By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.htmlChanges: This advisory has been originally released the January 29, 2001 and has been reviewed the February 2, 2001. This new version of the advisory adds an appendix B, which answers frequently asked questions.
Note: The tip of the week of the Solaris Digest 2000/01/29 to 2001/02/05 analyses these vulnerabilities in BIND.
http://securityportal.com/topnews/weekly/solaris20010205.html
Last week we reported on several SSH vulnerabilities:
2001-02- 05: SSH1 SSH Daemon Logging Failure Vulnerability
2001-02-07: SSH protocol 1.5 session key recovery vulnerability
2001-02-08: SSH1 CRC-32 compensation attack detector vulnerabilityUpgrading to the latest version to roll in all these fixes is recommended.
- OSSH: upgrade to 1.5.8
- SSH1, which many of you probably use was updated in January and is still vulnerable at least one of the above attacks. The latest SSH1 release (1.2.31) has a very restrictive license and the SSH protocol v2 protocol is more secure than v1, so now is the time to either move to OpenSSH or the commercial offering from SSH communications.
- OpenSSH: use 2.3.1 (which should be released by the time you read this?)
- Commercial SSH: use 2.4 or later.
None
2001-02-12: Micro Focus Cobol Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=23592001-02-12: SilverPlatter WebSPIRS File Disclosure Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=23622001-02-06: AOLserver Directory Traversal Vulnerability
http://www.securityfocus.com/bid/23432001-02-06: Infobot fortran math Arbitrary Command Execution Vulnerability
http://www.securityfocus.com/bid/2349
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Feb/06/01
Solaris 7 Feb/13/01*
Solaris 2.6 Feb/12/01*
Solaris 2.5.1 Jan/26/01
New or updated security/recommended patches this week available from ftp://sunsolve.sun.com/pub/patches:
106439-07 SunOS 5.6: /usr/sbin/syslogd patch
106429-02 SunOS 5.6: /kernel/drv/mm patch
105847-08 SunOS 5.6: /kernel/drv/st.conf and /kernel/drv/st patch
105181-25 SunOS 5.6: Kernel update patch
105210-33 SunOS 5.6: libaio, libc & watchmalloc patch
105568-22 SunOS 5.6: /usr/lib/libthread.so.1 patch110397-01 SunOS 5.8_x86: libnvpair patch 60a61
108529-05 SunOS 5.8_x86: kernel update patchSolaris 7:
108376-21 OpenWindows 3.6.1: Xsun Patch
Tatu Ylonen requests OpenSSH to change its name
http://linuxtoday.com/news_story.php3?ltsn=2001-02-14-003-04-NW-SW-BDLawyers have been called in, it's starting to look ugly:
http://www.newsforge.com/article.pl?sid=01/02/15/2031256&mode=nocomment
Crypto-Gram February 15th, 2001
Counterpane
http://www.linuxsecurity.com/articles/cryptography_article-2515.htmlAlways a good read, I found the section 'A Semantic Attack on URLs' very interesting.
who's responsible for improving security?
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/blame
Intrusion Detection Systems, Part IV: Logcheck
Trevor Warren
http://www.freeos.com/articles/3540The last in this four part series on IDS, looks at Logcheck: a software package that is designed to automatically run and check system log files for security violations and unusual activity.
Note: I like and use logcheck myself. I've improved it to allow comments and whitespace in the regular expression files, see www.boran.com/security/sp/solaris/logcheck11_sean.zip I recommend centralization syslogs on one hardened host and running logcheck there. In fact logcheck can be used to monitor the changes in any text logs.
Luring Killer Bees With Honey
Jeff Forristal
http://www.nwc.com/1116/1116ws3.htmlThis article describes honeypots, the legal aspects, and how to integrate it into your network. According to the general definition, a honey pot's goal is to emulate production servers while alerting and logging intruder activity.
Incident Response Part 1: Preparation
Gregory S. Miles
http://www.securityhorizon.com/whitepapers/incident1.htmlPreparation is a critical step in any professional environment. Law Enforcement Officers train to use weapons, apprehend suspects, and conduct investigations. Athletes train for months in preparation for their sport seasons. The military trains in preparation for conflict or war. But what about an organizations computer and network systems?
Incident Response Part 2: Identification
Gregory S. Miles
http://www.securityhorizon.com/whitepapers/incident2.htmlIdentification of a computer security incident is one of the most critical and difficult elements of the CIRT activity. This is due to the fact that without the proper detection tools, logging, and security awareness, most incidents will go unnoticed for a long period of time.
Monitoring Unix Logins
Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2001/02/14/FreeBSD_Basics.htmlAn explanation of utmp, wtmp and lastlog.
Rendering BIND 8.2.3 ultra secure
PGCI, Inc.
http://www.pgci.ca/p_bind.htmlThis paper deals with how to install bind 8.2.3 as an under-privileged user in a chroot jail with static named and named-xfer binaries. This particular example is for Solaris sparc 2.6.
Note that I've also written a paper on hardening and chroot'ing bind:
http://securityportal.com/cover/coverstory20001002.html
Secure Remote Log Servers Using SCP
Kristy Westphal
http://securityfocus.com/frames/?focus=sun&content=/focus/sun/articles/securelog.htmlA few months ago, a problem was presented. It became a necessity to implement a centralized system log server that would securely store logs. The design needed to provide a level of security that would prevent tampering or mischief, while preserving integrity. . It was necessary to find a solution that fit into my company's tight budget that would also be a) secure, b) affordable and c) easy to run, especially on a Solaris system. While these constraints made it difficult to discover a viable solution, I was nevertheless able to do so. This article will discuss a solution that meets these criteria and will work well in other environments as well. It should be noted that since I implemented the solution I have in place now, I have discovered some other options.
Comment: Pretty basic stuff. I don't know why a user other than root could not have been used for the trusts.
The SF URLs for linking directly to threads is long/complicated so we just provide a URL to a message in each thread.
02/14/01 Login timeouts/retries
http://www.securityfocus.com/archive/92/163124
http://www.securityfocus.com/archive/92/16309302/14/01 CDE Security
http://www.securityfocus.com/archive/92/16299002/13/01 X11 / Port 6000
http://www.securityfocus.com/archive/92/16136602/12/01 sources of randomness
http://www.securityfocus.com/archive/92/16239302/12/01 HELP! BSM: How to get a socket-token or two socket-inet-token for accept/connect system calls
http://www.securityfocus.com/archive/92/16210202/10/01 ufsrestore(1M) For UID 0 Only?
http://www.securityfocus.com/archive/92/16178002/09/01 Configuring BSM Question
http://www.securityfocus.com/archive/92/16146802/09/01 sshd2
http://www.securityfocus.com/archive/92/16025802/09/01 LDAP Authentication on Solaris / AIX
http://www.securityfocus.com/archive/92/161687
Yassp beta 15 is still current.
Discussions this week:
random for Openssh?
http://www.theorygroup.com/Archive/YASSP/2001/msg00039.htmlPorting of Tripwire Open Source 2.3.0-50
http://www.theorygroup.com/Archive/YASSP/2001/msg00038.htmlUncommenting inetd.conf Lines After Installing YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00037.htmlResolved: Pseudo TTY limit on Solaris 8
http://www.theorygroup.com/Archive/YASSP/2001/msg00031.htmlPseudo TTY limit on Solaris 8
http://www.theorygroup.com/Archive/YASSP/2001/msg00030.htmlSee also http://www.yassp.org
All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html:
Updates to General free tools this week include Nifty Telnet SSH, BIND, TrustedBSD and Linux kernel.
Auditing and Intrusion Monitoring tools include Snort and Snort tools, SAINT, SARA, SAStk, BigBrother and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include FwLogWatch, Ferm, IPtables, GshieldConf and 5 other tools.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Zebedee, Openwall Linux kernel patch, Lomac, StegFS, SILC and 3 other tools.
Tools for Windows include Tiny Personal Firewall and Crack Whore.
This week a few practical tips:
All weekly digests are archive at:
securityportal.com/research/research.digestarchives.html
Sign up to get this digest and many others by email.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2001, SecurityPortal Inc. & Seán .Boran, All Rights Reserved, Last Update: 16 February, 2001 |