Weekly Solaris Security Digest
2000/02/26 to 2001/03/05

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

The Rundown

• Solaris vulnerabilities: none
• Vulnerabilities in 3rd party applications: Ultimate Bulletin Board, Simple server.
• Patches: All clusters have changed, but no new individual patches.
• Articles/news: SSH, IDS, TCP wrappers, Anticryptography, Filesystems, Firewalls, IPF, Sockets, Crypto, Outsourcing.
• Discussions summary: Yassp & Focus-sun.
• Tip of the Week: CERT, itbpm.

Advisories and Security Bulletins

Solaris vulnerabilities this week:

none

Vulnerabilities this week - 3rd party applications (Bugtraq):

2001-02-24: Simple Server Directory Traversal Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2415

2001-02-21: Ultimate Bulletin Board [IMG] Tag JavaScript Embedding Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2408

Patches

In this section we aim to inform you of new patches published by Sun. Patches are published [on ftp://sunsolve.sun.com/pub/patches] in two ways:

• As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available, we compare it with the reports from the previous week.
• Individual patches to fix specific problems. A patch reports lists all patches and their versions, we compare patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:

Solaris 8           Mar/01/01:

109805-02 SunOS 5.8: pam_krb5.so.1 patch
108981-04 SunOS 5.8: /kernel/drv/hme and /kernel/drv/sparcv9/hme patch
110898-01 SunOS 5.8: csh/pfcsh patch
108727-06 SunOS 5.8: /kernel/fs/nfs and /kernel/fs/sparcv9/nfs patch
110609-01 SunOS 5.8: cdio.h and command.h USB header patch
109041-03 SunOS 5.8: sockfs patch
109883-02 SunOS 5.8: /usr/include/sys/ecppsys.h patch
109887-02 SunOS 5.8: smartcard patch
109896-04 SunOS 5.8: USB patch

Solaris 8_x86  Mar/01/01:

109280-08 SunOS 5.8_x86: /kernel/drv/ip patch
109899-01 SunOS 5.8_x86: /kernel/drv/arp patch
109741-03 SunOS 5.8_x86: /kernel/drv/udp patch
109743-02 SunOS 5.8_x86: /kernel/drv/icmp patch
110701-01 SunOS 5.8_x86: automount patch
10899-01 SunOS 5.8_x86: csh/pfcsh patch
109042-03 SunOS 5.8_x86: sockfs patch

Solaris 7           Feb/28/01:     

106541-15 SunOS 5.7: Kernel update patch
107636-07 SunOS 5.7: X Input & Output Method patch
106942-15 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch

Solaris 2.6        Feb/28/01

105667-03 SunOS 5.6: /usr/bin/rdist patch
106625-09 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch
109339-02 SunOS 5.6: nscd's size grows - TTL values not implemented
105633-51 OpenWindows 3.6: Xsun patch

Solaris 2.5.1     Feb/27/01: 

104605-11 SunOS 5.5.1: ecpp driver patch

2. New or updated individual security/recommended patches.

No changes this week.

Please tell us if you have suggestions or feedback on how we present this patch analysis.

News & Articles

SSH

F-Secure SSH 2.4

F-Secure have written in to say that the only technical opportunity in 2.4 over 2.3 is if you plan to integrate SSH with SecurID. 2.4 does have native SSH integrated with challenge-response support. So if use 2.3 or later you are covered against the vulnerabilities recently discovered.

F-Secure also announced F-Secure SSH Server 5.0 for Windows last week.
http://www1.buyonet.com/f-secure/sshntsrv  

 

OpenSSH 2.5.1p2
http://www.openssh.com/portable.html
Changes from p1 are: PAM, compiling problems on some platforms, EGD detection, and uid handling.

SecurityPortal

IDS Review
Dragos Ruiu
http://securityportal.com/articles/idsintroduction20010226.html

An interesting and useful review of free and commercial NIDS for SOHO and large site usage.

Linux Security

Network monitoring, access control, and booby traps using TCP Wrappers - I
Trevor Warren
http://www.freeos.com/articles/3729/

In introduction to the TCP wrappers. No innovative examples on how to use them though.

O'Reilly

Using SSH Tunneling
Rob Flickenger
http://www.oreillynet.com/pub/a/wireless/2001/02/23/wep.html

They say that the Wired Equivalent Privacy protocol has been cracked. What's a wireless user to do? Tunnel. Secure Shell (SSH) is open, free, fast, secure, and easy to setup (once you know how).
Comment: This paper presents a simple example on port tunneling with SSH.

 

Anticryptography: The Next Frontier in Computer Science
Brian McConnell
http://www.oreilly.com/news/seti_0201.html

Ever since Mosaic, the computer industry has been obsessed with cryptography. The crusade to put strong encryption technology in the hands of ordinary computer users is a noble and important cause. Yet in our obsession with encryption and electronic anonymity, we've overlooked something equally important, the idea of creating complex messages that decode themselves.

 

Basics: Understanding Unix Filesystems
Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2001/02/28/FreeBSD_Basics.html

Daemon News

OpenBSD bridge without IPs using IPF Tutorial
by Doug Hogan and Bryan Hinton
http://www.daemonnews.org/200103/ipf_bridge.html

The Sunscreen fans among you might be interested in an alternative 'stealth' firewall.....

 

Adventures in firewalling
Bill Moran
http://www.daemonnews.org/200103/firewall.html

Some practical tips on configuring firewalls, especially with ipfw.

UnixInsider

Sex, drugs, and technology, Demonizing cryptography
By Carole Fennelly
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0223-unixsecurity.html

"People fear what they don't understand -- and the average person doesn't understand anything that ends with ography. When in doubt, blame technology."

 

Understanding the Solaris socket filesystem
Jim Mauro
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0202-insidesolaris.html

A useful overview of socket implementations on pre Solaris 2.6 releases.

 

IT security: Keep it at home or take it outside?
Connolly and Tom Yager
http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-ITsecurity.html

As the Internet becomes an ever-more dominant medium for doing business, companies require even greater protection for their intellectual assets. Conducting business via the Web turns your network into a proving ground for hackers bent on infamy. Stepping up to meet this challenge are security outsourcing companies that promise to constantly monitor and tune your firewalls, routers, and servers via remote links for maximum protection. That idea delights a growing number of IT leaders; still, many tremble at the thought of trusting the corporate jewels to outsiders.

Comment: An entertaining debate on In-house 'control freaks' and external consultants.

SecurityFocus

Comparative Analysis of Methods of Defense against Buffer Overflow Attacks
Istvan Simon
http://www.mcs.csuhayward.edu/~simon/security/boflo.html

For the past several years Buffer Overflow attacks have been the main method of compromising a computing system's security. Many of these attacks have been devastatingly effective, allowing the attacker to attain administrator privileges on the attacked system. We review the anatomy of these attacks and the reasons why conventional methods of defense have been ineffective, and likely to remain so in the foreseeable future. Recently, however, several promising methods of defense have been proposed. We compare the strengths and weaknesses of these defense methods.

 

The Field Guide for Investigating Computer Crime, Part Seven: Information Discovery - Basics and Planning
Timothy E. Wright
http://www.securityfocus.com/focus/ih/articles/crimeguide7.html

This is the seventh installment of SecurityFocus.com's Field Guide for Investigating Computer Crime. The previous installment in this series, "Search and Seizure - Evidence Retrieval and Processing", concluded the overview of search and seizure with a discussion of the retrieval and processing of computer crime scene evidence. In this installment, we will begin our discussion of information discovery - the process of viewing log files, databases and other data sources on unseized equipment, in order to find and analyze information that may be of importance to a computer crime investigation.

Mailing Lists

FOCUS-Sun Discussions Threads

02/24/01 NFS over ssh
http://www.securityfocus.com/archive/92/164887

02/23/01 OpenSSH and passwords
http://www.securityfocus.com/archive/92/164886

02/23/01 Solaris with MD5 crypted passwords?
http://www.securityfocus.com/archive/92/164187

02/23/01 CDE daemons
http://www.securityfocus.com/archive/92/165056

Note: as the links to the threats themselves are too long to be published, the above links directly point on the first message of each discussion.

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

Discussions this week:

Telnet & ftp
http://www.theorygroup.com/Archive/YASSP/2001/msg00091.html

When compiling packages ...
http://www.theorygroup.com/Archive/YASSP/2001/msg00088.html

Repackaging yassp's tcpd
http://www.theorygroup.com/Archive/YASSP/2001/msg00087.html

Uncommenting inetd.conf Lines After Installing YASSP
http://www.theorygroup.com/Archive/YASSP/2001/msg00037.html

OpenSSH package: (tentative) summary of recent discussions
http://www.theorygroup.com/Archive/YASSP/2001/msg00060.html

Updated docs
http://www.theorygroup.com/Archive/YASSP/2001/msg00064.html

See also http://www.yassp.org

Security Tools

All security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

• Updates to General free tools this week include Eudora GnuPG plugin, GPA, GPGME, Seahorse, OpenSSH, Stunnel, Apache and Linux kernel.
• Auditing and Intrusion Monitoring tools include SAINT, NetSaint, syslog-ng and 5 other new tools.
• Firewalls for UNIX/Linux/BSD & Cross-platform include Zorp, Fireparse, IPtables, IPtables Linux Firewall, Firestarter and 3 other tools.
• Tools for Linux/Unix/Cross Platform include APG, Exiscan, BUGS/bcrypt, SILC, Sectar and 4 other tools.
• Tools for Windows include aTrans, aCrypt and Advanced Password Generator.

Of note is:

• Apache 1.3.19
  http://www.apache.org/dist
  Changes: new version 1.3.19. The version 1.3.18 was not released due to an incorrect fix addressing hostnames with url-escaped characters. A corrected fix will be included in the next release. The version 1.3.19 of Apache is primarily a security fix release addressing a problem which could lead to a directory listing being displayed in place of an error message. Also, it fixes some broken functionality present in the 1.3.17 release and various Win32 issues. The main new feature is a new configuration error reporting if the UserDir argument is set to a relative path on Win32 or Netware [which do not support home directories], or a relative path on any platform if that path includes the '*' username substitution.

Tip of the Week:

I'd not read the CERT documents on security in a long time and was pleasantly surprised, they are looking good and worth a visit:
http://www.cert.org/security-improvement/index.html#unix

On a more comprehensive level, the english translation of the IT Baseline Protection Manual (itbpm)  is available on http://www.bsi.bund.de/english.

References and Resources

All weekly digests are archive at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.