NASIRC BULLETIN #93-04 October 21, 1993
SUNOS AND SOLARIS SECURITY VULNERABILITIES
(/usr/lib/sendmail, /bin/tar, and /dev/audio)
===========================================================================
NASA Automated Systems Incident Response Capability
===========================================================================
NASIRC has learned about three security vulnerabilities associated with
SunOS versions 4.1.x and 5.x: one in sendmail and one in the workstation
microphone (audio devices) under SunOS 4.1.x and 5.x, and one in tar under
SunOS 5.x.
1. SunOS 4.1.x and 5.x Sendmail. This security vulnerability may allow
remote users to access system files using sendmail on SunOS 4.1.x and
SunOS 5.x (Solaris 2.x). Successful exploitation of this vulnerability
could result in unauthorized access to system files.
The /usr/lib/sendmail utility under SunOS 4.1.x and SunOS 5.x permits
unauthorized access to some system files by remote users. This access may
allow compromise of the system. Note that this vulnerability is being
actively exploited. NASIRC strongly recommends that sites take immediate
corrective action.
Sun Microsystems has released patched versions of the sendmail program for
all affected versions of SunOS:
                                                  BSD         SVR4
System       Patch ID   Filename          Checksum    Checksum
-----------  ---------  ---------------   ----------  ----------
SunOS 4.1.x  100377-07  100377-07.tar.Z   36122 586   11735 1171
SunOS 5.1    100840-03  100840-03.tar.Z   01153 194   39753 388
SunOS 5.2    101077-03  101077-03.tar.Z   49343 177   63311 353
The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).
Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are
also available without a support contract via anonymous FTP from
ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.
------------------
2. The security vulnerability in tar under SunOS 5.x pertains to archives
created with the tar utility containing extraneous user information. This
could result in user and system information being unintentionally disclosed.
Archive files created with the /bin/tar utility under SunOS 5.x contain
extraneous user information from the /etc/passwd and /etc/group files.
Note that the extraneous data does not include user passwords; however,
system configuration and user information may be unintentionally disclosed
should the archive files be distributed.
Sun Microsystems has released patched versions of the tar utility for all
affected versions of SunOS. The patched tar utility produces archive
files in the same format as all other versions, but with the extraneous
data set to zero. Restoring an existing archive file to disk, and then
creating a new archive with the patched tar, will result in a clean archive
file with no extraneous data.
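The property the patched tar guarantees, zeroed slack in the archive, can be checked on an existing archive before it is distributed. The following is an added example, not code from the bulletin or from Sun: it walks the 512-byte ustar headers and reports any non-zero bytes after the terminating NUL of a string field. It assumes the leftover data lands in header field slack, and it builds its own constructed sample archive (with a fake passwd-style fragment planted in the uname field) rather than using a real Solaris archive.

```python
import io
import tarfile

BLOCK = 512
# NUL-terminated string fields of a ustar header: (field, offset, length)
STRING_FIELDS = (("name", 0, 100), ("linkname", 157, 100), ("uname", 265, 32),
                 ("gname", 297, 32), ("prefix", 345, 155))

def field_slack(header, off, length):
    """Bytes after the first NUL of a string field; all zero in a clean archive."""
    field = header[off:off + length]
    end = field.find(b"\0")
    return b"" if end < 0 else field[end + 1:]

def scan_archive(data):
    """Walk the archive's headers; return (member, field, leftover bytes) for
    every string field whose slack is not all zeros."""
    findings, pos = [], 0
    while pos + BLOCK <= len(data):
        hdr = data[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:              # end-of-archive marker
            break
        member = hdr[0:100].split(b"\0", 1)[0].decode("ascii", "replace")
        for fname, off, length in STRING_FIELDS:
            slack = field_slack(hdr, off, length)
            if slack.strip(b"\0"):
                findings.append((member, fname, slack.rstrip(b"\0")))
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        pos += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK  # header + data
    return findings

def make_sample(poison=True):
    """Constructed one-member ustar archive. With poison=True the uname field
    carries fake passwd-style bytes after its NUL, mimicking the unpatched tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("motd")
        info.size, info.uname, info.gname = 5, "root", "sys"
        tf.addfile(info, io.BytesIO(b"hello"))
    data = bytearray(buf.getvalue())
    if poison:
        leak = b"root:x:0:1:Super-User:/:"    # constructed, not a real passwd line
        data[270:270 + len(leak)] = leak      # uname = "root\0" + leftover bytes
        hdr = data[0:BLOCK]
        hdr[148:156] = b" " * 8               # recompute the ustar header checksum
        hdr[148:156] = b"%06o\0 " % sum(hdr)
        data[0:BLOCK] = hdr
    return bytes(data)

if __name__ == "__main__":
    for member, field, leaked in scan_archive(make_sample()):
        print(f"{member}: {field} field carries {leaked!r}")
```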
                                                BSD         SVR4
System       Patch ID   Filename          Checksum    Checksum
-----------  ---------  ---------------   ----------  ----------
SunOS 5.1    100975-02  100975-02.tar.Z   37034 374   13460 747
SunOS 5.2    101301-01  101301-01.tar.Z   22089 390   4703 779
The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).
Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are
also available without a support contract via anonymous FTP from
ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.
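Both patch tables above (sendmail and tar) list a BSD-style and an SVR4-style sum, and a downloaded archive should match both before it is installed. The following is an added example, not code from the bulletin or from Sun: it reimplements the two classic sum algorithms (16-bit rotate-and-add over 1K blocks, and the 32-bit total folded to 16 bits over 512-byte blocks, the same algorithms GNU coreutils exposes as sum -r and sum -s) and compares a file against the values copied from the tables.

```python
import sys

def bsd_sum(data):
    """BSD sum (SunOS 4.1.x /bin/sum, Solaris /usr/ucb/sum): rotate the 16-bit
    checksum right by one bit, then add each byte; blocks are 1024 bytes."""
    ck = 0
    for b in data:
        ck = ((ck >> 1) | ((ck & 1) << 15)) + b
        ck &= 0xFFFF
    return ck, (len(data) + 1023) // 1024

def sysv_sum(data):
    """SVR4 sum (Solaris /usr/bin/sum): 32-bit byte total folded into 16 bits
    with end-around carry; blocks are 512 bytes."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    ck = (folded & 0xFFFF) + (folded >> 16)
    return ck, (len(data) + 511) // 512

# Expected values copied from the bulletin's patch tables:
# filename -> ((BSD checksum, BSD blocks), (SVR4 checksum, SVR4 blocks))
EXPECTED = {
    "100377-07.tar.Z": ((36122, 586), (11735, 1171)),
    "100840-03.tar.Z": ((1153, 194), (39753, 388)),
    "101077-03.tar.Z": ((49343, 177), (63311, 353)),
    "100975-02.tar.Z": ((37034, 374), (13460, 747)),
    "101301-01.tar.Z": ((22089, 390), (4703, 779)),
}

def verify_patch(filename, data, expected=EXPECTED):
    """Compare an archive's contents against both listed sums.
    Returns {'bsd': bool, 'svr4': bool}; install only if both are True."""
    bsd_exp, svr4_exp = expected[filename]
    return {"bsd": bsd_sum(data) == bsd_exp, "svr4": sysv_sum(data) == svr4_exp}

if __name__ == "__main__":
    # usage: verify.py 100377-07.tar.Z /path/to/downloaded/100377-07.tar.Z
    name, path = sys.argv[1], sys.argv[2]
    with open(path, "rb") as f:
        print(name, verify_patch(name, f.read()))
```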
------------------
3. The security vulnerability with Sun microphones pertains to the
potential use of these microphones for eavesdropping.
Sun Microsystems has released information regarding the potential for
microphones attached to Sun workstations to be used to eavesdrop on
conversations near the computer. Software solutions to reduce the risk
are described below. Note, however, that NASIRC strongly recommends
microphones on systems in sensitive areas be either physically switched
off or disconnected from the system.
The initial permissions for the audio data device, /dev/audio, allow any
user with an account on the system to listen with the microphone when it
is turned on. Also, the permissions for the audio control device,
/dev/audioctl, allow anyone to vary playback and record settings such as
volume.
Unauthorized use of the system's audio devices may be prevented by
changing the permissions and ownership of /dev/audio and /dev/audioctl.
On SunOS 4.x systems, the /etc/fbtab file may be used to automatically
control access to the audio devices. As root, add the following lines to
the end of the file:
/dev/console 0600 /dev/audio
/dev/console 0600 /dev/audioctl
On SunOS 5.x (Solaris 2.x) systems, the file permissions must be manually
changed. As root, execute the following commands, specifying the username
of the individual that should have access to the microphone:
# chmod 600 /dev/audio*
# chown <desired username> /dev/audio*
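A site can confirm that the two settings above have actually been applied, on both SunOS 4.x (via /etc/fbtab) and SunOS 5.x (via the device nodes). The following is an added example, not code from the bulletin or from Sun: it audits the audio device nodes for group/other permission bits and for an unexpected owner, and checks that an /etc/fbtab text covers both devices with a /dev/console 0600 entry (the colon-separated device list form of fbtab is assumed alongside the one-device-per-line form shown above).

```python
import os
import stat

AUDIO_DEVICES = ("/dev/audio", "/dev/audioctl")

def check_device_mode(path, st_mode, st_uid, allowed_uid):
    """Problems with one device node's permissions, given its stat fields.
    The bulletin's fix is mode 0600 owned by the one user allowed to record."""
    problems = []
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: group/other bits set (mode %04o)"
                        % (path, stat.S_IMODE(st_mode)))
    if st_uid != allowed_uid:
        problems.append("%s: owned by uid %d, expected %d" % (path, st_uid, allowed_uid))
    return problems

def audit_devices(paths, allowed_uid):
    """Stat each device node that exists and collect its permission problems."""
    problems = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue                      # no such device node on this host
        problems += check_device_mode(path, st.st_mode, st.st_uid, allowed_uid)
    return problems

def check_fbtab(fbtab_text):
    """SunOS 4.x /etc/fbtab lines: 'console-device mode device[:device...]'.
    Return the audio devices not covered by a /dev/console 0600 entry."""
    covered = set()
    for line in fbtab_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) != 3:
            continue
        console, mode, devices = parts
        if console == "/dev/console" and mode == "0600":
            covered.update(devices.split(":"))
    return [dev for dev in AUDIO_DEVICES if dev not in covered]

if __name__ == "__main__":
    for problem in audit_devices(AUDIO_DEVICES, os.getuid()):
        print(problem)
```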
------------------
NASIRC ACKNOWLEDGES: Sun Microsystems, CIAC, and CERT for their reporting,
handling and coordination of the solution to this problem.
Security checklists, toolkits and guidance are available from the
NASIRC online archives. Contact the NASIRC Helpdesk for more
information and assistance with toolkits or security measures.
==================================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-306-1010
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:5460866
==================================================================
This bulletin may be forwarded without restrictions to sites
and system administrators within the NASA community.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams in handling
computer-security-related issues.
A list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line: send first-contacts.