Weekly Solaris Security Digest
2000/02/19 to 2001/02/26

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

Sun Bulletin #00201: Java Runtime Environment unauthorized command execution
http://sunsolve.sun.com/security
(The bulletin is not yet available on the URL above, but should be soon)

Overview:

A vulnerability in certain versions of the Java(TM) Runtime Environment may allow malicious Java code to execute unauthorized commands. However, permission to execute at least one command must have been granted in order for this vulnerability to be exploited. Since no permission is granted by default, the circumstances necessary to exploit this vulnerability are relatively rare.

System affected

Solaris Production releases SDK and JRE 1.2.1, and JDK and JRE 1.1.7B and 1.1.6 should no longer be used. In addition, releases prior to JDK and JRE 1.1.6 for Windows or Solaris should no longer be used. Users of these releases should upgrade to a later release.

To the best of Sun's knowledge, Netscape Navigator(TM) and Microsoft Internet Explorer are not exposed to this vulnerability.

Fixes

This vulnerability was fixed in Java 2 Platform, Standard Edition, v 1.3.

Windows Production and Solaris Reference Releases
SDK and JRE 1.2.2_007 http://java.sun.com/products/jdk/1.2/
SDK and JRE 1.2.1_004 http://java.sun.com/products/jdk/1.2.1/
JDK and JRE 1.1.8_006 http://java.sun.com/products/jdk/1.1/
JDK and JRE 1.1.7B_007 http://java.sun.com/products/jdk/1.1.7B/
JDK and JRE 1.1.6_009 http://java.sun.com/products/jdk/1.1.6/

Solaris Production Releases
SDK and JRE 1.2.2_07 http://www.sun.com/software/solaris/java/download.html
JDK and JRE 1.1.8_12 http://www.sun.com/software/solaris/java/archive.html

Linux Production Release
SDK and JRE 1.2.2_007 http://java.sun.com/products/jdk/1.2/download-linux.html

Bugtraq vulnerabilities this week - Solaris:

Solaris 8 pam_ldap.so.1 module broken
http://archives.neohapsis.com/archives/bugtraq/2001-02/0344.html
David Caleb reminds us that the pam_ldap module is seriously broken: a NULL password can be used for authentication. It is still pending as Sunsolve BugID 4384816. Using the pam_ldap module compiled from the source code available at http://www.padl.com appears to work correctly.

Bugtraq vulnerabilities this week - 3rd party applications:

2001-02-18: Mailnews.cgi Username Remote Shell Commands Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2391

2001-02-16: Thinking Arts ES.One Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2385

2001-02-15: Bajie Webserver Remote Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2388

2001-02-15: Bajie Arbitrary Shell Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2389

2001-02-13: Analog ALIAS Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2377


Patches

In this section we aim to inform you of new patches published by Sun. Patches are published [on ftp://sunsolve.sun.com/pub/patches] in two ways:

We analyse both reports since changes in one are not always reflected in the other.

1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:

Solaris 8           Feb/21/01

108974-09 SunOS 5.8: dada, uata, dad, sd and scsi patch
108975-04 SunOS 5.8: /usr/bin/rmformat and /usr/sbin/format patch
110905-01 SunOS 5.8: /usr/bin/find patch
110951-01 SunOS 5.8: /usr/sbin/tar and /usr/sbin/static/tar patch
108993-02 SunOS 5.8: nss and ldap patch
108528-06 SunOS 5.8: kernel update patch
109279-08 SunOS 5.8: /kernel/drv/ip patch
109740-03 SunOS 5.8: /kernel/drv/udp patch
109322-02 SunOS 5.8: libnsl patch
109898-02 SunOS 5.8: /kernel/drv/arp patch

Solaris 8_x86   Feb/16/01

110906-01 SunOS 5.8_x86: /usr/bin/find patch
110952-01 SunOS 5.8_x86: /usr/sbin/tar and /usr/sbin/static/tar patch
110959-01 SunOS 5.8_x86: /kernel/drv/xsvc and /kernel/drv/xsvc.conf

Solaris 7           Jan/30/01: no changes
Solaris 2.6        Feb/20/01: The date has changed but no patches seem to have changed.
Solaris 2.5.1     Jan/26/01: no changes

2. New or updated individual security/recommended patches. Note that the arp problem reported a few weeks back has been fixed.

105181-25 SunOS 5.6: Kernel update patch
106629-23 SunOS 5.6: CS6400 kernel update patch
105529-10 SunOS 5.6: /kernel/drv/tcp patch
105633-50 OpenWindows 3.6: Xsun patch
105703-24 CDE 1.2: dtlogin patch
105800-07 SunOS 5.6: /usr/bin/admintool, y2000 patch
105802-14 OpenWindows 3.6: ToolTalk patch
106834-02 SunOS 5.6: cp/ln/mv patch
109719-01 SunOS 5.6: arp should lose set-gid bit

106541-14 SunOS 5.7: Kernel update patch
106942-14 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
107180-25 * CDE 1.3: dtlogin patch
107451-05 SunOS 5.7: /usr/sbin/cron patch
107477-03 SunOS 5.7: /usr/lib/nfs/mountd patch
107654-08 * OpenWindows 3.6.1 X11R6.4 LBX & XRX Extensions Patch
107709-07 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa patch
107716-11 * SunOS 5.7: PGX32 Graphics Patch
107885-08 CDE 1.3: dtprintinfo Patch
107887-10 CDE 1.3: Actions Patch
107893-10 OpenWindows 3.6.1: Tooltalk patch
108376-21 OpenWindows 3.6.1: Xsun Patch
108551-03 SunOS 5.7: /usr/sbin/rpc.nispasswdd patch
108721-02 SunOS 5.7: admintool patch
108748-01 SunOS 5.7: /usr/lib/nfs/statd patch
108750-01 SunOS 5.7: /usr/lib/netsvc/yp/ypbind patch
108754-01 SunOS 5.7: /usr/lib/netsvc/yp/ypxfrd patch
108756-01 SunOS 5.7: /usr/lib/netsvc/yp/rpc.ypupdated patch
108758-01 SunOS 5.7: /usr/sbin/keyserv patch
108760-01 SunOS 5.7: /usr/sbin/rpcbind patch
108762-01 SunOS 5.7: /usr/sbin/rpc.nisd_resolv patch
108764-01 SunOS 5.7: /usr/sbin/rpc.bootparamd patch
109709-01 SunOS 5.7: /usr/sbin/arp patch

108528-06 SunOS 5.8: kernel update patch
108975-04 SunOS 5.8: /usr/bin/rmformat and /usr/sbin/format patch
109279-06 SunOS 5.8: /kernel/drv/ip patch
109322-02 SunOS 5.8: libnsl patch
109888-05 SunOS 5.8: platform drivers patch
109892-02 * SunOS 5.8: ecpp patch
109893-01 * SunOS 5.8: stc driver patch
109894-01 * SunOS 5.8: bpp patch
109896-03 * SunOS 5.8: USB patch
109965-03 * SunOS 5.8: pam_smartcard.so.1 patch
110416-02 SunOS 5.8: ATOK12 patch
110453-01 SunOS 5.8: admintool patch

108529-05 SunOS 5.8_x86: kernel update patch
108980-05 * SunOS 5.8_x86: PCI HotPlug framework and devfsadm patch
109280-06 SunOS 5.8_x86: /kernel/drv/ip patch
109323-02 SunOS 5.8_x86: libnsl patch
109784-01 SunOS 5.8_x86: /usr/lib/nfs/nfsd patch
109895-01 * SunOS 5.8_x86: lp driver patch
109897-03 SunOS 5.8_x86: USB patch
110417-02 SunOS 5.8_x86: ATOK12 patch
110454-01 SunOS 5.8_x86: admintool patch

Please tell us if you have suggestions or feedback on how we present this patch analysis.


News & Articles

Sun

Auditing in the Solaris8 Operating Environment
William Osser and Alex Noordergraaf
http://www.sun.com/blueprints/online.html

The use of Solaris OE auditing (BSM) has never been well understood. This article presents an auditing configuration optimized for Solaris 8. The recommended configuration will audit activity on a system without generating gigabytes of data every day. In addition, the configuration files are available for download from http://www.sun.com/blueprints/tools.

Comment: This is useful, fresh material on BSM.

 

Disksuite - Disaster recovery: restoring a mirrored root from backup
Sunsolve
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&nolog=1&doc=srdb/14650

If your machine with an SDS-mirrored root disk has been completely destroyed and you need to restore from backup, this document will show you the additional steps you must take to re-create the Disksuite state databases and how to resolve issues with the mirrored boot configuration on your backup tapes.

 

A new site with some Solaris tips:
http://www.rootprompt.net

Linux Security

Security Best Practices Articles and White Papers
Allaire
http://www.allaire.com/handlers/index.cfm?ID=10956&Method=Full

Allaire is pleased to present 7 new documents in our Allaire Security White Paper Series. Among these documents, you can find procedure recommendation documents and step-by-step walk-throughs of common default configurations for major platforms and web servers and how to lock them down securely.

 

IP Spoofing
Linux Gazette
http://linuxgazette.com/issue63/sharma.html

A spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another. Most of the applications and tools in UNIX rely on source IP address authentication. Many developers have used host-based access controls to secure their networks. The source IP address is a unique identifier but not a reliable one: it can easily be spoofed.

 

The sky is not falling
Dev Zaborav
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-unixsecurity-dv.html

Panic over vulnerabilities may make security experts skeptical of real emergencies. The recent discovery of vulnerabilities in BIND quickly escalated from a reasonable security concern to widespread panic. In this week's Unix Security, Dev Zaborav looks at the increasing sensationalism that surrounds Internet security and worries that too many cries of emergency will leave administrators distrustful when critical situations actually arise.

 

IT security: Keep it at home or take it outside?
P.J. Connolly and Tom Yager
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-ITsecurity.html

Are you insecure about recruiting an outside firm to protect your networks? Our experts debate the issue.

 

SunWorld

Securing your Solaris server
Jamie Wilson
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-hardening.html

Systems administrators are often too busy with their day-to-day work to concern themselves with system security. That means servers may end up without the latest security patches or fixes, offering easy ways for attackers to gain entry into their systems. In this Unix Insider feature, Jamie Wilson helps you secure your Solaris server by demonstrating how to disable inetd, secure su, find and secure setuid and setgid files, and install and configure IPfilter.

 

SysAdmin Magazine

Getting Your Message Across with Apache
Carlos Ramirez
http://www.sysadminmag.com/current/0103a/0103a.htm

Ramirez presents an Apache module that provides a way to push important messages to your user community so that anyone accessing any Web page on your server will get the message.
The module is called Apache::Motd. As the name implies, this module works on Apache Web servers and is based on the "Message Of The Day" (or motd) utility found on UNIX systems.

 

SecurityFocus

Steps for Recovering from a UNIX or NT System Compromise
CERT
http://www.securityfocus.com/frames/?content=/templates/library.html?id=3322%3Fid%3D3322

This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team). It describes suggested steps for responding to a UNIX or NT system compromise.

 

Password Crackers - Ensuring the Security of Your Password
A. Cliff
http://www.securityfocus.com/focus/basics/articles/passcrack.html

Passwords are a crucial component of good computer security for users of any level. This is especially true since the development of the password cracker, an automated tool that allows hackers to guess passwords quickly and easily. In this article, A. Cliff explains that password crackers can be used to enforce secure passwords. The article also explains what steps users should take to develop and maintain strong, secure passwords.

 

Studying Normal Traffic, Part 2: Studying FTP Traffic
Karen Frederick
http://securityfocus.com/focus/ids/articles/normaltraf2.html


Mailing Lists

FOCUS-Sun Discussions Threads

02/22/01 NFS over ssh
http://www.securityfocus.com/archive/92/164887

02/22/01 OpenSSH and passwords
http://www.securityfocus.com/archive/92/164886

02/21/01 Re: sources of randomness
http://www.securityfocus.com/archive/92/164892

02/20/01 New Article: Auditing in the Solaris 8 OE BluePrint Published
http://www.securityfocus.com/archive/92/164190

02/20/01 Solaris with MD5 encrypted passwords ?
http://www.securityfocus.com/archive/92/164187

02/18/01 Solaris 7 patch behavior
http://www.securityfocus.com/archive/92/164179

02/14/01 CDE Security
http://www.securityfocus.com/archive/92/162990

02/09/01 LDAP Authentication on Solaris / AIX
http://www.securityfocus.com/archive/92/161687

Note: as the links to the threads themselves are too long to be published, the above links point directly to the first message of each discussion.

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current. There was a lot of discussion on OpenSSH, Tripwire, xinetd, floppy access and broken kernel patches.

Discussions this week:

MAXSYMLINKS
http://www.theorygroup.com/Archive/YASSP/2001/msg00072.html

Updated docs
http://www.theorygroup.com/Archive/YASSP/2001/msg00064.html

OpenSSH package: (tentative) summary of recent discussions
http://www.theorygroup.com/Archive/YASSP/2001/msg00060.html

RE: Uncommenting inetd.conf Lines After Installing YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00037.html

SOLVED: floppy access
http://www.theorygroup.com/Archive/YASSP/2001/msg00057.html
Broken diskette access ?
http://www.theorygroup.com/Archive/YASSP/2001/msg00056.html

OpenSSH package: new proposals
http://www.theorygroup.com/Archive/YASSP/2001/msg00042.html

Random for OpenSSH?
http://www.theorygroup.com/Archive/YASSP/2001/msg00039.html

See also http://www.yassp.org


Security Tools

All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

Of note is the release of OpenSSH 2.5.1p1, see http://www.openssh.com/portable.html.


Tip of the Week: BIND errors

Two minor BIND tips this week, which popped up after migrating to 8.2.3:

named[9708]: tcp_send: bind(query_source): Permission denied

The problem arises because a query fails as a UDP packet (e.g. due to heavy server or network load) and must be retried using TCP. The TCP connection is re-tried from a privileged source port (the one specified in the log file), which is not allowed since BIND is not running as root (or shouldn't be anyway). Hopefully ISC will fix this in the next release. In the meantime, if this happens to you a lot, a patch posted by Mark Andrews of Nominum makes the TCP connection using a random non-privileged source port.
http://www.isc.org/ml-archives/bind-users/2001/02/msg01433.html
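An added example, not from the digest or from ISC: a small Python check that counts this error in constructed syslog lines and inspects a constructed named.conf fragment for a pinned query-source port below 1024 (assumption: the server pins its source port with BIND's query-source option), which is the port an unprivileged named cannot re-bind on the TCP retry.

```python
import re

# Constructed sample syslog lines (not from the digest): two tcp_send bind
# failures from one named process beside unrelated noise.
SAMPLE_LOG = """\
Feb 22 10:01:12 ns1 named[9708]: tcp_send: bind(query_source): Permission denied
Feb 22 10:01:13 ns1 named[9708]: tcp_send: bind(query_source): Permission denied
Feb 22 10:02:00 ns1 sshd[1201]: Accepted publickey for admin from 10.0.0.5
Feb 22 10:03:45 ns1 named[9708]: Lame server on 'example.com' (in 'example.com'?)
"""

# Constructed named.conf fragment (assumption: the query source port is pinned
# with BIND's `query-source address ... port N;` option).
SAMPLE_CONF = """\
options {
    directory "/var/named";
    query-source address * port 53;
};
"""

TCP_BIND_ERR = re.compile(r"named\[(\d+)\]: tcp_send: bind\(query_source\): Permission denied")
QUERY_SOURCE = re.compile(r"query-source\s+address\s+\S+\s+port\s+(\d+)\s*;")

def count_tcp_bind_failures(log_text):
    """Return {pid: count} of tcp_send bind failures per named process."""
    counts = {}
    for line in log_text.splitlines():
        m = TCP_BIND_ERR.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def query_source_port(conf_text):
    """Return the pinned query-source port as int, or None if not pinned."""
    m = QUERY_SOURCE.search(conf_text)
    return int(m.group(1)) if m else None

def diagnose(log_text, conf_text):
    """Correlate the log error with the config: a pinned privileged port is the cause."""
    failures = count_tcp_bind_failures(log_text)
    port = query_source_port(conf_text)
    if not failures:
        return "no tcp_send bind failures seen"
    total = sum(failures.values())
    if port is not None and port < 1024:
        return (f"{total} TCP retry failures; query-source pinned to privileged port {port}, "
                "which an unprivileged named cannot re-bind: use an unprivileged port or apply the patch")
    return f"{total} TCP retry failures; check the user named runs as and its query-source setting"
```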


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 23 February, 2001