[12340] in bugtraq


Re: HP automountd security bulletin

daemon@ATHENA.MIT.EDU (Bennett Todd)
Tue Oct 26 14:40:39 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19991026000340.A22447@mordor.net>
Date:         Tue, 26 Oct 1999 00:03:40 -0400
Reply-To: Bennett Todd <bet@MORDOR.NET>
From: Bennett Todd <bet@MORDOR.NET>
X-To:         douglas-siebert@uiowa.edu
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199910221745.MAA11053@l-ecn010.icaen.uiowa.edu>; from
              dsiebert@ENGINEERING.UIOWA.EDU on Fri, Oct 22,
              1999 at 12:45:14PM -0500

1999-10-22-13:45:14 dsiebert@ENGINEERING.UIOWA.EDU:
> Who is vulnerable?  As far as I know, all of the new generation
> automounters (the ones that use RPC, support executable maps, and no
> longer have the /tmp_mnt directory) are vulnerable. [...]
> The vulnerability lets anyone anywhere run anything as root on your
> system.  Since it uses RPC, you can't use tcpwrappers to block it or
> filter an extra port or two on your router.  Unless you have an
> application level firewall or use the "deny all ; allow these few
> things" type of router rules, you can get hit.  Even with a firewall,
> you are still vulnerable to anyone on the inside (I hope you trust
> them!) [...]
> What can you do?  If you are running that new generation automounter,
> unless/until you know for sure you are not vulnerable, I would go back
> to the old generation one immediately (the one that uses /tmp_mnt)  That
> one is not vulnerable.

I'd personally recommend a fix related to ``... or use "deny all; allow these
few things" type of router rules''. Run host packet filtering. That at least
narrows the attackers down to people on the same machine, which is in many
settings (e.g. personal machines with accounts only for the local user) less
of a worry. So use ipchains on Linux or ipfilter on most anything, and set up
the host to block all but select, chosen protocols at its interfaces.

These days I set up all Unix systems that way. It's easier than trying to
strip them of services, and I can do things like run a stock system without
worrying about security holes in "local-only" services like the X font server,
all the rpc stuff, etc.

Just another alternative, somewhat less effective (doesn't help against local
users) but perhaps, in some settings, less disruptive than trying to go to a
different automounter.

-Bennett
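The "deny all; allow these few things" host filter Bennett describes, written out for ipchains as an added example (this is not code from the post or from any vendor bulletin). The point worth seeing in rule form is why it works against an RPC service: automountd and the other rpc.* daemons sit on dynamic ports handed out by the portmapper, so instead of trying to enumerate them the policy is DENY on the input chain and a short explicit allow list. Everything not listed, including every RPC port, is dropped at the interface. The allowed TCP port list, the resolver address (192.0.2.53, a documentation address) and the `DRY_RUN`/`apply` handling are assumptions of this script, not anything from the original.

```shell
#!/bin/sh
# Host packet filter for a Linux 2.2 (ipchains) box: default-deny inbound,
# then allow a short, chosen list. Added example; the port list and the
# resolver address below are assumptions, not from the original post.

ALLOW_TCP="${ALLOW_TCP:-22}"              # services this host really offers (space-separated)
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"  # resolvers whose UDP/53 replies we accept (constructed address)
IPCHAINS="${IPCHAINS:-ipchains}"

# run_rule: with DRY_RUN set, print the command instead of executing it,
# so the policy can be reviewed (and tested) without root or a 2.2 kernel.
run_rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

host_filter_rules() {
    run_rule -F input                       # start from an empty input chain
    run_rule -P input DENY                  # default policy: drop everything not matched below
    run_rule -A input -i lo -j ACCEPT       # loopback: local X, RPC-to-self, etc. keep working

    # Services this host offers to the network. RPC daemons are NOT listed,
    # so their dynamic ports (and the portmapper itself) stay closed.
    for port in $ALLOW_TCP; do
        run_rule -A input -p tcp -d 0.0.0.0/0 "$port" -j ACCEPT
    done

    # Replies to connections this host opened: ipchains is stateless, so the
    # usual trick is to accept any TCP segment that is not a bare SYN (! -y).
    # Caveat: this also lets ACK/FIN probe packets through; it stops new
    # connections, not scans.
    run_rule -A input -p tcp ! -y -j ACCEPT

    # UDP has no SYN to key on, so accept only replies from named resolvers.
    for srv in $DNS_SERVERS; do
        run_rule -A input -p udp -s "$srv" 53 -j ACCEPT
    done

    # Enough ICMP for ping and for path MTU / traceroute to behave.
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        run_rule -A input -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Final catch-all: log (-l) and deny whatever was not explicitly allowed.
    run_rule -A input -l -j DENY
}

# dry_run_rules: emit the rule set as text (subshell keeps DRY_RUN local).
dry_run_rules() {
    ( DRY_RUN=1; host_filter_rules )
}

# rule_count: number of ipchains commands the policy expands to.
rule_count() {
    dry_run_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) host_filter_rules ;;   # needs root and an ipchains-capable kernel
    *)     dry_run_rules ;;       # default: just show what would be loaded
esac
```

Run it with no arguments to review the generated rule set; `sh hostfilter.sh apply` loads it. The same policy on ipfilter is a `block in all` line followed by a few `pass in quick proto tcp ... keep state` lines, which is the "ipfilter on most anything" option the post mentions. Note the stateless caveat in the comments: ipchains cannot track connections, so `! -y` is an approximation of "established", good enough to keep automountd and friends unreachable from the wire but not a substitute for a stateful filter.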
