Weekly Solaris Security Digest
2000/02/05 to 2001/02/12

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

None

Bugtraq vulnerabilities this week - Solaris:

2001-02-05: SSH1 SSH Daemon Logging Failure Vulnerability
http://www.securityfocus.com/bid/2345

A problem with the implementation of the SSH1 daemon could allow an attacker's repeated brute-force login attempts to go unrecorded. The logging routine in the SSH1 code does not capture failed attempts beyond the fourth attempt. In a brute-force attack scenario, there are numerous successive attempts at logging in as a specific user. This danger is escalated by the SSH1 package allowing remote root logins by default. It is possible for a remote user with malicious intent to launch a brute-force attack against a system and remain unnoticed by the system logging utilities beyond the fourth attempted login. By use of this method, it is possible for the remote user to gain access to any account, and potentially the root account.

Confidence: this vulnerability was announced to Bugtraq (http://www.securityfocus.com/archive/1/160648) by Jose Nazario in a Crimelabs Security Note on February 5, 2001. SSH.com released a patch. There are currently no Bugtraq discussions regarding this topic.
Severity: a remote user could gain access to any account, and potentially the root account.
Fix: a patch supplied by Jose Nazario is available. SSH upgrade: ftp://ftp.ssh.com/pub/ssh/ssh-1.2.31.tar.gz
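As an added defender-side illustration (not part of the digest or the advisory), a small Python log review that treats the fourth logged failure for a (user, host) pair as the alarm condition, because an unpatched SSH1 daemon records nothing beyond it; the syslog line format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Number of failed attempts per user that the unpatched SSH1 daemon logs
# before it stops recording further failures (taken from the advisory text).
SSH1_LOG_CAP = 4

# Constructed sample log; the exact sshd message format is an assumption.
SAMPLE_LOG = """\
Feb  5 10:01:02 host sshd[123]: Failed password for root from 10.0.0.5
Feb  5 10:01:04 host sshd[123]: Failed password for root from 10.0.0.5
Feb  5 10:01:06 host sshd[123]: Failed password for root from 10.0.0.5
Feb  5 10:01:08 host sshd[123]: Failed password for root from 10.0.0.5
Feb  5 10:03:10 host sshd[124]: Failed password for alice from 10.0.0.7
Feb  5 10:05:00 host sshd[125]: Accepted password for root from 10.0.0.5
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+)")


def analyse(log_text, cap=SSH1_LOG_CAP):
    """Return {(user, host): status} for pairs that reached the logging cap.

    Reaching the cap is the strongest signal the log can give: any further
    failures are invisible, so the visible count is a lower bound. A later
    accepted login for the same pair is flagged separately, since it may be
    the end of a brute-force run that the log never showed.
    """
    failures = defaultdict(int)
    accepted = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.groups()] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepted.add(m.groups())

    findings = {}
    for key, count in failures.items():
        if count >= cap:
            findings[key] = ("cap-reached-then-accepted" if key in accepted
                             else "cap-reached")
    return findings
```

Pairs below the cap (alice above) are still fully visible in the log and are left to normal threshold rules.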

 

2001-02-07: SSH protocol 1.5 session key recovery vulnerability
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm

This advisory describes a vulnerability in the SSH 1.5 protocol that allows an attacker to exploit some design or implementation problem on either client or server to obtain the session key and then proceed to decrypt the stored session using any implementation of the crypto algorithm used. All versions of SSH supporting the protocol 1.5 key exchange are vulnerable. This vulnerability applies to SSH servers only.

Confidence: this advisory has been posted by Core SDI. Currently we are not aware of any CERT bulletin/advisory.
Severity: the session key could be obtained to decrypt the stored session.
Fix: for information about the workaround, please consult the advisory at http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm.


2001-02-08: SSH1 CRC-32 compensation attack detector vulnerability
http://www.linuxsecurity.com/advisories/other_advisory-1149.html

In 1998 Ariel Futoransky and Emiliano Kargieman discovered a design flaw in the SSH1 protocol (protocol 1.5) that could allow an attacker to inject malicious packets into an SSH encrypted stream, leading to execution of arbitrary commands on either client or server. The problem was not fixable without breaking the protocol 1.5 semantics, and thus a patch was devised that would detect an attack exploiting the vulnerability found. The attack detection is done in the file deattack.c from the SSH1 source distribution. A vulnerability was found in the attack detection code that could lead to the execution of arbitrary code in SSH servers and clients that incorporated the patch. This problem affects both SSH servers and clients. All versions of SSH supporting protocol 1 (1.5) that use the CRC compensation attack detector are vulnerable. For information about the workaround, please consult http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm.

This advisory has been posted by Core SDI. Currently we are not aware of any CERT bulletin/advisory. There are currently no Bugtraq discussions regarding this topic.

Bugtraq vulnerabilities this week - 3rd party applications:

2001-02-02: QNX RTP ftpd stat Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2342


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8       Feb/06/01*
Solaris 7       Jan/30/01
Solaris 2.6     Feb/08/01*
Solaris 2.5.1   Jan/26/01

See also ftp://sunsolve.sun.com/pub/patches.

New patches for Solaris 8:
- 109888-02     SunOS 5.8: platform drivers patch
- 109888-05     SunOS 5.8: platform drivers patch

New patches for Solaris 2.6:
- 105568-21     SunOS 5.6: /usr/lib/libthread.so.1 patch
- 105568-22     SunOS 5.6: /usr/lib/libthread.so.1 patch


News & Articles

SolarisGuide

DNS proves to be weak link in Internet chain
Dennis Fisher
http://dailynews.yahoo.com/h/zd/20010205/tc/dns_proves_to_be_weak_link_in_internet_chain_1.html

A series of high-profile events over the last few weeks has highlighted the fact that the DNS that is so critical to the Internet's operation is also one of its weakest links. Though many of the specific problems have only recently come to light, security experts and CIOs said they have known for years that the Domain Name System is full of holes and have been holding their breaths, hoping to avoid a major incident.

 

SunWorld/UnixInsider

Stopping the Ramen worm - Linux and Unix administrators need to be more vigilant in their security measures
Dev Zaborav
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0202-unixsecurity-dv.html

The recent outbreak of the worm known as Ramen poses a familiar question: How can we keep worms and viruses from intruding on and infecting our systems? The first thing to do, recommends Unix Security writer Dev Zaborav, is take some basic hardening and security measures, and stop putting Linux servers on the Internet in a default installation.

 

Which language is right for you? Try each one and find a good fit
Cameron Laird and Kathryn Soraiz
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0202-regex.html

How do you choose between all of the available scripting languages? Cameron Laird and Kathryn Soraiz recommend trying them out individually. Each language has its own benefits and its own limits, and only you can determine which best suits your work.

 

BSD Today

BIND news and DNS alternatives
Jeremy C. Reed
http://www.bsdtoday.com/2001/February/Features402.html

 

Establishing Good Password Policies
Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2001/01/17/FreeBSD_Basics.html?delta=1

"One of the responsibilities of the system administrator is to create a password policy that is appropriate for the users of the network." This article covers several ideas for creating a password policy and configuring login.conf classes to implement policies.

 

LinuxSecurity

BIND-MEMBER Forum FAQ
Paul Vixie / ISC
http://www.linuxsecurity.com/feature_stories/bind-members.html

In this FAQ, Paul answers some of the more frequently asked questions surrounding the bind-members forum mailing list. There has been quite a bit of controversy surrounding this action by the ISC. In this FAQ, Paul talks about why it was formed, what the intentions of the ISC are, and how he feels it will actually improve the level of security of BIND.

 

Case Study: Building a small-business VPN
Karen J. Bannan, PC Magazine
http://www.zdnet.com/smallbusiness/stories/general/0,5821,2671137,00.html

It was a common enough problem for a small business: the need for a company to connect to its headquarters.

 

A year later, DDoS attacks still a major Web threat
Robert Lemos
http://news.cnet.com/news/0-1003-201-4735597-0.html?tag=mn_hd

The DDoS attack that knocked out Yahoo used a host of hacked servers--dubbed "slaves" or "zombies"--to inundate a Web site or Internet-connected server with data, effectively stopping the server's ability to respond to Web page requests. This kind of attack still seems to be a major threat.

 

Pathologically Polluting Perl
Brian Ingerson
http://www.perl.com/pub/2001/02/inline.html

No programming language is Perfect. Perl comes very close. P! e! r! l? :-( Not quite ``Perfect''. Sometimes it just makes sense to use another language for part of your work. You might have a stable, pre-existing code base to take advantage of. Perhaps maximum performance is the issue. Maybe you just ``know how to do it'' that way. Or very likely, it's a project requirement forced upon you by management. Whatever the reason, wouldn't it be great to use Perl most of the time, but be able to invoke something else when you had to?

 

Security Issues in Perl Scripts
Jordan Dimov & John Viega
http://opensourceit.earthweb.com/dlink.index-jhtml.72.1077.-.0.jhtml

Perl is one of the most widely used languages for writing interactive applications on the Web, and Perl programs are widely used for various system administration tasks. Applications that serve these tasks must provide reliable access to security sensitive functions and information, and at the same time ensure that no one is granted access to data or functionality that was not intended for them. In this two-part article, Jordan Dimov and John Viega evaluate some of the common security weaknesses and vulnerabilities of Perl applications and give an overview of the features that the Perl language provides to aid the programmer in hardening the security of their applications.

 

Security Issues in Perl Scripts: Perl Taint Mode
Jordan Dimov & John Viega
http://opensourceit.earthweb.com/dlink.index-jhtml.72.1077.-.0.jhtml

In this second of two parts, Jordan Dimov and John Viega discuss a method for preventing you from making the security mistakes discussed in their first article.

 

Network Security at the Dawn of the New Millenium
Brett Glass
http://www.boardwatch.com/bw/jan01/Network_Sec_Dawn.htm

This article will discuss the good and bad points of today's Internet security systems, and suggest where we can and should go from here. Currently, the most commonly used Internet protocols - HTTP, Telnet, FTP, SMTP and POP3 - either lack measures...

 

O'Reilly

Buffer-Overflow Problems in BIND
Noel Davis
http://www.oreillynet.com/pub/a/linux/2001/02/06/insecurities.html

An overview of recent Unix and open-source security advisories. In this column, we look at buffer-overflow problems in BIND, gnuserv, and tinyProxy; format string attacks against ntop and LPRng; and denial-of-service attacks against inetd, CUPS, and InterNetNews (INN2).

Remark: nothing really new since the last Solaris Digest.

 

SecurityFocus

Chasing the Wind, Episode Four: Through a Glass, Darkly
Robert G. Ferrell
http://www.securityfocus.com/focus/ih/articles/chasing4.html

SecurityFocus.com presents the fourth installation in the highly popular "Chasing the Wind" series, entitled "Through a Glass, Darkly". In this episode, while Jake, the exhausted system administrator, is sleeping obliviously at home, our ambitious script-kiddy and aspiring hacker, Ian, successfully defaces the Acme Ailerons site, hoping to impress his heartthrob, if not the vaunted Br04dB4ndits. Meanwhile, Bob travels to the high-security Command, Control, Communications, Computers, and Intelligence (C4I) center for a very high-level, very secretive meeting...

 

Securing OSPF
Jason Chan
http://www.liquifried.com/securingospf.html

This paper presents a short how-to for securing a heterogeneous OSPF routing environment.


Mailing Lists

FOCUS-Sun Discussions Threads

02/09/01 X11 / Port 6000
http://www.securityfocus.com/archive/92/161366

02/09/01 SunScreen Lite
http://www.securityfocus.com/archive/92/161472

02/08/01 Configuring BSM Question
http://www.securityfocus.com/archive/92/161468

02/02/01 sshd2
http://www.securityfocus.com/archive/92/160258

Note: as the links to the threads themselves are too long to be published, the above links point directly to the first message of each discussion.

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

Discussions this week:

Pseudo TTY limit on Solaris 8
http://www.theorygroup.com/Archive/YASSP/2001/msg00030.html

Missing package for man in the core os distrib
http://www.theorygroup.com/Archive/YASSP/2001/msg00028.html

See also http://www.yassp.org


Security Tools

All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include MindTerm, PGP, PGPenvelope, Stunnel, Ssldump, Tripwire, BIND, Tcpdump and Linux Kernel.
Auditing and Intrusion Monitoring tools include Snort, RazorBack which seems interesting, NetSaint, LIDS, ICU, SAStk and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include Firewalk, Ferm, GShield, GShieldconf, IPtables, FirewallLogDaemon and 5 other tools.
Tools for Linux/Unix/Cross Platform include Libnet, Zebedee, Anomy Sanitizer, APG, SecureFTP, Sectar, Linux VPN masquerade and 10 other tools.
Tools for Windows include Backlog, WinNTConfig and IDA Pro freeware version.


Tip of the Week: "Underground: Hacking, madness and obsession on the electronic frontier"

"Underground: Hacking, madness and obsession on the electronic frontier"
By Suelette Dreyfus with Research by Julian Assange
ISBN 1 86330 595 5
http://www.underground-book.com

This book was published in 1997 in paper form. It's now been released free for download as a text file. It is a fascinating read, an excellent documentation of the hacker scene of the late 80s/early 90s. Well worth reading - in fact, save your eyes some strain and buy the paper copy. :)

Points that stand out for me are the sheer determination and genius of some hackers, and the futility of Security by Obscurity for sensitive systems - VMS systems and X.25 financial networks have been penetrated without the hackers having access to decent determination.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 09 February 2001