple implementations for various operating systems with differing features and limitations--newcomers to SSH frequently have lots of questions.
Comment: good stuff.
Call For Testers: New Secure ftpd
Chris Evans
ftp://ferret.lmh.ox.ac.uk/pub/linux/vsftpd-0.0.9.tar.gz
Chris Evans has announced a beta release of "vsftpd". vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously this is not a guarantee, but a reflection that I have written the entire codebase with security in mind, and carefully designed the program to be resilient to attack.
Included in the distribution is information on the design goals and decisions of the new daemon, and how he limits buffer overflow exposure and trust relationships. More information about what should be tested is available at http://www.linuxsecurity.com/articles/security_sources_article-2390.html.
System Fingerprinting
Rik Farrow
http://www.spirit.com/Network/net0900.txt
A useful explanation of how the famous Nmap does its stuff.
Security is an Interactive Sport: Lessons learned from Ramen
Benjamin D. Thomas
http://www.linuxsecurity.com/feature_stories/feature_story-75.html
This article outlines the importance of monitoring vendor advisories and applying appropriate software patches when necessary. It uses the Ramen epidemic as an example showing the possible effects of poor system administration.
Intrusion Detection Systems: Part II - Installing Tripwire
Trevor Warren
http://www.freeos.com/articles/3405
A brief overview of running Tripwire on RedHat.
01/31/01 Rendering BIND 8.2.3 ultra secure
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2001-02-03&tid=159707&threads=1&list=92&start=2001-01-28&
01/29/01 Five questionable processes on fw
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2001-02-03&tid=159443&threads=1&list=92&start=2001-01-28&
01/29/01 Sun or Checkpoint
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2001-02-03&tid=159437&threads=1&list=92&start=2001-01-28&
01/26/01 Sun Cluster Remote Management Server??
http://www.securityfocus.com/templates/archive.pike?start=2001-01-21&threads=1&list=92&fromthread=0&tid=158790&end=2001-01-27&
Yassp beta 15 is still current.
Discussions this week:
New after.html
http://www.theorygroup.com/Archive/YASSP/2001/msg00023.html
How to make YASSP and patch updates co-exist...
http://www.theorygroup.com/Archive/YASSP/2001/msg00019.html
PARCDaily suggested change
http://www.theorygroup.com/Archive/YASSP/2001/msg00018.html
Default syslog.conf config
http://www.theorygroup.com/Archive/YASSP/2001/msg00010.html
See also http://www.yassp.org
All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Updates to General free tools this week include mod_ssl, Stunnel, BIND and Apache.
Auditing and Intrusion Monitoring tools include Nessus, Snort, Saint, Titan, Chkrootkit and 7 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IPtables, RChains and 3 other tools.
Tools for Linux/Unix/Cross Platform include OpenCA, Libnet and 7 other tools.
Tools for Windows include Tiny Personal Firewall, Forix iScan and 4 other tools.
BIND, the well known DNS server, has turned up a few serious vulnerabilities (discovered by NAI) which have caused widespread concern. We present here the original bulletins and our analysis, and point to relevant articles.
Vulnerabilities in BIND 4 and 8
http://archives.neohapsis.com/archives/bugtraq/2001-01/0472.html
The original report from NAI's COVERT labs.
CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.html
The CERT/CC has recently learned of four vulnerabilities spanning multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. Because the majority of name servers in operation today run BIND, these vulnerabilities present a serious threat to the Internet infrastructure.
Systems affected: DNS servers running various versions of ISC BIND (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is not affected) and derivatives. Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other services could be impacted if these vulnerabilities are exploited. The four vulnerabilities are:
- Vulnerability Note VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
http://www.kb.cert.org/vuls/id/196945
- Vulnerability Note VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
http://www.kb.cert.org/vuls/id/572183
- Vulnerability Note VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
http://www.kb.cert.org/vuls/id/868916
- Vulnerability Note VU#325431 - Queries to ISC BIND servers may disclose environment variables
http://www.kb.cert.org/vuls/id/325431
The Internet Software Consortium has posted information about all four vulnerabilities at http://www.isc.org/products/BIND/bind-security.html. Upgrading to BIND version 9.1 is strongly recommended. If that is not possible for your site, upgrading at least to BIND version 8.2.3 is imperative.
Bugtraq database
2001-01-29: ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2302
2001-01-29: ISC Bind 8 Transaction Signatures Heap Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2304
2001-01-29: ISC Bind 4 nslookupComplain() Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2307
2001-01-29: ISC Bind 4 nslookupComplain() Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2309
BIND holes mean big trouble
Kevin Poulsen
http://www.securityfocus.com/news/144
ISC wants to limit access to BIND security advisories to a closed group of third parties, to reduce the window of exposure between an announcement being released, attackers automating attacks, vendors releasing patches and sysadmins installing the patches.
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D159741%26threads%3D0%26end%3D2001-02-03%26fromthread%3D0%26list%3D1%26start%3D2001-01-28%26
- It is recommended to upgrade your critical Internet DNS servers soon, DNS is just too important.
- Exploit code for the TSIG weakness was announced, but it turned out that the "exploit" was in fact a trojan that attacks dns1.nai.com:
http://archives.neohapsis.com/archives/bugtraq/2001-01/0517.html
- Sun has not yet released patches (you're better off running ISC's BIND anyway); some Linux vendors already had fixes available on Tuesday.
- How could you defend against these bugs in advance? Chroot'ing helps, as does hiding the BIND version, running as a non-root user, using a dedicated machine and monitoring logs. Some people don't believe in hiding the version number, as it is "security by obscurity", but I maintain that it at least helps against the script kiddies who are roaming the net looking for obvious targets. Defending against the pros is a different matter.
- The fix is to upgrade to 8.2.3, or to the newer 9.1. ISC recommends going to 9.1.
- Upgrading to 8.2.3 is easy enough; one more library needs to be added to the chroot jail on a Solaris 8 primary. See also the article "Hardening the BIND DNS Server", http://securityportal.com/cover/coverstory20001002.html
- Personally, I've been reluctant to go to 9.1, since it's a complete rewrite and one would expect bugs in such a scenario. BIND v9 is now several months old however, and does not suffer from these new weaknesses (which is a good sign). So this may be the time (and excuse) to tackle v9.1.
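The defences listed above (hide the version, run as a non-root user, chroot) can be audited with a few lines of sh. The following is an added example, not code from the original digest or from ISC. The sample named.conf fragments and the sample command lines are constructed for it, and the user name "named" and jail directory "/chroot/named" are placeholders. It goes a little beyond the digest's list by also checking two standard BIND 8/9 options that matter on an authoritative primary, allow-transfer and recursion.

```shell
#!/bin/sh
# Added example for the Solaris digest; not ISC code.  Audits the pre-upgrade defences
# discussed above against (1) the text of a named.conf and (2) the named command line.
# Assumptions: the sample configs and command lines below are constructed; "named" and
# "/chroot/named" are placeholder names.

# conf_has TEXT PATTERN: true if some line of TEXT matches the extended regexp PATTERN.
conf_has() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# check_named_conf TEXT: print one "missing:" line per absent hardening option.
# Returns 0 when version, allow-transfer and "recursion no" are all present, else 1.
check_named_conf() {
    conf=$1
    rc=0
    if ! conf_has "$conf" '^[[:space:]]*version[[:space:]]+"'; then
        echo 'missing: version "..."; (a CHAOS version.bind query returns the real version)'
        rc=1
    fi
    if ! conf_has "$conf" '^[[:space:]]*allow-transfer[[:space:]]*[{]'; then
        echo 'missing: allow-transfer { ... }; (any host can pull the zones with AXFR)'
        rc=1
    fi
    if ! conf_has "$conf" '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        echo 'missing: recursion no; (an authoritative-only server should not recurse)'
        rc=1
    fi
    return $rc
}

# check_named_args ARGS: ARGS is the command line of the running named (e.g. from ps).
# Requires "-u <user other than root>" and "-t <chroot directory>".  A plain -u/-t scan,
# which is enough for named's short option set.
check_named_args() {
    args=$1
    rc=0
    user=$(printf '%s\n' "$args" | sed -n 's/.*-u[[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p')
    jail=$(printf '%s\n' "$args" | sed -n 's/.*-t[[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p')
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo 'missing: -u <unprivileged user> (named runs as root)'
        rc=1
    fi
    if [ -z "$jail" ]; then
        echo 'missing: -t <jail directory> (named is not chrooted)'
        rc=1
    fi
    return $rc
}

# Constructed samples: a default-looking primary and a hardened one.
WEAK_CONF='options {
    directory "/var/named";
};
zone "example.test" {
    type master;
    file "example.test.zone";
};'

HARD_CONF='options {
    directory "/var/named";
    version "not available";
    allow-transfer { 192.0.2.2; };
    recursion no;
};
zone "example.test" {
    type master;
    file "example.test.zone";
};'

WEAK_ARGS='/usr/sbin/in.named'
HARD_ARGS='/usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf'

echo '== weak named.conf';       check_named_conf "$WEAK_CONF" || echo '=> fails'
echo '== hardened named.conf';   check_named_conf "$HARD_CONF" && echo '=> passes'
echo '== weak command line';     check_named_args "$WEAK_ARGS" || echo '=> fails'
echo '== hardened command line'; check_named_args "$HARD_ARGS" && echo '=> passes'
```

On a live server, feed the real files in: `check_named_conf "$(cat /etc/named.conf)"` and `check_named_args "$(ps -ef | grep '[n]amed')"`. Remember that `-u` and `-t` only reduce the damage; the fix for the TSIG and nslookupComplain() bugs is still the upgrade.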
All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html
Sign up to get this digest and many others by email.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 02 February, 2001