[59] in Intrusion Detection Systems


Sun Security Bulletin #130

daemon@ATHENA.MIT.EDU (Frank Swift at Home)
Wed Apr 5 16:42:26 1995

Date: Wed, 5 Apr 1995 06:04:04 -0700
To: ids@uow.edu.au
From: uncl@llnl.gov (Frank Swift at Home)
Reply-To: ids@uow.edu.au

Date: Tue, 4 Apr 1995 23:39:31 -0700
From: Mark.Graff@Eng.Sun.COM ( Mark Graff )
To: cws@liberty.Eng.Sun.COM
Subject: Sun Security Bulletin #130
Precedence: junk
Reply-To: security-alert@Sun.COM
X-Sun-Charset: US-ASCII


-----------------------------------------------------------------------------
         SUN MICROSYSTEMS SECURITY BULLETIN: #00130, 4 April 1995
-----------------------------------------------------------------------------


BULLETIN TOPICS


In this bulletin Sun discusses the potential impact of the release of
"SATAN", a public domain software package which probes UNIX systems for
security holes.  We also include here a list of available security
patches for each supported SUNOS release, and a set of procedures we
recommend to help protect Sun systems against external attack.

SATAN is expected to be released at 8:00am EST tomorrow, 5 April 1995.

This package is the same one discussed in the recent CERT bulletin
CA-95:06.

    
I.   Discussion of SATAN's potential impact on customer systems.

II.  List of currently available Sun security patches.

III. Set of recommended security procedures.


APPENDICES

A.  How to obtain Sun security patches

B.  How to report or inquire about Sun security problems

C.  How to obtain Sun security bulletins




          /\         Send Replies or Inquiries To:
         \\ \        
        \ \\ /       Mark Graff
       / \/ / /      Sun Security Coordinator
      / /   \//\     MS MPK3
      \//\   / /     2550 Garcia Avenue
       / / /\ /      Mountain View, CA 94043-1100
        / \\ \       Phone: 415-688-9081
         \ \\        Fax:   415-688-9764
          \/         E-mail: security-alert@Sun.COM
 
                                -----------

Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.


I.  Discussion of SATAN's potential impact

    Many people have asked for our evaluation of the package.  What can
    it do?  How will it be used?  What steps, if any, should
    administrators of Sun systems take in reaction to the software's
    release?  Our answers here are based on our study of a pre-release
    version made available to UNIX vendors last month.

    A. What can it do?

    SATAN provides a new and easy way to test UNIX systems for the
    presence of several well-known security holes.  None of the
    problems probed for are new.  Each one (in the version we have
    seen) has already been discussed in previous CERT and Sun bulletins
    and each can be countered either by installing the appropriate
    patch or fixing a system configuration flaw.  SATAN does not
    introduce a distinct new threat to UNIX systems.


    B. How will it be used?

    Its authors, free-lance programmers Dan Farmer of the U.S. and
    Wietse Venema of the Netherlands, intend SATAN as a protective tool
    for system and network administrators.  Its simple point-and-click
    interface and broad distribution, however, make it likely that
    SATAN will also be used to locate vulnerable systems for malicious
    reasons.

    C. What steps should system administrators take?

    Sun recommends that customers:

    1. Install all available security patches.  A comprehensive list is
    included in this bulletin.

    2. Tighten up system and network configurations to close the other
    security holes probed by SATAN.  We have included here a set of
    specific recommendations as a guide for your use.

    3. Obtain a copy of SATAN and study it.  Learn how it can be used
    and familiarize yourself with its attacks.

II. List of currently available security patches.



Solaris 1.1 (4.1.3)
===================

Security patches
++++++++++++++++

 o 100103-12: [README] SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode (9658 bytes)
 o 100272-07: [README] SunOS 4.1.3: Security update for in.comsat. (39489 bytes)
 o 100296-04: [README] SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world (40128 bytes)
 o 100305-15: [README] SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch (507355 bytes)
 o 100372-02: [README] * SunOS 4.1.1;4.1.2;4.1.3: tfs and c2 do not work together (729205 bytes)
 o 100377-19: [README] SunOS 4.1.3: sendmail jumbo patch (216573 bytes)
 o 100383-06: [README] SunOS 4.0.3;4.1;4.1.1;4.1.2;4.1.3: rdist security and hard links enhancement, (123493 bytes)
 o 100482-06: [README] SunOS 4.1;4.1.1;4.1.2;4.1.3: ypserv and ypxfrd fix, plus DNS fix (670354 bytes)
 o 100507-06: [updated] [README] SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch (62787 bytes)
 o 100513-04: [README] * SunOS 4.1.1;4.1.2;4.1.3: Jumbo tty patch (531383 bytes)
 o 100564-07: [README] * SunOS 4.1.2, 4.1.3: C2 Jumbo patch (2534211 bytes)
 o 100567-04: [README] SunOS 4.1,4.1.1, 4.1.2, 4.1.3: mfree and icmp redirect security patch (10277 bytes)
 o 100593-03: [README] SunOS 4.1.3: Security update for dump. (247471 bytes)
 o 100623-03: [README] SunOS 4.1.2;4.1.3: UFS jumbo patch (143981 bytes)
 o 100630-02: [README] SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit login/su (40552 bytes)
 o 100631-01: [README] SunOS 4.1 4.1.1 4.1.2 4.1.3: env variables can be used to exploit login (25432 bytes)
 o 100890-10: [README] SunOS 4.1.3: domestic libc jumbo patch (3131283 bytes)
 o 100891-10: [README] SunOS 4.1.3: international libc jumbo patch (3161107 bytes)
 o 100909-03: [README] SunOS 4.1.1;4.1.2;4.1.3: Security update for syslogd. (53666 bytes)
 o 101072-02: [README] SunOS 4.1.1;4.1.2;4.1.3: Non-related data filled the last block tarfile (245215 bytes)
 o 101080-01: [README] SunOS 4.1.1 4.1.2 4.1.3: security problem with expreserve (11790 bytes)
 o 101200-03: [README] SunOS 4.1.3: Breach of security using modload (30894 bytes)
 o 101480-01: [README] SunOS 4.1.1;4.1.2;4.1.3: Security update for in.talkd. (44653 bytes)
 o 101481-01: [README] SunOS 4.1.3: Security update for shutdown. (80997 bytes)
 o 101482-01: [README] SunOS 4.1.3, 4.1.2, 4.1.1: Security update for write. (41407 bytes)
 o 101640-03: [README] SunOS 4.1.3: in.ftpd logs password info when -d option is used. (142453 bytes)
 o 102023-03: [README] SunOS 4.1.3: Root access possible via forced passwd race condition (39521 bytes)
 o 100448-02: [README] OpenWindows 3.0: loadmodule is a security hole. (4460 bytes)
 o 100452-68: [README] OpenWindows 3.0: XView 3.0 Jumbo Patch (1690398 bytes)
 o 100478-01: [README] OpenWindows 3.0: xlock crashes leaving system open (58475 bytes)



Solaris 1.1.1 (4.1.3_U1)
========================

Security patches
++++++++++++++++

 o 100103-12: [README] SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode (9658 bytes)
 o 101434-03: [README] SunOS 4.1.3_U1: lpr Jumbo Patch (122313 bytes)
 o 101436-08: [README] SunOS 4.1.3_U1: patch for mail executable (16166 bytes)
 o 101440-01: [README] SunOS 4.1.3_U1: security problem: methods to exploit login/su (6832 bytes)
 o 101558-04: [README] SunOS 4.1.3_U1: international libc jumbo patch (3134886 bytes)
 o 101579-01: [README] SunOS 4.1.3_U1: Security problem with expreserve for Solaris 1.1.1 (15231 bytes)
 o 101587-01: [README] SunOS 4.1.3_U1: security patch for mfree and icmp redirect (12685 bytes)
 o 101621-02: [README] SunOS 4.1.3_U1: Jumbo tty patch (108693 bytes)
 o 101665-04: [README] SunOS 4.1.3_U1: sendmail jumbo patch (217621 bytes)
 o 101679-01: [README] SunOS 4.1.3_U1: Breach of security using modload (10358 bytes)
 o 101759-02: [README] SunOS 4.1.3_U1: domestic libc jumbo patch (3143334 bytes)
 o 102060-01: [README] SunOS 4.1.3_U1: Root access possible via passwd race condition (22711 bytes)
 o 100448-02: [README] OpenWindows 3.0: loadmodule is a security hole. (4460 bytes)
 o 100452-68: [README] OpenWindows 3.0: XView 3.0 Jumbo Patch (1690398 bytes)
 o 100478-01: [README] OpenWindows 3.0: xlock crashes leaving system open (58475 bytes)



Solaris 2.2
===========

Security patches
++++++++++++++++

 o 100999-71: [updated] [README] SunOS 5.2: jumbo kernel patch (6918935 bytes)
 o 101090-01: [README] SunOS 5.2: fixes security hole in expreserve (34800 bytes)
 o 101301-03: [README] SunOS 5.2: security bug & tar fixes (411973 bytes)
 o 101842-01: [README] SunOS 5.2: sendmail jumbo patch - security (196513 bytes)



Solaris 2.3
===========

Security patches
++++++++++++++++

 o 101318-70: [README] SunOS 5.3: Jumbo patch for kernel (includes libc, lockd) (9409417 bytes)
 o 101327-08: [README] SunOS 5.3: security and miscellaneous tar fixes (426364 bytes)
 o 101572-03: [README] SunOS 5.3: cron and at fixes (97117 bytes)
 o 101582-03: [README] * SunOS 5.3: POINT PATCH: Password aging & NIS+ don't work (together) (48120 bytes)
 o 101615-02: [README] SunOS 5.3: miscellaneous utmp fixes (69639 bytes)
 o 101620-01: [README] * SunOS 5.3: keyserv has a file descriptor leak (48740 bytes)
 o 101631-02: [README] SunOS 5.3: kd and ms fixes (125951 bytes)
 o 101712-01: [README] SunOS 5.3: uucleanup isn't careful enough when sending mail (54101 bytes)
 o 101736-03: [README] * SunOS 5.3: nisplus patch (58635 bytes)
 o 101739-07: [README] SunOS 5.3: sendmail jumbo patch - security (218819 bytes)
 o 101786-02: [README] * SunOS 5.3: inetd fixes (60339 bytes)
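
An added example, not part of the bulletin and not Sun tooling: one way to act on recommendation C.1 is to check a host's patch inventory against the list format used above. The function name `audit_patches` and the installed inventory are constructed for illustration; the script assumes the inventory is available as one `NNNNNN-RR` id per line and that a higher revision of the same base id supersedes a lower one.

```shell
#!/bin/sh
# Added example: audit installed patch revisions against the bulletin list.
# BULLETIN_LIST copies four entries from the Solaris 2.3 list in this bulletin.
BULLETIN_LIST=' o 101318-70: [README] SunOS 5.3: Jumbo patch for kernel (includes libc, lockd) (9409417 bytes)
 o 101327-08: [README] SunOS 5.3: security and miscellaneous tar fixes (426364 bytes)
 o 101572-03: [README] SunOS 5.3: cron and at fixes (97117 bytes)
 o 101739-07: [README] SunOS 5.3: sendmail jumbo patch - security (218819 bytes)'

# INSTALLED is a constructed inventory (assumption: one "NNNNNN-RR" id per line).
INSTALLED='101318-70
101327-05
101739-09
101786-02'

# audit_patches BULLETIN INSTALLED
# Prints one line per bulletin entry: OK, OUTDATED (older revision present) or MISSING.
# Not handled: a patch obsoleted by a different base id.
audit_patches() {
    # Tag each input so awk sees the whole inventory before the bulletin entries.
    { printf '%s\n' "$2" | sed 's/^/I /'
      printf '%s\n' "$1" | sed 's/^/B /'; } |
    awk '
        # Inventory line: keep the highest revision seen for each base id.
        $1 == "I" && $2 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]$/ {
            split($2, p, "-")
            if (!(p[1] in have) || p[2] + 0 > have[p[1]] + 0) have[p[1]] = p[2]
            next
        }
        # Bulletin entry: " o 101318-70: [README] ..."; other lines are ignored.
        $1 == "B" && $2 == "o" && $3 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]:$/ {
            id = $3; sub(/:$/, "", id); split(id, p, "-")
            if (!(p[1] in have))
                printf "MISSING  %s\n", id
            else if (have[p[1]] + 0 < p[2] + 0)
                printf "OUTDATED %s (installed %s-%s)\n", id, p[1], have[p[1]]
            else
                printf "OK       %s\n", id
        }'
}

audit_patches "$BULLETIN_LIST" "$INSTALLED"
```

Revisions are compared numerically, so an installed `101739-09` satisfies the bulletin's `101739-07`, while `101327-05` is reported as outdated against `101327-08`.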


