Weekly Solaris Security Digest
2000/01/29 to 2001/02/05

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown

Several problems with BIND have been discovered, discussed and fixed. The bulletins and articles are analysed and pulled together in the Tip of the Week section.


Advisories and Security Bulletins

Sun / CERT bulletins

CERT Incident Note IN-2001-01 - Widespread Compromises via "Ramen" Toolkit
http://www.cert.org/incident_notes/IN-2001-01.html

The CERT/CC has received reports from sites that have recovered an intruder toolkit called "Ramen" from compromised hosts. It targets Linux systems, but Solaris administrators should still know about it: Ramen scans for hosts exposing the wu-ftpd, LPRng and rpc.statd vulnerabilities.

 

CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd
http://www.cert.org/advisories/CA-2000-17.html

This advisory is not new to the Solaris Digest, but the CERT/CC continues to receive reports of Linux systems being root-compromised via an input validation vulnerability in rpc.statd. All the systems running the rpc.statd service are vulnerable. More information about this vulnerability is available at the following public URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0666 and http://www.securityfocus.com/bid/1480.

Solution: Upgrade your version of rpc.statd, disable the rpc.statd service or block unneeded ports at your firewall.

 

CERT Advisory CA-2000-13 Two Input Validation Problems In FTPD
http://www.cert.org/advisories/CA-2000-13.html

This advisory is not new to the Solaris Digest either, but the CERT/CC continues to receive reports of systems being root-compromised via an input validation vulnerability in the 'SITE EXEC' command of some FTP daemons. For more information about related intruder activity, please see CERT Incident Note IN-2000-10 at http://www.cert.org/incident_notes/IN-2000-10.html.

Solution: The CERT/CC encourages all Internet sites to review the rpc.statd advisory (CA-2000-17) and the wu-ftpd advisory (CA-2000-13) and ensure that workarounds or patches have been applied on all affected hosts on your network.

 

Bugtraq vulnerabilities this week - Solaris:

Solaris BIND is also affected by the ISC BIND problem. See the Tip of the Week section.

Solaris7/8 ximp40 shared library buffer overflow
unyun
http://www.securityfocus.com/vdb/bottom.html?vid=2322
http://archives.neohapsis.com/archives/bugtraq/2001-01/0517.html
http://shadowpenguin.backsection.net/

Confidence: This is an initial report submitted to Bugtraq. No confirmation is yet available.
Severity: A local user could gain root access.
Description: The shared library "ximp40", installed by default on Solaris 7 and 8, has a buffer overflow bug. A local user can obtain root privileges or the mail gid through the following suid/sgid programs, which link against ximp40. On Solaris 8:
suid root : /usr/dt/bin/dtaction
suid root : /usr/dt/bin/dtprintinfo
suid root : /usr/openwin/bin/sys-suspend
sgid mail : /usr/dt/bin/dtmail
sgid mail : /usr/openwin/bin/mailtool

Fix: remove SGID/SUID from affected binaries and wait for a patch from Sun.
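The interim fix above is to take the setuid/setgid bits off the listed programs until Sun ships a patch. The following script is an added example (not part of the report, the digest or Sun's own tooling) that audits those binaries and strips the bits; the path list is the Solaris 8 one quoted in the report, while the function names and the -n dry-run flag are this example's own.

```shell
#!/bin/sh
# Added example: audit and strip setuid/setgid bits on the ximp40 clients.
# Paths come from the Bugtraq report for Solaris 8; function names and the
# -n (dry run) option are this example's own conventions.

XIMP40_SETID_PROGRAMS="/usr/dt/bin/dtaction
/usr/dt/bin/dtprintinfo
/usr/openwin/bin/sys-suspend
/usr/dt/bin/dtmail
/usr/openwin/bin/mailtool"

# is_setid FILE: succeeds if FILE exists and carries the setuid or setgid bit.
is_setid() {
    [ -e "$1" ] || return 1
    # -prune stops find descending if $1 is a directory; any output means
    # one of the permission tests matched.
    [ -n "$(find "$1" -prune \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null)" ]
}

# strip_setid FILE: remove both setuid and setgid, leaving the rest of the
# mode untouched. Returns chmod's exit status.
strip_setid() {
    chmod u-s,g-s "$1"
}

# audit_setid [-n] FILE...: report each listed file that still has a setid
# bit; without -n, strip it as well. Files that do not exist (e.g. CDE not
# installed) are skipped silently.
audit_setid() {
    dry_run=0
    if [ "$1" = "-n" ]; then dry_run=1; shift; fi
    for f in "$@"; do
        if is_setid "$f"; then
            if [ "$dry_run" -eq 1 ]; then
                echo "would strip setuid/setgid: $f"
            else
                strip_setid "$f" && echo "stripped setuid/setgid: $f"
            fi
        fi
    done
    return 0
}

# On a Solaris 8 host, run a dry run first, then for real (as root):
#   audit_setid -n $XIMP40_SETID_PROGRAMS
#   audit_setid $XIMP40_SETID_PROGRAMS
```

Keep a record of the original modes (ls -l of the five files) before stripping, so the bits can be restored once Sun's patch replaces the library and the programs are safe to run setuid again.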

Bugtraq vulnerabilities this week - 3rd party applications:

2001-01-25: Netscape Enterprise Server Web Publishing DoS Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2294


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8       Jan/26/01
Solaris 7       Jan/30/01
Solaris 2.6     Jan/29/01
Solaris 2.5.1   Jan/26/01

See also ftp://sunsolve.sun.com/pub/patches.

Note: In future, we'll also provide a list of the patches that have changed each week, and a list of the changes in each newly published bundle (starting from the bundles above).

Solaris 2.6 updated or new security related patches:

110531-01 AnswerBook 1.4.2: HTTP GET overflow allows code execution
110532-01 AnswerBook 1.4.3: HTTP GET overflow allows code execution
110613-01 PC FileViewer 1.x: FileViewer takes up large amount of cpu time
110420-02 SSP 3.4: ssp_restore overwrites newer files with older ones.

Solaris 7 updated or new security related patches:

110281-01 SunOS 5.7: find's expansion of {} is broken
110531-01 AnswerBook 1.4.2: HTTP GET overflow allows code execution
110532-01 AnswerBook 1.4.3: HTTP GET overflow allows code execution
110613-01 PC FileViewer 1.x: FileViewer takes up large amount of cpu time


News & Articles

SecurityPortal

Interview with Wietse Venema
Kurt Seifried
http://securityportal.com/closet/closet20010131.html

Wietse Venema has contributed so much to computer security, he has to be worth listening to....

 

SunWorld/UnixInsider

Giving away the secrets - A detailed list of online Solaris resources
Peter Baer Galvin
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0126-supersys.html

Solaris users have many questions about systems administration, and they seek answers via email, Internet news postings, help-desk phone calls, and search engines. This month, Peter Baer Galvin delves into the many online sources of Solaris administration information: those that are helpful, those that are complete, and those that you can't live without.

Comment: not very useful.

 

SolarisGuide

DoS Attack Summary
Richard Steenbergen
http://www.e-gerbil.net/ras/dos.txt

A great summary of what a DoS (Denial of Service) Attack is, and some proactive measures you can take to protect your network.

 

SecurityFocus

Studying Normal Traffic, Part One
Karen Frederick
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/normaltraf.html

Many intrusion detection analysts concentrate on identifying the characteristics of suspicious packets - illegal TCP flag combinations or reserved IP addresses, for example. However, it is also important to be familiar with what normal traffic looks like. A great way to learn what traffic should look like is to generate some normal traffic, capture the packets and examine them. In this article in SecurityFocus.com's Intrusion Detection Systems focus area, Karen Frederick will discuss a tool for logging packets, and will review some packet captures in depth.

 

O'Reilly

New Security Problems and a Warning About Checking User Input
Noel Davis
http://www.oreillynet.com/pub/a/linux/2001/01/30/insecurities.html

A discussion of buffer overflows in splitvt, bing, write, and Lotus Domino's SMTP server; temporary file problems with webmin and Apache's mod_rewrite; format string problems with icecast; ip firewalling problems with FreeBSD; and SQL problems in Postaci.

 

LinuxSecurity

SSL is not a magic bullet
Rik Farrow / Spirit.com
http://www.spirit.com/Network/net1100.txt

Unfortunately, SSL has a checkered past and present. Like other security problems involving encryption packages, the issues lie not so much in SSL as in the software used to implement and support it. Instead of guaranteeing security, SSL may provide a false sense of security through its occasional failings. In this column, Rik Farrow examines how SSL works, what it can do, and how the products and applications that use SSL have failed, resulting in updates to Netscape Navigator and Microsoft's Internet Explorer and IIS this year.

 

Top Ten Secure Shell FAQs
O'Reilly
http://sysadmin.oreilly.com/news/sshtips_0101.html

Used properly, SSH is an extremely valuable tool that helps users more safely navigate today's Internet and helps system administrators secure their networks or perform remote administration. Because of its flexibility--as well as the existence of multiple implementations for various operating systems with differing features and limitations--newcomers to SSH frequently have lots of questions.

Comment: good stuff.

 

Call For Testers: New Secure ftpd
Chris Evans
ftp://ferret.lmh.ox.ac.uk/pub/linux/vsftpd-0.0.9.tar.gz

Chris Evans has announced a beta release of "vsftpd". vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously this is not a guarantee, but a reflection that I have written the entire codebase with security in mind, and carefully designed the program to be resilient to attack.
Included in the distribution is information on the design goals and decisions of the new daemon, and how he limits buffer overflow exposure and trust relationships. More information about what should be tested is available at http://www.linuxsecurity.com/articles/security_sources_article-2390.html.

 

System Fingerprinting
Rik Farrow
http://www.spirit.com/Network/net0900.txt

A useful explanation of how the famous Nmap does its stuff.

 

Security is an Interactive Sport: Lessons learned from Ramen
Benjamin D. Thomas
http://www.linuxsecurity.com/feature_stories/feature_story-75.html

This article outlines the importance of monitoring vendor advisories and applying appropriate software patches when necessary. It uses the Ramen epidemic as an example showing the possible effects of poor system administration.

 

Intrusion Detection Systems: Part II - Installing Tripwire
Trevor Warren
http://www.freeos.com/articles/3405

A brief overview of running Tripwire on RedHat.

 


Mailing Lists

FOCUS-Sun Discussions Threads

01/31/01 Rendering BIND 8.2.3 ultra secure
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2001-02-03&tid=159707&threads=1&list=92&start=2001-01-28&

01/29/01 Five questionable processes on fw
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2001-02-03&tid=159443&threads=1&list=92&start=2001-01-28&

01/29/01 Sun or Checkpoint
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2001-02-03&tid=159437&threads=1&list=92&start=2001-01-28&

01/26/01 Sun Cluster Remote Management Server??
http://www.securityfocus.com/templates/archive.pike?start=2001-01-21&threads=1&list=92&fromthread=0&tid=158790&end=2001-01-27&

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

Discussions this week:

New after.html
http://www.theorygroup.com/Archive/YASSP/2001/msg00023.html

How to make YASSP and patch updates co-exist...
http://www.theorygroup.com/Archive/YASSP/2001/msg00019.html

PARCDaily suggested change
http://www.theorygroup.com/Archive/YASSP/2001/msg00018.html

Default syslog.conf config
http://www.theorygroup.com/Archive/YASSP/2001/msg00010.html

See also http://www.yassp.org


Security Tools

All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include mod_ssl, Stunnel, BIND and Apache.
Auditing and Intrusion Monitoring tools include Nessus, Snort, Saint, Titan, Chkrootkit and 7 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, IPtables, RChains and 3 other tools.
Tools for Linux/Unix/Cross Platform include OpenCA, Libnet and 7 other tools.
Tools for Windows include Tiny Personal Firewall, Forix iScan and 4 other tools.


Tip of the Week: BIND Vulnerabilities

BIND, the well-known DNS server, has turned up a few serious vulnerabilities (discovered by NAI) which have caused widespread concern. We present here the original bulletins and our analysis, and point to relevant articles.

Bulletins / articles on the BIND Weakness

Vulnerabilities in BIND 4 and 8
http://archives.neohapsis.com/archives/bugtraq/2001-01/0472.html
The original report from NAI's COVERT labs.

 

CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.html

The CERT/CC has recently learned of four vulnerabilities spanning multiple versions of the Internet Software Consortium's (ISC) Berkeley Internet Name Domain (BIND) server. BIND is an implementation of the Domain Name System (DNS) that is maintained by the ISC. Because the majority of name servers in operation today run BIND, these vulnerabilities present a serious threat to the Internet infrastructure.

Affected are Domain Name System (DNS) servers running various versions of ISC BIND (including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is not affected) and derivatives. Because the normal operation of most services on the Internet depends on the proper operation of DNS servers, other services could be impacted if these vulnerabilities are exploited. The four vulnerabilities are:

The Internet Software Consortium has posted information about all four vulnerabilities at http://www.isc.org/products/BIND/bind-security.html. Upgrading to BIND version 9.1 is strongly recommended. If that is not possible for your site, upgrading at least to BIND version 8.2.3 is imperative.
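To turn the version ranges in the advisory into a quick check of your own name servers, here is an added example (not from CERT, ISC or the digest). It classifies a BIND version string against the ranges quoted above (4.9.x before 4.9.8 and 8.2.x before 8.2.3 affected; 9.x not affected). One assumption of ours: 8.x releases older than 8.2 are not mentioned in the advisory text, so the script conservatively reports them as needing the upgrade too. The query helper uses dig's CHAOS-class version.bind lookup, which only works if the server is configured to answer it.

```shell
#!/bin/sh
# Added example: classify a BIND version against the CA-2001-02 ranges.
# Assumption (ours, not the advisory's): any 8.x below 8.2.3 is reported
# as vulnerable, including 8.0/8.1, which the advisory text does not name.

# bind_version_status VERSION: prints one of
#   vulnerable - inside an affected range, upgrade required
#   fixed      - 4.9.8 or later 4.9.x, 8.2.3 or later 8.x, or any 9.x
#   unknown    - not parseable as a BIND 4/8/9 version string
# and returns 0 only for "fixed".
bind_version_status() {
    v=$1
    # Keep only the leading dotted numeric part ("8.2.3-REL" -> "8.2.3").
    v=$(printf '%s\n' "$v" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=""
    minor=${rest%%.*}
    rest2=${rest#*.}
    [ "$rest2" = "$rest" ] && rest2=""
    patch=${rest2%%.*}
    minor=${minor:-0}
    patch=${patch:-0}

    case "$major" in
        9)
            echo fixed; return 0 ;;
        8)
            if [ "$minor" -gt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -ge 3 ]; }; then
                echo fixed; return 0
            fi
            echo vulnerable; return 1 ;;
        4)
            if [ "$minor" -gt 9 ] || { [ "$minor" -eq 9 ] && [ "$patch" -ge 8 ]; }; then
                echo fixed; return 0
            fi
            echo vulnerable; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# bind_version_of SERVER: ask a name server you administer for its version
# through the CHAOS-class version.bind TXT record. Needs dig installed;
# servers configured to hide their version print nothing.
bind_version_of() {
    dig "@$1" version.bind txt chaos +short 2>/dev/null | tr -d '"'
}

# check_server SERVER: combine the two, e.g. check_server 127.0.0.1
check_server() {
    ver=$(bind_version_of "$1")
    echo "$1: ${ver:-<no version answer>} -> $(bind_version_status "$ver")"
}
```

Run check_server against each of your own name servers from the inside; a hidden or refused version answer means falling back to named -v on the host itself.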

 

Bugtraq  database

2001-01-29: ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2302

2001-01-29: ISC Bind 8 Transaction Signatures Heap Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2304

2001-01-29: ISC Bind 4 nslookupComplain() Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2307

2001-01-29: ISC Bind 4 nslookupComplain() Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=2309

 

BIND holes mean big trouble
Kevin Poulsen
http://www.securityfocus.com/news/144

 

ISC wants to limit access to BIND security advisories to a closed group of third parties, to reduce the window of exposure between an announcement being released, attackers automating attacks, vendors releasing patches and sysadmins installing the patches. http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fmid%3D159741%26threads%3D0%26end%3D2001-02-03%26fromthread%3D0%26list%3D1%26start%3D2001-01-28%26

ANALYSIS

 


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved. Last Update: 02 February, 2001