[58] in Intrusion Detection Systems
Sun Security Bulletin #130
daemon@ATHENA.MIT.EDU (Frank Swift at Home)
Wed Apr 5 16:17:01 1995
Date: Wed, 5 Apr 1995 06:05:31 -0700
To: ids@uow.edu.au
From: uncl@llnl.gov (Frank Swift at Home)
Reply-To: ids@uow.edu.au
Date: Tue, 4 Apr 1995 23:39:31 -0700
From: Mark.Graff@Eng.Sun.COM ( Mark Graff )
To: cws@liberty.Eng.Sun.COM
Subject: Sun Security Bulletin #130
Precedence: junk
Reply-To: security-alert@Sun.COM
X-Sun-Charset: US-ASCII
o 102034-01: [README] SunOS 5.3: portmapper security hole (62029 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102167-01: [README] SunOS 5.3: dns fix (55095 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 101513-06: [README] * OpenWindows 3.3: Security loophole cm with access list and permissions (1590849 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 101889-03: [README] OpenWindows 3.3: filemgr forked executable ff.core has a security hole. (62231 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solaris 2.4
===========
Security patches
++++++++++++++++
o 101981-02: [not avail] [README] SunOS 5.4: SECURITY: login & security fixes (112925 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102044-01: [README] SunOS 5.4: bug in mouse code makes "break root" attack possible (118585 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102066-04: [README] SunOS 5.4: sendmail bug fixes (218829 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102070-01: [README] SunOS 5.4: Bugfix for rpcbind/portmapper (65827 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102216-01: [README] SunOS 5.4: NFS client starts using unreserved UDP port numbers (112925 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102336-01: [README] * SunOS 5.4: POINT PATCH: 1091205 - Password aging & NIS+ don't work (62331 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102922-01: [README] * SunOS 5.4: inetd fix (60357 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solaris 2.4_x86
===============
Security patches
++++++++++++++++
o 101946-12: [README] SunOS 5.4_x86: jumbo patch for kernel (2203251 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 101982-02: [README] SunOS 5.4_x86: login & security fixes (1138395 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102064-04: [README] SunOS 5.4_x86: sendmail bug fixes (191493 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102071-01: [README] SunOS 5.4_x86: Bugfix for rpcbind/portmapper (61813 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
o 102217-01: [README] SunOS 5.4_x86: NFS client starts using unreserved UDP port numbers (99433 bytes)
o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
III. Set of recommended procedures
........................................................................
Improving security on your Sun workstation
4 April 1995
........................................................................
This document is intended as a "cookbook" for improving security on
Sun workstations.
In addition to following the steps below, you should consult the following
CERT documents for guidance on improving the security of your systems:
ftp://info.cert.org/tech_tips/security_info
ftp://info.cert.org/tech_tips/anonymous_ftp
ftp://info.cert.org/tech_tips/packet_filtering
Notes on this document:
SunOS versions 4.x will be referenced as "4.x", Solaris versions 2.x
will be referenced as "5.x" in this document.
........................................................................
a. Security patches
Install all applicable security patches for the OS you are running.
It is important to keep up with the security patches. The patches
change over time. Keep your internet machines up to date. SunSolve
Online provides an easy way of doing this: select the appropriate
patches, and add them to your "notify" list. You will be notified
any time the patches are revised.
b. Single user boot security
Set up servers to ensure a password must be given upon single user
boot. Additionally, remote login as root should be disabled.
Root logins can still be accomplished, but users must first login
as a user and then su to root. This is done for logging and
accountability purposes.
SunOS:
Remove all of the "secure" keywords from all /etc/ttytab entries.
Solaris:
Include the line "CONSOLE=/dev/console" in /etc/default/login
file.
c. Trust
Servers should not trust any other server or host, including dump
servers. "Trust" is defined as trusted network access via the files:
/.rhosts, /etc/hosts.equiv and ~/.rhosts
If servers must trust others, trust should be given to a user as well
as a host. The /.rhosts, /etc/hosts.equiv and ~/.rhosts file should
contain two entries per line, one entry for the host and an additional
entry for the particular user that is to be trusted from the host.
Example:
Trust user bgp from host umnp1
umnp1 bgp
d. Root's Path
Root's path should be restricted. The root user should not include
the current directory in the search path. Root's .cshrc, .login or
.profile files should not contain the current directory in the
execute path for commands. remove any "." or ":.:" entry from /.cshrc,
/.profile and /.login files.
e. NIS
Master slave servers should not use NIS for password information.
Additionally, under SunOS, NIS clients should contain strings which
specify the server in their /etc/password file of the form
"+servername" as opposed to the default of "+::-:0:". Under 5.x, NIS
clients should bind using a list of servers (see ypinit -c) as
opposed to using a broadcast to find a server.
f. Aliases
Remove the "decode" alias in /etc/aliases. The file permissions for
/etc/aliases should be 0644 and owned by root.
g. Login accounting file permissions
The /etc/utmp file should not be world writable.
chmod 644 /etc/utmp
h. Turn off all unnecessary RPC services
Comment out the rpc services that aren't needed in the
/etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file.
In particular, disable the following services: rexd, fingerd, systat,
netstat, rusersd, sprayd, and *uucpd.
Make sure to restart inetd once the changes are made:
5.x:
# ps -ef | grep inetd
4.x:
# ps -auxww | grep inetd
both:
root 121 1 80 Mar 22 ? 2:52 /usr/sbin/inetd -s
# kill -HUP 121
i. TFTPD
Disable tftpd. If it must be running, configure it to run within
a particular directory by specifing the "-s /tftpboot" in the
/etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file (5.x).
4.x:
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot
5.x:
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
j. Passwords
All local and NIS passwords should have a password. The *uucp, bin,
audit, sys, ftp, nobody, daemon, news and sync accounts should be
disabled by adding a "*" in the password field (4.x) or a "NP" in
the /etc/shadow file password field (5.x).
The login shell should be set to /bin/false for all the specified
accounts as well. The uucp accounts (if any) should have the shell
set to /usr/lib/uucp/uucico.
k. UID restrictions
No accounts other than root should have the user id (UID) of 0.
l. NFS Export restrictions
NFS exports should be restricted to particular hosts, and no exports
should be writable.
For example, in 4.x the /etc/exports file could contain:
/home -access=upk1,ro
or for 5.x the /etc/dfs/dfstab file could contain:
share -F nfs -o ro=upk1 /home
m. NFS mount restrictions
NFS mount file systems with the "nosuid" options if at all:
4.x:
mount -o nosuid,bg big1:/home /bighome
5.x:
mount -F nfs -o nosuid,bg big1:/home /bighome
n. NIS configuration
If the server is an NIS master server, it should be configured not to
include the password maps, or at least not include the actual
encrypted password information. Additionally, yppasswdd should be
turned off on the NIS server since NIS clients will not need to
change the NIS password information.
o. EEPROM Security
The eeprom on the server should be set to require a password before
being booted from CD or tape from the prom monitor:
eeprom secure=command
p. IP Spoofing
Many of the above attacks can be combined with IP spoofing
to allow false IP authentication to occur. Configure firewall
routers to prevent externally initiated connections, as
described in the recent CERT bulletin (CA-95:01).
q. Passwords
If you ftp or telnet or rlogin across an insecure network,
your password has traveled cleartext across networks which
might be traced by sniffers. Change your password as soon as
possible.
r. Security Checks
Perform regular security checks of the system (weekly at least).
APPENDICES
A. How to obtain Sun security patches
1. If you have a support contract
Customers with Sun support contracts can obtain the patches listed
here--and all other Sun security patches--from:
- Local Sun answer centers, worldwide
- SunSolve Online, and SunSITEs worldwide
The patches are available via World Wide Web at http://sunsolve1.sun.com.
You should also contact your answer center if you have a support
contract and:
- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready
2. If you do not have a support contract
Sun also makes its security patches available to customers who do
not have a support contract, via anonymous ftp:
- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net
In some cases patches will appear on the European site a day or
two after a bulletin is released.
Sun does not furnish patches to any external distribution sites
other than the ones mentioned here.
3. About the checksums
Patches announced in a Sun security bulletin are uploaded to the
ftp.*.net sites just before the bulletin is released, and seldom
updated. In contrast, the "supported" patch databases are
refreshed nightly, and will often contain newer versions of a patch
incorporating changes which are not security-related.
So that you can quickly verify the integrity of the patch files
themselves, we supply checksums for the tar archives in each
bulletin. The listed checksums should always match those on the
ftp.*.net systems. (The rare exceptions are listed in the
"checksums" file there.)
Normally, the listed checksums will also match the patches on the
SunSolve database. However, this will not be true if we have
changed (as we sometimes do) the README file in the patch after the
bulletin has been released.
In the future we plan to provide checksum information for the
individual components of a patch as well as the compressed archive
file. This will allow customers to determine, if need be, which
file(s) have been changed since we issued the bulletin containing
the checksums.
If you would like assistance in verifying the integrity of a patch
file please contact this office or your local answer center.
B. How to report or inquire about Sun security problems
If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue Mountain
View, CA 94043-1100
Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM
We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.
C. How to obtain Sun security bulletins
1. Subscription information
Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.
To subscribe to this bulletin series, send mail to the address
"security-alert@Sun.COM" with the subject "subscribe CWS
your-mail-address" and a message body containing affiliation and
contact information. To request that your name be removed from the
mailing list, send mail to the same address with the subject
"unsubscribe CWS your-mail-address". Do not include other requests
or reports in a subscription message.
Due to the volume of subscription requests we receive, we cannot
guarantee to acknowledge requests. Please contact this office if
you wish to verify that your subscription request was received, or
if you would like your bulletin delivered via postal mail or fax.
2. Obtaining old bulletins
Sun Security Bulletins are archived on ftp.uu.net (in the same
directory as the patches) and on SunSolve. Please try these
sources first before contacting this office for old bulletins.
------------
