Weekly Solaris Security Digest
2001/02/12 to 2001/02/19

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Advisories

CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.html

Changes: This advisory was originally released on January 29, 2001 and revised on February 2, 2001. The new version adds an appendix B, which answers frequently asked questions.
Note: The tip of the week in the Solaris Digest 2001/01/29 to 2001/02/05 analyses these BIND vulnerabilities.
http://securityportal.com/topnews/weekly/solaris20010205.html


Last week we reported on several SSH vulnerabilities:
2001-02-05: SSH1 SSH Daemon Logging Failure Vulnerability
2001-02-07: SSH protocol 1.5 session key recovery vulnerability
2001-02-08: SSH1 CRC-32 compensation attack detector vulnerability

Upgrading to the latest version to roll in all these fixes is recommended.

Bugtraq vulnerabilities this week - Solaris:

None

Bugtraq vulnerabilities this week - 3rd party applications:

2001-02-12: Micro Focus Cobol Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2359

2001-02-12: SilverPlatter WebSPIRS File Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2362

2001-02-06: AOLserver Directory Traversal Vulnerability
http://www.securityfocus.com/bid/2343

2001-02-06: Infobot fortran math Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2349


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8       Feb/06/01
Solaris 7       Feb/13/01*
Solaris 2.6     Feb/12/01*
Solaris 2.5.1   Jan/26/01

New or updated security/recommended patches this week, available from ftp://sunsolve.sun.com/pub/patches:

106439-07 SunOS 5.6: /usr/sbin/syslogd patch
106429-02 SunOS 5.6: /kernel/drv/mm patch
105847-08 SunOS 5.6: /kernel/drv/st.conf and /kernel/drv/st patch
105181-25 SunOS 5.6: Kernel update patch
105210-33 SunOS 5.6: libaio, libc & watchmalloc patch
105568-22 SunOS 5.6: /usr/lib/libthread.so.1 patch

110397-01 SunOS 5.8_x86: libnvpair patch 60a61
108529-05 SunOS 5.8_x86: kernel update patch

Solaris 7:
108376-21 OpenWindows 3.6.1: Xsun Patch


News & Articles

LinuxToday

Tatu Ylonen requests OpenSSH to change its name
http://linuxtoday.com/news_story.php3?ltsn=2001-02-14-003-04-NW-SW-BD

Lawyers have been called in, it's starting to look ugly:
http://www.newsforge.com/article.pl?sid=01/02/15/2031256&mode=nocomment


Linux Security

Crypto-Gram February 15th, 2001
Counterpane
http://www.linuxsecurity.com/articles/cryptography_article-2515.html

Always a good read, I found the section 'A Semantic Attack on URLs' very interesting.


Who's Responsible for Improving Security?
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/blame


Intrusion Detection Systems, Part IV: Logcheck
Trevor Warren
http://www.freeos.com/articles/3540

The last in this four-part series on IDS looks at Logcheck: a software package designed to run automatically and check system log files for security violations and unusual activity.

Note: I like and use logcheck myself. I've improved it to allow comments and whitespace in the regular expression files, see www.boran.com/security/sp/solaris/logcheck11_sean.zip. I recommend centralizing syslogs on one hardened host and running logcheck there. In fact, logcheck can be used to monitor the changes in any text logs.


Luring Killer Bees With Honey
Jeff Forristal
http://www.nwc.com/1116/1116ws3.html

This article describes honeypots, their legal aspects, and how to integrate them into your network. According to the general definition, a honeypot's goal is to emulate production servers while alerting on and logging intruder activity.


Security Horizon

Incident Response Part 1: Preparation
Gregory S. Miles
http://www.securityhorizon.com/whitepapers/incident1.html

Preparation is a critical step in any professional environment. Law Enforcement Officers train to use weapons, apprehend suspects, and conduct investigations. Athletes train for months in preparation for their sport seasons. The military trains in preparation for conflict or war. But what about an organization’s computer and network systems?


Incident Response Part 2: Identification
Gregory S. Miles
http://www.securityhorizon.com/whitepapers/incident2.html

Identification of a computer security incident is one of the most critical and difficult elements of the CIRT activity. This is due to the fact that without the proper detection tools, logging, and security awareness, most incidents will go unnoticed for a long period of time.


O'Reilly Net

Monitoring Unix Logins
Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2001/02/14/FreeBSD_Basics.html

An explanation of utmp, wtmp and lastlog.


SecurityFocus

Rendering BIND 8.2.3 ultra secure
PGCI, Inc.
http://www.pgci.ca/p_bind.html

This paper deals with how to install BIND 8.2.3 as an under-privileged user in a chroot jail with statically linked named and named-xfer binaries. This particular example is for Solaris 2.6 on SPARC.
Note that I've also written a paper on hardening and chroot'ing bind:
http://securityportal.com/cover/coverstory20001002.html


Secure Remote Log Servers Using SCP
Kristy Westphal
http://securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/securelog.html

A few months ago, a problem was presented. It became a necessity to implement a centralized system log server that would securely store logs. The design needed to provide a level of security that would prevent tampering or mischief, while preserving integrity. It was necessary to find a solution that fit into my company's tight budget that would also be a) secure, b) affordable and c) easy to run, especially on a Solaris system. While these constraints made it difficult to discover a viable solution, I was nevertheless able to do so. This article will discuss a solution that meets these criteria and will work well in other environments as well. It should be noted that since I implemented the solution I have in place now, I have discovered some other options.

Comment: Pretty basic stuff. I don't know why a user other than root could not have been used for the trusts.


Mailing Lists

FOCUS-Sun Discussions Threads

The SecurityFocus URLs for linking directly to threads are long and complicated, so we just provide a URL to one message in each thread.

02/14/01 Login timeouts/retries
http://www.securityfocus.com/archive/92/163124
http://www.securityfocus.com/archive/92/163093

02/14/01 CDE Security
http://www.securityfocus.com/archive/92/162990

02/13/01 X11 / Port 6000
http://www.securityfocus.com/archive/92/161366

02/12/01 sources of randomness
http://www.securityfocus.com/archive/92/162393

02/12/01 HELP! BSM: How to get a socket-token or two socket-inet-token for accept/connect system calls
http://www.securityfocus.com/archive/92/162102

02/10/01 ufsrestore(1M) For UID 0 Only?
http://www.securityfocus.com/archive/92/161780

02/09/01 Configuring BSM Question
http://www.securityfocus.com/archive/92/161468

02/09/01 sshd2
http://www.securityfocus.com/archive/92/160258

02/09/01 LDAP Authentication on Solaris / AIX
http://www.securityfocus.com/archive/92/161687


YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

Discussions this week:

random for Openssh?
http://www.theorygroup.com/Archive/YASSP/2001/msg00039.html

Porting of Tripwire Open Source 2.3.0-50
http://www.theorygroup.com/Archive/YASSP/2001/msg00038.html

Uncommenting inetd.conf Lines After Installing YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00037.html

Resolved: Pseudo TTY limit on Solaris 8
http://www.theorygroup.com/Archive/YASSP/2001/msg00031.html

Pseudo TTY limit on Solaris 8
http://www.theorygroup.com/Archive/YASSP/2001/msg00030.html

See also http://www.yassp.org


Security Tools

All security tool news is now summarized in the 'Weekly Security Tools Digest':
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include Nifty Telnet SSH, BIND, TrustedBSD and Linux kernel.

Auditing and Intrusion Monitoring tools include Snort and Snort tools, SAINT, SARA, SAStk, BigBrother and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include FwLogWatch, Ferm, IPtables, GshieldConf and 5 other tools.

Tools for Linux/Unix/Cross Platform include Bastille Linux, Zebedee, Openwall Linux kernel patch, Lomac, StegFS, SILC and 3 other tools.

Tools for Windows include Tiny Personal Firewall and Crack Whore.


Tip of the Week:

This week a few practical tips:


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 16 February, 2001