By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
Sun Bulletin #00201: Java Runtime Environment unauthorized command execution
http://sunsolve.sun.com/security
(The bulletin is not yet available on the URL above, but should be soon)Overview:
A vulnerability in certain versions of the Java(TM) Runtime Environment may allow malicious Java code to execute unauthorized commands. However, permission to execute at least one command must have been granted in order for this vulnerability to be exploited. Since no permission is granted by default, the circumstances necessary to exploit this vulnerability are relatively rare.
System affected
Solaris Production releases SDK and JRE 1.2.1, and JDK and JRE 1.1.7B and 1.1.6 should no longer be used. In addition, releases prior to JDK and JRE 1.1.6 for Windows or Solaris should no longer be used. Users of these releases should upgrade to a later release
To the best of Sun's knowledge, Netscape Navigator(TM) and Microsoft Internet Explorer are not exposed to this vulnerability.
Fixes
This vulnerability was fixed in Java 2 Platform, Standard Edition, v 1.3.
Windows Production and Solaris Reference Releases
SDK and JRE 1.2.2_007 http://java.sun.com/products/jdk/1.2/
SDK and JRE 1.2.1_004 http://java.sun.com/products/jdk/1.2.1/
JDK and JRE 1.1.8_006 http://java.sun.com/products/jdk/1.1/
JDK and JRE 1.1.7B_007 http://java.sun.com/products/jdk/1.1.7B/
JDK and JRE 1.1.6_009 http://java.sun.com/products/jdk/1.1.6/Solaris Production Releases
SDK and JRE 1.2.2_07 http://www.sun.com/software/solaris/java/download.html
JDK and JRE 1.1.8_12 http://www.sun.com/software/solaris/java/archive.htmlLinux Production Release
SDK and JRE 1.2.2_007 http://java.sun.com/products/jdk/1.2/download-linux.html
Solaris 8 pam_ldap.so.1 module broken
http://archives.neohapsis.com/archives/bugtraq/2001-02/0344.html
David Caleb reminds us that the pam_ldap module is seriously broken, a NULL password can be used for authentication. It is still pending as Sunsolve BugID 4384816. Using the pam_ldap module compiled from source code available at http://www.padl.com appears to work correctly
2001-02-18: Mailnews.cgi Username Remote Shell Commands Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=23912001-02-16: Thinking Arts ES.One Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=23852001-02-15: Bajie Webserver Remote Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=23882001-02-15: Bajie Arbitrary Shell Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=23892001-02-13: Analog ALIAS Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2377
In this section we aim to inform you of new patches published by Sun. Patches are published [on ftp://sunsolve.sun.com/pub/patches] in two ways:
We analyse both reports since changes in one are not always reflected in the other.
1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:
Solaris 8 Feb/21/01
108974-09 SunOS 5.8: dada, uata, dad, sd and scsi patch
108975-04 SunOS 5.8: /usr/bin/rmformat and /usr/sbin/format patch
110905-01 SunOS 5.8: /usr/bin/find patch
110951-01 SunOS 5.8: /usr/sbin/tar and /usr/sbin/static/tar patch
108993-02 SunOS 5.8: nss and ldap patch
108528-06 SunOS 5.8: kernel update patch
109279-08 SunOS 5.8: /kernel/drv/ip patch
109740-03 SunOS 5.8: /kernel/drv/udp patch
109322-02 SunOS 5.8: libnsl patch
109898-02 SunOS 5.8: /kernel/drv/arp patchSolaris 8_x86 Feb/16/01
110906-01 SunOS 5.8_x86: /usr/bin/find patch
110952-01 SunOS 5.8_x86: /usr/sbin/tar and /usr/sbin/static/tar patch
110959-01 SunOS 5.8_x86: /kernel/drv/xsvc and /kernel/drv/xsvc.confSolaris 7 Jan/30/01: no changes
Solaris 2.6 Feb/20/01: The date has changed but no patches seem to have changed.
Solaris 2.5.1 Jan/26/01: no changes
2. New or updated individual security/recommended patches. Note that the arp problem reported a few weeks back has been fixed.
105181-25 SunOS 5.6: Kernel update patch
106629-23 SunOS 5.6: CS6400 kernel update patch
105529-10 SunOS 5.6: /kernel/drv/tcp patch
105633-50 OpenWindows 3.6: Xsun patch
105703-24 CDE 1.2: dtlogin patch
105800-07 SunOS 5.6: /usr/bin/admintool, y2000 patch
105802-14 OpenWindows 3.6: ToolTalk patch
106834-02 SunOS 5.6: cp/ln/mv patch
109719-01 SunOS 5.6: arp should lose set-gid bid106541-14 SunOS 5.7: Kernel update patch
106942-14 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
107180-25 * CDE 1.3: dtlogin patch
107451-05 SunOS 5.7: /usr/sbin/cron patch
107477-03 SunOS 5.7: /usr/lib/nfs/mountd patch
107654-08 * OpenWindows 3.6.1 X11R6.4 LBX & XRX Extensions Patch
107709-07 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa patch
107716-11 * SunOS 5.7: PGX32 Graphics Patch
107885-08 CDE 1.3: dtprintinfo Patch
107887-10 CDE 1.3: Actions Patch
107893-10 OpenWindows 3.6.1: Tooltalk patch
108376-21 OpenWindows 3.6.1: Xsun Patch
108551-03 SunOS 5.7: /usr/sbin/rpc.nispasswdd patch
108721-02 SunOS 5.7: admintool patch
108748-01 SunOS 5.7: /usr/lib/nfs/statd patch
108750-01 SunOS 5.7: /usr/lib/netsvc/yp/ypbind patch
108754-01 SunOS 5.7: /usr/lib/netsvc/yp/ypxfrd patch
108756-01 SunOS 5.7: /usr/lib/netsvc/yp/rpc.ypupdated patch
108758-01 SunOS 5.7: /usr/sbin/keyserv patch
108760-01 SunOS 5.7: /usr/sbin/rpcbind patch
108762-01 SunOS 5.7: /usr/sbin/rpc.nisd_resolv patch
108764-01 SunOS 5.7: /usr/sbin/rpc.bootparamd patch
109709-01 SunOS 5.7: /usr/sbin/arp patch108528-06 SunOS 5.8: kernel update patch
108975-04 SunOS 5.8: /usr/bin/rmformat and /usr/sbin/format patch
109279-06 SunOS 5.8: /kernel/drv/ip patch
109322-02 SunOS 5.8: libnsl patch
109888-05 SunOS 5.8: platform drivers patch
109892-02 * SunOS 5.8: ecpp patch
109893-01 * SunOS 5.8: stc driver patch
109894-01 * SunOS 5.8: bpp patch
109896-03 * SunOS 5.8: USB patch
109965-03 * SunOS 5.8: pam_smartcard.so.1 patch
110416-02 SunOS 5.8: ATOK12 patch
110453-01 SunOS 5.8: admintool patch108529-05 SunOS 5.8_x86: kernel update patch
108980-05 * SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
109280-06 SunOS 5.8_x86: /kernel/drv/ip patch
109323-02 SunOS 5.8_x86: libnsl patch
109784-01 SunOS 5.8_x86: /usr/lib/nfs/nfsd patch
109895-01 * SunOS 5.8_x86: lp driver patch
109897-03 SunOS 5.8_x86: USB patch
110417-02 SunOS 5.8_x86: ATOK12 patch
110454-01 SunOS 5.8_x86: admintool patch
Please tell us if you have suggestions or feedback on how we present this patch analysis.
Sun
Auditing in the Solaris8 Operating Environment
William Osser and Alex Noordergraaf
http://www.sun.com/blueprints/online.htmlThe use of the Solaris OE auditing (BSM) has never been well understood. This article presents an
auditing configuration optimized for Solaris 8. The recommended configuration will audit activity on a system without generated gigabytes of data every day. In addition, the configuration files are
available for download from http://www.sun.com/blueprints/tools.Comment: This is useful, fresh material on BSM
Disksuite - Disaster recovery: restoring a mirrored root from backup
Sunsolve
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=srdb/14650If your machine with an SDS-mirrored root disk has been completely destroyed and you need to restore from backup, this document will show you the additional steps you must take to re-create the Disksuite state databases and how to resolve issues with the mirrored boot configuration on your backup tapes.
A new site with some Solaris tips:
http://www.rootprompt.net
Linux Security
Security Best Practices Articles and White Papers
Allaire
http://www.allaire.com/handlers/index.cfm?ID=10956&Method=FullAllaire is pleased to present 7 new documents in our Allaire Security White Paper Series. Among these documents, you can find Procedure recommendation documents, and step-by-step walk-through of common default configurations for major platforms and web servers and how to lock them down securely.
IP Spoofing
Linux Gazette
http://linuxgazette.com/issue63/sharma.htmlA spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another. Most of the applications and tools in UNIX rely on the source IP address authentication. Many developers have used the host based access controls to secure their networks. Source IP address is a unique identifier but not a reliable one. It can easily be spoofed.
The sky is not falling
Dev Zaborav
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-unixsecurity-dv.htmlPanic over vulnerabilities may make security experts skeptical of real emergencies. The recent discovery of vulnerabilities in BIND quickly escalated from a reasonable security concern to widespread panic. In this week's Unix Security, Dev Zaborav looks at the increasing sensationalism that surrounds Internet security and worries that too many cries of emergency will leave administrators distrustful when critical situations actually arise.
IT security: Keep it at home or take it outside?
P.J. Connolly and Tom Yager
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-ITsecurity.htmlAre you insecure about recruiting an outside firm to protect your networks? Our experts debate the issue.
SunWorld
Securing your Solaris server
Jamie Wilson
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-hardening.htmlSystems administrators are often too busy with their day-to-day work to concern themselves with system security. That means servers may end up without the latest security patches or fixes, offering easy ways for attackers to gain entry into their systems. In this Unix Insider feature, Jamie Wilson helps you secure your Solaris server by demonstrating how to disable inetd, secure su, find and secure setuid and setgid files, and install and configure IPfilter.
SysAdmin Magazine
Getting Your Message Across with Apache
Carlos Ramirez
http://www.sysadminmag.com/current/0103a/0103a.htmRamirez presents an Apache module that provides a way to push important messages to your user community so that anyone accessing any Web page on your server will get the message.
The module is called Apache::Motd. As the name implies, this module works on Apache Web servers and is based on the "Message Of The Day" (or motd) utility found on UNIX systems.
SecurityFocus
Steps for Recovering from a UNIX or NT System Compromise
CERT
http://www.securityfocus.com/frames/?content=/templates/library.html?id=3322%3Fid%3D3322This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team). It describes suggested steps for responding to a UNIX or NT system compromise.
Password Crackers - Ensuring the Security of Your Password
A. Cliff
http://www.securityfocus.com/focus/basics/articles/passcrack.htmlPasswords are a crucial component of good computer security for users of any level. This is especially true since the development of the password cracker, an automated tool that allows hackers to guess passwords quickly and easily. In this article, A. Cliff explains that password crackers can be used to enforce secure passwords. The article also explains what steps users should take to develop and maintain strong, secure passwords.
Studying Normal Traffic, Part 2: Studying FTP Traffic
Karen Frederick
http://securityfocus.com/focus/ids/articles/normaltraf2.html
02/22/01 NFS over ssh
http://www.securityfocus.com/archive/92/16488702/22/01 OpenSSH and passwords
http://www.securityfocus.com/archive/92/16488602/21/01 Re: sources of randomness
http://www.securityfocus.com/archive/92/16489202/20/01 New Article: Auditing in the Solaris 8 OE BluePrint Published
http://www.securityfocus.com/archive/92/16419002/20/01 Solaris with MD5 encrypted passwords ?
http://www.securityfocus.com/archive/92/16418702/18/01 Solaris 7 patch behavior
http://www.securityfocus.com/archive/92/16417902/14/01 CDE Security
http://www.securityfocus.com/archive/92/16299002/09/01 LDAP Authentication on Solaris / AIX
http://www.securityfocus.com/archive/92/161687Note: as the links to the threats themselves are too long to be published, the above links directly point on the first message of each discussion.
Yassp beta 15 is still current. There was lots of discussion on OpenSSH, Tripwire, xinetd, floppy + broken kernel patches,
Discussions this week:
MAXSYMLINKS
http://www.theorygroup.com/Archive/YASSP/2001/msg00072.htmlUpdated docs
http://www.theorygroup.com/Archive/YASSP/2001/msg00064.htmlOpenSSH package: (tentative) summary of recent discussions
http://www.theorygroup.com/Archive/YASSP/2001/msg00060.htmlRE: Uncommenting inetd.conf Lines After Installing YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00037.htmlSOLVED: floppy access
http://www.theorygroup.com/Archive/YASSP/2001/msg00057.html
Broken diskette access ?
http://www.theorygroup.com/Archive/YASSP/2001/msg00056.htmlOpenSSH package: new proposals
http://www.theorygroup.com/Archive/YASSP/2001/msg00042.htmlRandom for OpenSSH?
http://www.theorygroup.com/Archive/YASSP/2001/msg00039.htmlSee also http://www.yassp.org
All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Of note is the release of OpenSSH 2.5.1p1, see http://www.openssh.com/portable.html.
Two minor BIND tips this week, which popped up after migrating to 8.2.3:
named[9708]: tcp_send: bind(query_source): Permission denied
The problem arises because a query fails as a UDP packet (e.g. due to heave server or network load) and must be retried using TCP. The TCP connection is re-tried from a privileged source port (the one specified in the log file), which is not allowed since BIND is not running as root (or shouldn't be anyway). Hopefully ISC will fix this in the next release. In the meantime, if this happens to you alot, a patch posted by Mark Andrews of Nominum makes the TCP connection using a random non-privileged source port.
http://www.isc.org/ml-archives/bind-users/2001/02/msg01433.html
named[6251]: [ID 295310 daemon.notice] denied update from ....
It may not be an attack, or even an incorrectly configured DNS secondary, but simple a Windows200 machine. I've seen this several times, the exact reasons for Windows2000 trying to update itself into DNS are not clear.
All weekly digests are archive at:
securityportal.com/research/research.digestarchives.html
Sign up to get this digest and many others by email.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
| © Copyright 2001, SecurityPortal Inc. & Seán .Boran, All Rights Reserved, Last Update: 23 February, 2001 |