Weekly Solaris Security Digest
2000/03/05 to 2001/03/12

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

Open mail relays used to deliver "Hybris Worm"
http://www.cert.org/incident_notes/IN-2001-02.html

It is well documented that intruders have used open mail relays for years to deliver unsolicited email. Recently, the CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm."

Solaris vulnerabilities this week:

none

Vulnerabilities this week - 3rd party applications (Bugtraq):

2001-02-28: Joe Text Editor .joerc Arbitrary Command Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2437


Patches

In this section we aim to inform you of new patches published by Sun. Patches are published [on ftp://sunsolve.sun.com/pub/patches] in two ways:

We analyze both reports since changes in one are not always reflected in the other.

1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:

Solaris 8          Mar/06/01:

108652-27 X11 6.4.1 Xsun patch
108879-05 Solstice AdminSuite 3.0.1: Auditing, compat mode, passwd, autohome
110901-01 SunOS 5.8: /kernel/drv/sgen and /kernel/drv/sparcv9/sgen patch
109877-01 SunOS 5.8: /usr/include/sys/dma_i8237A.h patch
109892-03 SunOS 5.8: ecpp patch
110662-02 SunOS 5.8: ksh patch

Solaris 8_x86  Mar/06/01:

108653-23 X11 6.4.1_x86: Xsun patch
108881-05 Solstice AdminSuite 3.0.1_x86: Auditing compat mode passwd autohome
110902-01 SunOS 5.8_x86: /kernel/drv/sgen patch
110663-02 SunOS 5.8_x86: ksh patch
110610-01 SunOS 5.8_x86: cdio.h and commands.h USB patch
108529-06 SunOS 5.8_x86: kernel update patch
109897-04 SunOS 5.8_x86: USB patch

Solaris 7          Mar/08/01:     

107893-11 OpenWindows 3.6.1: Tooltalk patch
107022-07 CDE 1.3: Calendar Manager patch
107259-02 SunOS 5.7: /usr/sbin/vold patch
107702-07 CDE 1.3: dtsession patch
108374-05 CDE 1.3: libDtWidget Patch

Solaris 2.6        Mar/07/01: date changed and some Solaris 8 patches listed by mistake.

107618-02 SunOS 5.6: patch /usr/sbin/vold

Solaris 2.5.1     Mar/07/01: date changed only.

 

2. New or updated individual security/recommended patches.

105667-02 SunOS 5.6: /usr/bin/rdist patch
106625-08 SunOS 5.6: libsec.a, libsec.so.1 and /kernel/fs/ufs patch
109339-01 SunOS 5.6: nscd has a potential security problem
105633-50 OpenWindows 3.6: Xsun patch
Note: the Solaris 2.6 patch report was badly messed up on March 9th, with about 200 patches apparently changed, which is unlikely.

106541-14 SunOS 5.7: Kernel update patch
106942-14 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch
107022-06 CDE 1.3: Calendar Manager patch
107893-10 OpenWindows 3.6.1: Tooltalk patch

109280-06 SunOS 5.8_x86: /kernel/drv/ip patch

109279-06 SunOS 5.8: /kernel/drv/ip patch
109892-02 * SunOS 5.8: ecpp patch
109896-03 * SunOS 5.8: USB patch
109965-03 * SunOS 5.8: pam_smartcard.so.1 patch
110898-01 SunOS 5.8: csh/pfcsh patch
The following were reported as being new; this may be incorrect:
108528-06 SunOS 5.8: kernel update patch
108875-07 SunOS 5.8: c2audit patch
108968-02 SunOS 5.8: vol/vold/rmmount patch
108975-04 SunOS 5.8: /usr/bin/rmformat and /usr/sbin/format patch
108985-02 SunOS 5.8: /usr/sbin/in.rshd patch
109320-01 SunOS 5.8: LP patch
109322-02 SunOS 5.8: libnsl patch
109783-01 SunOS 5.8: /usr/lib/nfs/nfsd patch
109888-05 SunOS 5.8: platform drivers patch
109893-01 * SunOS 5.8: stc driver patch
109894-01 * SunOS 5.8: bpp patch
109951-01 SunOS 5.8: jserver buffer overflow
110416-02 SunOS 5.8: ATOK12 patch
110453-01 SunOS 5.8: admintool patch
110898-01 SunOS 5.8: csh/pfcsh patch
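A quick way to turn the patch lists above into an action list: this added example (not from the digest) parses `showrev -p` output and reports, for each listed patch ID, whether the installed revision is current, outdated or missing. The showrev text below is constructed; on a live host call `audit_patches "$(showrev -p)"`.

```shell
#!/bin/sh
# Added example (not from the digest): check whether the patch revisions listed
# above are installed, using the output of `showrev -p`. The showrev text below
# is constructed; on a live host call audit_patches "$(showrev -p)".
SHOWREV_SAMPLE='Patch: 108528-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar
Patch: 110898-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109279-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# Patch IDs (base-revision) taken from the Solaris 8 lists in this digest.
WANTED='108528-06 109279-06 109951-01 110898-01'

# installed_rev <base> <showrev-text>: highest installed revision of <base>, or nothing.
# Patch revisions start at 01, so a zero maximum means "not installed".
installed_rev() {
    printf '%s\n' "$2" | awk -v base="$1" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2] + 0 > max) max = p[2] + 0 }
        END { if (max) printf "%02d\n", max }'
}

# patch_status <id> <showrev-text>: prints "ok", "outdated <installed-rev>" or "missing".
patch_status() {
    base=${1%-*}; want=${1#*-}
    have=$(installed_rev "$base" "$2")
    if [ -z "$have" ]; then
        echo missing
    elif [ "$have" -lt "$want" ]; then
        echo "outdated $have"
    else
        echo ok
    fi
}

# audit_patches <showrev-text>: prints one line per wanted patch; fails if any is not ok.
audit_patches() {
    problems=0
    for id in $WANTED; do
        st=$(patch_status "$id" "$1")
        echo "$id $st"
        [ "$st" = ok ] || problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

if audit_patches "$SHOWREV_SAMPLE"; then
    echo "all listed patches present"
else
    echo "some patches missing or outdated"
fi
```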

Please tell us if you have suggestions or feedback on how we present this patch analysis.


News & Articles

SecurityPortal

A Tool for Cold Mirroring of Solaris System Disks - mirror_boot.sh
Seán Boran
http://securityportal.com/articles/coldmirroring20010306.html

 

Zen and the Art of Breaking Security - Part I & Part II
Razvan Peteanu
http://securityportal.com/articles/zenandsecurity20010301.html
http://securityportal.com/articles/zenandsecurity20010308.html

 

URL, Little Do We Know Thee
Razvan Peteanu
http://securityportal.com/articles/urlurl20010307.html  

 

Unix Insider

The opening of secrets (the history of public key cryptography)
Steven Levy
http://www.sunworld.com/unixinsideronline/swol-03-2001/swol-0302-bookshelf.html  

 

O'Reilly Network

Is Open Source Un-American?
Tim O'Reilly
http://onlamp.com/pub/a/onlamp/2001/03/08/unamerican.html

 

InfoSecurity Magazine

The Little Things
Dana W. Paxson
http://www.infosecuritymag.com/articles/march01/columns_logoff.shtml

Security begins with the little things. Do them to death. You'll be glad you did.

 

Security for the CXO - Calculating risk
Peter Tippett
http://www.infosecuritymag.com/articles/march01/columns_executive_view.shtml

SysAdmin magazine

Solaris Network Hardening: First Steps
Reg Quinton
http://www.samag.com/current/0104i/0104i.htm

This article looks at using tools like netstat/rpcinfo/lsof/inetd.conf to find out what is actually running on a system before you set about hardening it.

 

Quick Network Redundancy Schemes
Leo Liberti
http://www.samag.com/current/0104a/0104a.htm

Simple bash scripting and IP aliasing can be used to implement quick and easy host redundancy schemes based either on host availability or service availability.
Comment: if you use the ideas presented, use SSH and not rexec for remote execution. Rexec belongs in a museum (from a security standpoint).

Sun

pkg-get
http://www.bolthole.com/solaris/pkg-get.html
Makes it easy to download any package that sunfreeware.com has for your architecture and OS level. It is based on wget.
Comment: looks interesting indeed! In fact take some time to visit this site, as there are lots of well presented tips on various Solaris topics. http://www.bolthole.com/solaris

 

Everything Solaris
http://everythingsolaris.org

Another Solaris tips site to browse.

 


Mailing Lists

FOCUS-Sun Discussions Threads

02/27/01 Re: CDE security
http://www.securityfocus.com/archive/92/166119

02/26/01 NFS over ssh
http://www.securityfocus.com/archive/92/164887

Note: as the links to the threads themselves are too long to be published, the above links point directly to the first message of each discussion.

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current. No discussions this week.

See also http://www.yassp.org


Security Tools

Security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include mod_ssl and Tripwire.

Auditing and Intrusion Monitoring tools include Snort and 2 Snort tools, PIKT, BigBrother, MergeLog, ScanSSH and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include FloppyFw, IPtables Linux Firewall, Iridium, Knetfilter and Firestorm Firewall Monitor.

Tools for Linux/Unix/Cross Platform include Mozilla NSS, Ethereal, Sectar, OpenCL and 5 other tools.

Tools for Windows include Tiny Personal Firewall, ACL tools and VCatch.

A great little *windows* tool that will finally allow you to replace FTPD with SSHD on your multi-user servers is Winscp v1.0 by Martin Prikryl ( http://winscp.vse.cz/eng ); its GUI is good enough that non-techie users can find their way around it.

Sendmail version 8.11.3 is now available. This version fixes a large bug on systems using buffered file I/O. There is also a fix that properly handles buggy accept() calls, preventing a potential denial of service. See ftp://ftp.sendmail.org/pub/sendmail


Tip of the Week: fmthard, Disksuite, lkms.

  1. An example on mirroring using Disksuite For Solaris Sparc by Robert Banniza
    http://www.rootprompt.net/disksuite_mirror.html
  2. If you wish to partition a second disk identically to a first, the fmthard tool together with prtvtoc is much faster than manually using format. For example, if the master is target 3 and the second disk is target 1, and we wish to give it the disk label 'mirror', then:
    /usr/sbin/prtvtoc /dev/rdsk/c0t3d0s2 | /usr/sbin/fmthard -n mirror -s - /dev/rdsk/c0t1d0s2

  3. On the subject of loadable kernel modules (lkm) which we touched on a few weeks back, an interesting read which proposes lkms as security wrappers for applications is:
    "Using Kernel Hypervisors to Secure Applications", by Terrence Mitchem, Raymond Lu and Richard O'Brien www.securecomputing.com/khyper
    To illustrate the practicality of the kernel hypervisor concept, we prototyped three client kernel hypervisors: one for wrapping the Netscape browser, one for replicating files, and one for wrapping the Apache Web Server.
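A guarded version of the prtvtoc/fmthard clone from the tip above, as an added example that is not from the digest: it parses the prtvtoc output of both disks and refuses to write the label when the second disk cannot hold the slices defined on the master. The device names and the prtvtoc text below are constructed.

```shell
#!/bin/sh
# Added example (not from the digest): guard the prtvtoc | fmthard clone with a
# size check, so a second disk smaller than the master is refused before
# anything is written. Device names and prtvtoc text are constructed.

# Constructed prtvtoc output for a master (c0t3d0) and a smaller second disk (c0t1d0).
MASTER_MAP='* /dev/rdsk/c0t3d0s2 partition map
*    2889 sectors/cylinder
*    4108 accessible cylinders
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00          0   2889000   2888999   /
       1      3    01    2889000   2889000   5777999
       2      5    00          0  11868012  11868011'
SMALL_MAP='* /dev/rdsk/c0t1d0s2 partition map
*    2889 sectors/cylinder
*    2000 accessible cylinders'

# vtoc_capacity <prtvtoc-text>: accessible sectors = sectors/cylinder * accessible cylinders
vtoc_capacity() {
    printf '%s\n' "$1" | awk '/sectors\/cylinder/ { spc = $2 }
                              /accessible cylinders/ { acc = $2 }
                              END { print spc * acc }'
}

# vtoc_last_sector <prtvtoc-text>: highest "Last Sector" of any slice (non-comment lines only)
vtoc_last_sector() {
    printf '%s\n' "$1" | awk '$1 !~ /^\*/ && NF >= 6 && $6 + 0 > max { max = $6 + 0 }
                              END { print max + 0 }'
}

# vtoc_fits <source-map> <dest-map>: succeeds if every source slice ends inside the destination
vtoc_fits() {
    [ "$(vtoc_last_sector "$1")" -lt "$(vtoc_capacity "$2")" ]
}

# clone_vtoc <src-rdsk> <dst-rdsk> <label>: the digest's command, run only when vtoc_fits agrees
clone_vtoc() {
    src_map=$(/usr/sbin/prtvtoc "$1") || return 1
    dst_map=$(/usr/sbin/prtvtoc "$2") || return 1
    if ! vtoc_fits "$src_map" "$dst_map"; then
        echo "refusing: $2 cannot hold the slices defined on $1" >&2
        return 1
    fi
    printf '%s\n' "$src_map" | /usr/sbin/fmthard -n "$3" -s - "$2"
}

vtoc_fits "$MASTER_MAP" "$SMALL_MAP" || echo "second disk too small for a mirror label"
```

On a real pair of disks the call is `clone_vtoc /dev/rdsk/c0t3d0s2 /dev/rdsk/c0t1d0s2 mirror`.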

References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 08 March, 2001