Weekly Solaris Security Digest
2001/03/19 to 2001/03/26

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

None

Solaris vulnerabilities this week:

2001-03-15: Solaris snmpXdmid Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2417

We covered this last week; it is now listed in the Bugtraq database.

 

SunOS application perfmon vulnerability
Published by Hackers on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0326.html

JSparm perfmon is not part of the Solaris base package. Through insecure file permissions it can be used to create root-owned files. Fix: remove the SUID bit.

Vulnerabilities this week - 3rd party applications:

The Bugtraq database is very quiet these days.

2001-03-15: Jelsoft vBulletin PHP Command Execution Vulnerability
http://www.securityfocus.com/bid/2474

2001-03-11: Ikonboard Remote File Disclosure Vulnerability
http://www.securityfocus.com/bid/2471

2001-03-09: Halflife Map Command Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2476

2001-03-09: Free Online Dictionary of Computing Remote File Viewing Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2484

2001-03-08: Elm Subject Line Buffer Overflow Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=2470

Bugtraq email list:

Passive Analysis of SSH (Secure Shell) Traffic
Published by Openwall on Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0225.html

This advisory demonstrates several weaknesses in implementations of SSH (Secure Shell) protocols. When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions. The information can later be used to speed up brute-force attacks on passwords, including the initial login password and other passwords appearing in interactive SSH sessions, such as those used with su(1) and Cisco IOS "enable" passwords.
Comment: This well-written analysis uses quite advanced techniques to gain information by analysing the traffic (packet sizes, timing, frequency, etc.) transmitted by SSH. The weaknesses are not "critical", but they demonstrate that encryption alone is not enough for a secure protocol. Thankfully, fixes have been proposed (and OpenSSH 2.5.2, released this week, includes them). On the negative side, more detailed analysis of SSH is to be expected in the future, and other weaknesses will probably arise. Therefore, consider implementing a procedure now for updating SSH on a periodic basis.
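To make the point concrete, here is an added illustration (this editor's own, not the advisory's tool and not OpenSSH code) of one of the observations in the advisory: in an interactive session each keystroke is its own packet and the server normally echoes it back, but while a password is typed (login, su, IOS "enable") echo is off, so the client emits a run of packets that get no reply. Direction, size and timing are all an eavesdropper needs to spot that run and count its keystrokes. The packet trace is constructed, and the "fake echo" function models the countermeasure in the way the advisory describes it, not OpenSSH's actual implementation.

```python
"""Passive detection of password entry in an SSH session, on a constructed trace."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Pkt:
    t: float      # capture time, seconds
    c2s: bool     # True: client -> server, False: server -> client
    size: int     # length on the wire; the contents are opaque ciphertext


def _echoed(trace: List[Pkt], i: int, window: float) -> bool:
    """True if the server answered client packet i before the client's next
    packet and within `window` seconds, i.e. what a normal echo looks like."""
    for q in trace[i + 1:]:
        if q.c2s:
            break
        if q.t - trace[i].t <= window:
            return True
    return False


def find_unechoed_runs(trace: List[Pkt], window: float = 0.2,
                       min_len: int = 3) -> List[Tuple[int, float]]:
    """Passive detector.  Returns (keystrokes, mean_gap_seconds) for every run
    of at least `min_len` client packets that received no echo: a likely
    password, its approximate length, and the inter-keystroke timing that
    can be used to narrow a brute-force search."""
    runs: List[Tuple[int, float]] = []
    cur: List[float] = []

    def flush() -> None:
        if len(cur) >= min_len:
            gaps = [b - a for a, b in zip(cur, cur[1:])]
            runs.append((len(cur), sum(gaps) / len(gaps)))
        cur.clear()

    for i, p in enumerate(trace):
        if not p.c2s:
            continue
        if _echoed(trace, i, window):
            flush()
        else:
            cur.append(p.t)
    flush()
    return runs


def add_fake_echoes(trace: List[Pkt], size: int = 28, delay: float = 0.04,
                    window: float = 0.2) -> List[Pkt]:
    """Model of the countermeasure (assumption: dummy server reply of echo size
    for every keystroke while echo is off), applied to the trace after the
    fact.  Password entry then looks like any other typing to the detector."""
    out: List[Pkt] = []
    for i, p in enumerate(trace):
        out.append(p)
        if p.c2s and not _echoed(trace, i, window):
            out.append(Pkt(p.t + delay, False, size))
    return sorted(out, key=lambda q: q.t)


def _keystrokes(t: float, n: int, echo: bool,
                gap: float = 0.15) -> Tuple[List[Pkt], float]:
    """n keystrokes `gap` seconds apart, each optionally echoed 40 ms later."""
    pkts: List[Pkt] = []
    for _ in range(n):
        t += gap
        pkts.append(Pkt(t, True, 28))              # one keystroke, one packet
        if echo:
            pkts.append(Pkt(t + 0.04, False, 28))  # the server's echo
    return pkts, t


def build_trace() -> List[Pkt]:
    """Constructed session: 'ls', then 'su' with a six-character root password."""
    trace: List[Pkt] = []
    ks, t = _keystrokes(0.0, 3, echo=True)         # "ls" + Enter
    trace += ks
    trace.append(Pkt(t + 0.30, False, 212))        # directory listing
    ks, t = _keystrokes(t + 1.0, 3, echo=True)     # "su" + Enter
    trace += ks
    trace.append(Pkt(t + 0.30, False, 44))         # "Password:" prompt
    ks, t = _keystrokes(t + 1.0, 7, echo=False)    # 6 password chars + Enter, no echo
    trace += ks
    trace.append(Pkt(t + 0.10, False, 36))         # root prompt once su succeeds
    return trace


if __name__ == "__main__":
    trace = build_trace()
    print("vulnerable:", find_unechoed_runs(trace))                   # one run of 6 keystrokes
    print("hardened:  ", find_unechoed_runs(add_fake_echoes(trace)))  # no runs
```

Note that the Enter ending the password is answered by the root prompt, so it counts as "echoed" and the run length equals the password length exactly; in a real capture the count is only approximate, which is still enough to prune a dictionary.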


Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways: as the 'Recommended & Security Patch clusters' (section 1 below) and as individual patches (section 2 below).

We analyze both reports, since changes in one are not always reflected in the other.

1. The latest Solaris 'Recommended & Security Patch clusters' are as follows:

Solaris 8          Mar/21/01:

108968-04 SunOS 5.8: vol/vold/rmmount patch
110387-03 SunOS 5.8: ufssnapshots support, ufsdump patch
108981-05 SunOS 5.8: /kernel/drv/hme and /kernel/drv/sparcv9/hme patch

Solaris 8_x86  Mar/21/01:

108976-04 SunOS 5.8_x86: /usr/bin/rmformat and /usr/sbin/format patch
108876-08 SunOS 5.8_x86: c2audit patch
110919-01 SunOS 5.8_x86: /kernel/drv/openeepr patch

Solaris 7          Mar/22/01:     

107709-10 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa/dmispd/snmp_trapsend
107180-26 CDE 1.3: dtlogin patch
110869-01 SunOS 5.7: useradd, usermod do not handle some expiration dates
106942-14 SunOS 5.7: libnsl, rpc.nisd and nis_cachemgr patch

Solaris 2.6        Mar/21/01:

105181-26 SunOS 5.6: Kernel update patch
105566-10 CDE 1.2: calendar manager patch
105703-25 CDE 1.2: dtlogin patch

Solaris 2.5.1     Mar/09/01: no changes.

 

2. New or updated individual security/recommended patches.

105181-25 SunOS 5.6: Kernel update patch
106415-03 OpenWindows 3.6: xdm patch
107618-01 SunOS 5.6: Permissions problem in /vol.

107259-01 SunOS 5.7: /usr/sbin/vold patch
107709-07 SunOS 5.7: libssasnmp/libssagent/snmpdx/mibiisa patch

108529-05 SunOS 5.8_x86: kernel update patch
109897-03 SunOS 5.8_x86: USB patch

Please tell us if you have suggestions or feedback on how we present this patch analysis.


News & Articles

 

SecurityPortal

Asymmetric Warfare and Computer Technology
Ronald L. Mendell
http://securityportal.com/articles/asymmetricwarfare20010313.html

Trendy name: 'asymmetric' means that the attacker expends far fewer resources than the victim spends defending himself.

 

Sun BigAdmin

http://www.sun.com/software/solaris/binaries/get.html
The Solaris CDs can now be downloaded (until now the CDs could only be bought, for $75).
As Sun say: Given the size of the download (800 Mbytes), we strongly recommend that this option be considered only by those with a fast connection (DSL, cable modem, or faster). All other customers should consider obtaining the Solaris media kit.

 

http://planetmirror.com/
A new, comprehensive download site for Linux, Sun, freeware, etc. for Asia/Australia.

 

Sun System Configuration Check Tool
http://www.sun.com/service/support/is/info.html

Sun System Configuration Check is an availability maintenance tool. It's completely web-based and self-administered. You can use it whenever and on whichever machine you need an exact snapshot report of critical system statistics, including disk, operating system, patch and single-point-of-failure data. Sun System Configuration Check is designed to help you prevent problems and troubleshoot faster and with greater accuracy.
Costs $150 for a single system. I've not tried it.

LinuxSecurity

Passive Analysis of SSH (Secure Shell) Traffic
Openwall Project
http://www.linuxsecurity.com/articles/projects_article-2700.html

SecurityFocus

Realistic Expectations for Intrusion Detection Systems
by Richard Wiens
http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/expect.html

The emergence of IDSs causes some security commentators to see them as a panacea, solving all of the complex and diverse threats to network security. However, as does any weapon in the security arsenal, an IDS has limited capabilities. To expect too much of an IDS places the user's network at risk. This article will discuss reasonable expectations of Intrusion Detection Systems (IDSs).

Daemonnews

SSH inventor denied trademark request
http://www.nwfusion.com/news/2001/0321ssh.html

..... As the Internet Engineering Task Force wraps up its work to standardize Secure Shell, Ylönen asked the group to change the protocol's acronym to Secsh or some other phrase to protect his company's trademarks and brand names. At a contentious meeting held here this week, the IETF's Secure Shell working group denied Ylönen's request, citing concerns that it would set a bad precedent for other trademark claims facing the standards-setting body......

Unix Insider

Six Unix OS flavors run the gamut
http://www.sunworld.com/unixinsideronline/swol-01-2001/swol-0119-flavors.html

 

The sound of silence: Ideas for achieving a quiet work environment
Rich Morin
http://www.sunworld.com/unixinsideronline/swol-03-2001/swol-0316-silicon.html


Mailing Lists

FOCUS-Sun Discussions Threads

Re: Sun's security patch process
http://www.securityfocus.com/archive/92/170194

This was a very interesting thread: first the severe shortcomings in Sun's bulletins and management of vulnerabilities/patches were noted by many, followed by promises from Sun to improve this in the future. Kudos to Sun for listening; let's hope that action follows the words...

Re: Solaris with MD5 crypted passwords ?
http://www.securityfocus.com/archive/92/170192

Re: Starting ssh-agent from dtlogin
http://www.securityfocus.com/archive/92/169003

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp beta 15 is still current.

Discussions this week: none.

See also http://www.yassp.org


Security Tools

Security tool news is now summarized in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html  

Updates to General free tools this week include MindTerm SSH, OpenSSH, The Coroner's Toolkit and TrustedBSD.

Auditing and Intrusion Monitoring tools include Snort attack scripts, NmapNT, WAP-Nmap, SAINT, NetSaint, LIDS, Chkrootkit, BigBrother, MergeLog, Samhain and 2 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include IPtables, IPfilter, IPtables Linux Firewall, Securepoint Firewall Server SB and 2 other tools.

Tools for Linux/Unix/Cross Platform include Bastille Linux, Squid, APG, NSA Security-enhanced Linux, Linux VPN, SILC, Libmcrypt, Saint Jude LKM and 4 other tools.

Tools for Windows include Winfingerprint.

OpenSSH 2.5.2

Security-related changes: Improved countermeasure against "Passive Analysis of SSH (Secure Shell) Traffic". The countermeasures introduced in earlier OpenSSH-2.5.x versions caused interoperability problems with some other implementations.
Improved countermeasure against "SSH protocol 1.5 session key recovery vulnerability".


Tip of the Week: logging interactive sessions

The 'script' tool can be used to log all activity in an interactive login session. The log captures everything shown on the terminal, control characters included (read it with 'cat -v' or 'col -b'), and is created with your current umask, so make sure other users cannot read it.

For example, to run a few commands and have them appended to /var/tmp/script.log:

% script -a /var/tmp/script.log
Script started, file is /var/tmp/script.log

# pwd
/secure
# df -k
Filesystem kbytes used avail capacity Mounted on
/proc 0 0 0 0% /proc
/dev/dsk/c0t2d0s0 2054233 1261038 731569 64% /
swap 204800 8 204792 1% /tmp

# exit
Script done, file is /var/tmp/script.log
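As an added example (this editor's own, not part of the digest and not a Sun tool), here is a small POSIX shell wrapper around the tip above. It creates the log file with mode 0600 before anything is written to it, stamps each session with a header, and falls back to plain output capture when there is no terminal (cron jobs, pipelines) instead of hanging in script(1). It assumes a script(1) that accepts '-a FILE' to append, as in the Solaris session above; the function names and header format are mine.

```shell
#!/bin/sh
# session_log LOGFILE [COMMAND [ARG...]]
#   no COMMAND : start an interactive script(1) session appended to LOGFILE
#   COMMAND    : run it, showing its output and appending it to LOGFILE
session_log() {
    log=$1
    shift
    # Create (or reuse) the file with owner-only permissions.  The umask
    # covers the creation race; chmod covers a pre-existing, wider file.
    ( umask 077 && : >> "$log" ) || return 1
    chmod 600 "$log" || return 1
    # Header: who started the session, when, and from which terminal.
    ttyname=$(tty 2>/dev/null) || ttyname=none
    printf '=== session start %s user=%s tty=%s ===\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(id -un)" "$ttyname" >> "$log"
    if [ $# -eq 0 ]; then
        # script(1) needs a terminal; refuse cleanly rather than hang.
        [ -t 0 ] || { echo "session_log: stdin is not a terminal" >&2; return 2; }
        script -a "$log"
        rc=$?
    else
        # Non-interactive use: show output and append it to the same log.
        "$@" 2>&1 | tee -a "$log"
        rc=$?    # status of tee; the command's own status is lost in the pipe
    fi
    printf '=== session end %s ===\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" >> "$log"
    return "$rc"
}

# log_is_private LOGFILE: succeed only if the file is readable by its owner alone.
log_is_private() {
    case $(ls -ld "$1" 2>/dev/null | cut -c1-10) in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}
```

Usage: 'session_log /var/tmp/script.log' for an interactive session, or 'session_log /var/tmp/script.log df -k' to record a single command. Check an existing log with 'log_is_private /var/tmp/script.log' before handing the machine to someone else.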

Notes

If you have tips you like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

Sign up to get this digest and many others by email.

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 23 March, 2001