Weekly Solaris Security Digest
2001/05/21 to 2001/05/27

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://securityportal.com/research/research.wss.html





New Solaris Vulnerabilities this Week

None.

Vulnerabilities this Week — Third-party Applications:

None.


Solaris vulnerabilities pending

Over the last few weeks, we reported on several Solaris vulnerabilities. Those which are not yet covered by Solaris patches are listed below. See previous digests for a more detailed analysis.

mailx buffer overflow
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
http://www.securityfocus.com/vdb/bottom.html?vid=2610  

Status: Local sgid 'mail' exploit. Sun were notified on 18th April and patches should be forthcoming.

Workaround: Disable sgid on 'mailx'. In my brief tests on Solaris 8 this showed no noticeable side effects: outgoing email can still be sent to remote servers and incoming email can still be read. There may, however, be locking problems with locally delivered email.

Xsun HOME buffer overflow vulnerability
http://www.eEye.com/html/Research/Advisories/solxsun.html
http://securityfocus.com/vdb/bottom.html?vid=2561

Status: Local SUID exploit.

Workaround: Remove the SUID permissions. Xsun should continue to work fine if it is run via dtlogin or xdm. Recent patches from Sun include 108376-22 (Solaris 7) and 108652-29 (Solaris 8), but there are no notes in the READMEs to indicate that they address this issue.

SNMP to DMI mapper daemon

Status: Remote exploit being actively abused, no patches yet (Sun bug id 4412996).

Workaround: Disable the DMI daemons. Based on reports to the CERT/CC, intruders are using the snmpXdmid vulnerability to compromise hosts and then install Carko, a minor variant of stacheldraht, a widely used DDoS tool.
http://www.kb.cert.org/vuls/id/CFCN-4UMQEC
http://www.cert.org/incident_notes/IN-2001-04.html
Recent patches from Sun include 108869-05 (Solaris 8), 108870-05 (Solaris 8 x86) and 107709 (Solaris 7), but it is unclear whether these solve this issue, as no reference is made to the above Sun bug ID. The README for Solaris 8 patch 108869-05, released on 9th May, indicated only a fix for:
"Bug id: 4404944 libssasnmp changes the syslog message format"


kcsSUNWIOsolf.so KCMS_PROFILES environment variable

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solsparc_kcssunwiosolf


kcms_configure vulnerability

Status: Local SUID exploit of command line options, no patches yet.

Workaround: Disable SUID, side effects are minimal.
http://www.eeye.com/html/Research/Advisories/AD20010409.html


CDE dtsession LANG environment variable

Status: Local SUID exploit, no patches yet.

Workaround: On servers that do not require a GUI, the SUID bit can be removed. On a new Solaris 2.8 workstation I removed the SUID bit and the CDE desktop continued to function; however, the screen-saver will no longer work, since it needs to read /etc/shadow (unless you use PAM for authentication).
http://www.securityfocus.com/vdb/bottom.html?vid=2603
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
http://lsd-pl.net/files/get?SOLARIS/solx86_dtsession


ftpd #1 globbing buffer overflows

Status: Apparently it is not so easy to exploit, but the ftp daemon can be crashed and a core file created, which may contain /etc/shadow. It is therefore less serious than originally reported.

Workaround: Watch your ftp servers carefully for core dumps, consider restricting access by IP address.
http://www.kb.cert.org/vuls/id/SVHN-4VN6DT
http://securityfocus.com/vdb/bottom.html?vid=2601


ftpd #2 CWD Username Enumeration

Status: Remote exploit, low impact (allows an attacker to recognize valid usernames).

Workaround: Watch your ftp servers carefully.
http://archives.neohapsis.com/archives/bugtraq/2001-04/0181.html
http://securityfocus.com/vdb/bottom.html?vid=2564


NTP buffer overflow

Status: Serious remote exploit, no patches yet.

Workaround: Watch your NTP servers carefully and restrict access by IP address. One contract customer reports that an "emergency fix" can be obtained from Sun.
http://securityfocus.com/vdb/bottom.html?vid=2540


ipcs Timezone buffer overflow vulnerability

Status: Local SUID exploit, no patches yet.

Workaround: Disable SUID, minimal side effects.
http://www.eEye.com/html/Research/Advisories/solipcs.html
http://securityfocus.com/vdb/bottom.html?vid=2581
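Several of the workarounds above amount to the same step: take the set-uid (or, for mailx, set-gid) bit off a binary until Sun ships a patch. The script below is an added example, not from the digest or from Sun, showing how to do that in a way that records what was changed so the bits can be put back later. The binary paths in DIGEST_SETID_BINARIES and the log path are assumptions (usual Solaris 8 locations); check them with ls -l on your own system before applying.

```shell
#!/bin/sh
# Added example (not from the digest or from Sun): remove the set-uid/set-gid
# bit from a binary as a temporary workaround, recording the previous state so
# the bit can be restored once a patch ships. Paths in the list below are the
# usual Solaris 8 locations and are an assumption; check them with ls -l first.

# Where the original set-id state is recorded (hypothetical log path).
SETID_LOG="${SETID_LOG:-/var/adm/setid-removed.log}"

# Print which set-id bits a file carries: "u" (set-uid), "g" (set-gid), "ug",
# or nothing. Reads the mode string from ls -l, which is portable across
# Solaris, Linux and BSD (column 4 is the set-uid flag, column 7 set-gid).
setid_bits() {
    perms=$(ls -ld "$1" | cut -c1-10)
    bits=""
    case "$perms" in ???[sS]*) bits="${bits}u" ;; esac
    case "$perms" in ??????[sS]*) bits="${bits}g" ;; esac
    printf '%s' "$bits"
}

# Strip set-uid and set-gid from one regular file. Idempotent: a file that
# already has neither bit is reported and left alone. Returns 1 if the file
# does not exist, so a wrong path in the list is noticed rather than ignored.
drop_setid() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "skip: $f not found" >&2
        return 1
    fi
    before=$(setid_bits "$f")
    if [ -z "$before" ]; then
        echo "ok:   $f has no set-id bits"
        return 0
    fi
    # One line per change: "<bits> <path>", enough to undo with chmod u+s / g+s.
    printf '%s %s\n' "$before" "$f" >> "$SETID_LOG"
    chmod u-s,g-s "$f"
    echo "done: $f (removed set-id bits: $before)"
}

# Binaries named in the workarounds above (assumed Solaris 8 paths).
DIGEST_SETID_BINARIES="/usr/bin/mailx /usr/openwin/bin/Xsun /usr/openwin/bin/kcms_configure /usr/dt/bin/dtsession /usr/bin/ipcs"

# Apply the workaround to every listed binary, continuing past missing ones.
apply_digest_workarounds() {
    rc=0
    for b in $DIGEST_SETID_BINARIES; do
        drop_setid "$b" || rc=1
    done
    return $rc
}

# Only act when explicitly asked:  sh setid-workaround.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_digest_workarounds
fi
```

The log is the important part: once the relevant patch is installed and its README confirms the fix, the recorded lines tell you exactly which bits to restore, and a binary that has unexpectedly regained its set-id bit (for example after a patch or package reinstall) shows up when setid_bits is run again.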




Patches

In this section we aim to inform you of new patches published by Sun. Patches are published (on ftp://sunsolve.sun.com/pub/patches) in two ways:

  1. As a recommended cluster of patches that can be installed in one go and used to bring a system up to date quickly. A report for each cluster is available. We compare it with the report from the previous week.
     
  2. Individual patches to fix specific problems. A patch report lists all patches and their versions. We compare the patches in the recommended and security sections of this report with the report published the previous week.

We analyze both reports since changes in one are not always reflected in the other.
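As an added example of the week-to-week comparison described above (not a tool from the digest or from Sun), the script below takes last week's and this week's patch report and lists the patch IDs that are new or whose revision has gone up. It assumes the report is one patch per line with the ID ("base-rev", e.g. 108869-05) as the first field; the sample entries in the demo are constructed, with the descriptions and the -04 revision made up for illustration.

```shell
#!/bin/sh
# Added example (not from the digest): compare two weekly Solaris patch reports
# and list the patch IDs that are new or have a higher revision than last week.
# A Sun patch ID is "<base>-<rev>", e.g. 108869-05; the same base with a higher
# rev supersedes the older one. The report format assumed here is one patch per
# line, ID first, description after (whitespace separated).

# Usage: patch_changes LAST_WEEK.txt THIS_WEEK.txt
# Prints "NEW <id>" for a base id absent last week and
# "UPDATED <old-id> -> <new-id>" for a base id whose revision increased.
patch_changes() {
    awk '
        # Lines from the first file: remember last week revision per base id.
        FILENAME == ARGV[1] {
            if (split($1, p, "-") == 2) prev[p[1]] = p[2]
            next
        }
        # Lines from the second file: report additions and revision bumps.
        {
            if (split($1, p, "-") != 2) next      # skip headers or blank lines
            if (!(p[1] in prev))
                print "NEW     " $1
            else if (prev[p[1]] + 0 < p[2] + 0)
                print "UPDATED " p[1] "-" prev[p[1]] " -> " $1
        }' "$1" "$2"
}

# Demo with two constructed sample reports (IDs taken from this digest; the
# -04 revision and the descriptions are made up for illustration).
demo_patch_changes() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Patch ID   Synopsis' \
        '108869-04  constructed sample entry' \
        '108376-22  constructed sample entry' > "$d/last_week.txt"
    printf '%s\n' 'Patch ID   Synopsis' \
        '108869-05  constructed sample entry' \
        '108376-22  constructed sample entry' \
        '108870-05  constructed sample entry' > "$d/this_week.txt"
    patch_changes "$d/last_week.txt" "$d/this_week.txt"
    rm -rf "$d"
}
```

Patches that were withdrawn or whose revision went down are deliberately not reported; if you want those too, add a third branch for prev[p[1]] > p[2] and a pass over last week's IDs missing from this week's file.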

1. The latest Solaris "Recommended & Security Patch clusters" are as follows:

Solaris 2.5.1, May/16/01:

Solaris 2.6, May/23/01:

Solaris 7, May/23/01:    

Solaris 8, May/23/01:

Solaris 8_x86, May/23/01:

2. New or updated individual security/recommended patches.



News & Articles

LinuxSecurity


CERT

Solaris Guide


Sun

UNIX Insider

O'Reilly Network

 BSD Today

CIS


Mailing Lists

Focus-Sun Discussions Threads


YASSP (the Solaris Hardening Tool) Developers' List Discussions

YASSP beta 15 is still current. See also http://www.yassp.org .

Discussions this week:


Security Tools

Security tool news is summarized in the Weekly Security Tools Digest.
http://securityportal.com/topnews/weekly/tools.html

Updates to General free tools this week include Mod_ssl, OpenLDAP and Apache.
Auditing and Intrusion Monitoring tools include SnortSnarf, LIDS, BigBrother and John the Ripper.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, FloppyFw, netfilter and rTables Linux Firewall.
Tools for Linux/Unix/Cross Platform include AES Encryption for Shell Script, Ethereal, SILC, Samhain, FreeVSD and 3 other tools.
Tools for Windows include RATS.

Apache 1.3.20: This version of Apache is principally a security fix release which closes a problem under the Windows and OS2 ports that would segfault the server in response to a carefully constructed URL. It also fixes some potential configuration quirks present in the 1.3.19 release.


Tip of the Week: Solaris Fingerprinting

Sun has just announced a very interesting service:

I like to use tripwire to verify file integrity on critical Solaris systems, but tripwire does have its limits. For instance, if you have never run tripwire on a system, there is obviously little tripwire can do to detect changes. The Sun method, however, can detect changes on a system that has never had an integrity checking tool installed! Nice.

To try it out, run md5 on a Solaris binary of your choice and paste the result into the appropriate field on http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl. If you paste more than one entry, make sure they are cleanly separated by newlines. For example, pasting:

Accompanying tools: Sun provide a few tools to help with automating the fingerprint checking, which can be downloaded from http://www.sun.com/blueprints/tools/fingerprint_license.html .
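The following is an added example (not from the digest and not one of Sun's BluePrints fingerprint tools) of the two halves of this check: producing MD5 fingerprints one per line, as the tip asks, and then comparing a set of binaries against a list of fingerprints you have already confirmed as genuine. The reference list format ("hash path" per line) and the demo files are constructed for illustration; the md5_of wrapper only assumes that one of md5sum, a BSD-style md5 or openssl is on the system.

```shell
#!/bin/sh
# Added example (not from the digest or from Sun's BluePrints tools): produce
# MD5 fingerprints of Solaris binaries, one "hash path" line each, in the clean
# newline-separated form the tip asks for, and compare them against a local
# reference list. The reference list here is constructed for illustration; on a
# real system it would hold the fingerprints Sun's lookup confirmed as genuine.

# Print the bare 32-hex-digit MD5 of a file, whichever md5 tool the host has:
# GNU md5sum ("hash  file"), BSD-style md5 ("MD5 (file) = hash") or openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | sed 's/.*= *//'
    else
        openssl md5 "$1" | sed 's/.*= *//'
    fi
}

# Emit "hash path" for each existing file given, one per line.
fingerprint_list() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(md5_of "$f")" "$f"
    done
}

# Compare the files given against REF, a file of "hash path" lines.
# Prints MATCH, MISMATCH or UNKNOWN (path not in REF) per file.
# Paths containing spaces are not supported by this simple line format.
check_against_reference() {
    ref="$1"; shift
    fingerprint_list "$@" | while read -r hash path; do
        expected=$(awk -v p="$path" '$2 == p { print $1; exit }' "$ref")
        if [ -z "$expected" ]; then
            echo "UNKNOWN  $path"
        elif [ "$expected" = "$hash" ]; then
            echo "MATCH    $path"
        else
            echo "MISMATCH $path (have $hash, expected $expected)"
        fi
    done
}

# Number of MISMATCH lines, usable as an alert condition in a cron job.
count_mismatches() {
    check_against_reference "$@" | grep -c '^MISMATCH' || true
}

# Demo on constructed files: "a" is unchanged, "b" has been altered since the
# reference was taken, "c" is not in the reference at all.
demo_fingerprint_check() {
    d=$(mktemp -d) || return 1
    printf 'hello\n' > "$d/a"
    printf 'hello\n' > "$d/b"
    printf 'other\n' > "$d/c"
    printf '%s %s\n' "$(md5_of "$d/a")" "$d/a" > "$d/ref.txt"
    printf '%s %s\n' "$(md5_of "$d/b")" "$d/b" >> "$d/ref.txt"
    printf 'tampered\n' >> "$d/b"      # simulate a modified binary
    check_against_reference "$d/ref.txt" "$d/a" "$d/b" "$d/c"
    rm -rf "$d"
}
```

Running fingerprint_list over, say, /usr/bin/* gives exactly the newline-separated list the web form wants; the UNKNOWN result is worth keeping rather than folding into MISMATCH, because a file that is in neither your reference nor Sun's database is the case that deserves a manual look.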

A new notes

 

If you have tips you'd like to share with others, contact us.


References and Resources

All weekly digests are archived at:
securityportal.com/research/research.digestarchives.html

A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

