-----------------------------------------------------------------------------
            SUN MICROSYSTEMS SECURITY BULLETIN: #00123, 10 November 93
-----------------------------------------------------------------------------

BULLETIN TOPICS

   I.   Sendmail update
        A. Summary of ongoing efforts
        B. Comments on the recent CERT, CIAC, and NASIRC advisories
        C. Workaround needed by some 4.1.x sites to run 100377-07
        D. List of platforms, operating system versions, and patches

   II.  How to obtain Sun security patches
        A. If you have a support contract
        B. If you do not have a support contract

   III. How to report Sun security problems

Send Replies or Inquiries To:

   Sun Security Coordinator
   MS MPK2-04
   2550 Garcia Avenue
   Mountain View, CA 94043-1100
   Phone:  415-688-9081
   Fax:    415-688-9101
   E-mail: security-alert@Sun.COM

-----------

This information is only to be used for the purpose of alerting Sun
customers to problems. Any other use or re-broadcast of this information
without the express written consent of Sun Microsystems shall be
prohibited.

Sun Microsystems expressly disclaims all liability for any misuse of this
information by any third party.

Sun Microsystems recommends that all customers concerned with the security
of their SunOS system(s) obtain and install all patches that are applicable
to their computing environment.

-----------------------------------------------------------------------------

I. Sendmail update

Many Sun customers have asked for an update concerning the security holes
in sendmail. This bulletin summarizes the state of our work to close those
holes. No new vulnerabilities are discussed.

We also provide in this bulletin a workaround for the benefit of customers
whose mail system configurations proved incompatible with patch 100377-07
(see section C below).

A. Summary of ongoing efforts

Since the release of Sun's 21 October sendmail patch (see our bulletin
#122), sendmail has been closely scrutinized for possible security holes.
As a result of this scrutiny, new bugs--both generic and Sun-specific--have
come to light. We are now working on fixes for the newly-discovered bugs in
our version of sendmail, and will release a patch as soon as testing is
complete. In this effort we are collaborating with several external
sendmail experts; CERT; and, through CERT, with other UNIX vendors.

We expect to release the next sendmail patch in seven to ten days--that is,
about 19 November. However, the release may be delayed if more holes are
discovered in the interim or if the known bugs prove more difficult than
expected to resolve. We will announce the patch in a bulletin similar to
this one.

B. Comments on the recent CERT, CIAC, SERT, and NASIRC advisories

Several customers have asked this office to comment on the recent
advisories (CERT CA 93:16; CIAC E-03; SERT SA-93.10; and NASIRC #96-06).
These bulletins state that every commercial sendmail has known security
holes. Most recommend that sites consider some additional security
measures, such as running the 8.6.4 sendmail (and perhaps the new smrsh
program) from Berkeley.

Beyond recommending that customers apply the Sun patches and follow
documented procedures, we cannot give advice. But here is what we know.

   1. The sendmail patches we released on 21 October fixed all of the
      security holes we were aware of at that time. The next patch will
      fix all of the holes we are aware of now.

   2. As of this writing we are aware of no reports from Sun customers
      concerning undesirable interactions with the Berkeley software, or
      of any unanticipated side effects, or bugs, associated with the
      smrsh program.

   3. The CERT advisory, in particular, contains sound advice prepared by
      recognized experts in the field. In light of the unavoidable delay
      until the release of our next patch, we suggest that every customer
      carefully evaluate the alternatives presented there.

Lastly--while taking no position on the use of the smrsh program
itself--we recommend extreme caution in the selection of those programs
for which remote execution is allowed.

C. Workaround needed by some 4.1.x sites to run 100377-07

Some of our customers have experienced problems after installing sendmail
patch 100377-07 (SunOS 4.1.x). These problems result from an undocumented
change--a correction, in fact--to the behavior of the "$%y" operator in
subsidiary sendmail.cf files. We apologize for our previous oversight in
not documenting the change.

Under the old interpretation of "$%y", only unqualified names, presumably
indicating hosts on the local Ethernet segment, would match, thus getting
local delivery. Using the new interpretation of "$%y", any name which
succeeds in a "gethostbyname" call (which is any valid DNS name if DNS
forwarding through NIS is enabled) will match, so the "subsidiary" file is
fooled into thinking all Internet hosts are "local". In this case mail
cannot successfully be delivered by the subsidiary host.

This problem does not arise on Solaris 2.x systems.

We recommend the following workaround (on "subsidiary" systems only):

   1. Become root. Make a backup copy of your /etc/sendmail.cf file, with
      a command such as:

         % cp /etc/sendmail.cf /etc/sendmail.cf-FCS

   2. Edit the /etc/sendmail.cf file, adding one line and changing
      approximately two others. The line to be inserted is:

         DYhosts.byname

      and it is most conveniently placed directly after the comment,
      "#known hosts in this domain are obtained from gethostbyname() call".
      This comment is found in line 52 in the sample .cf file.

      In that same file, replace all references (there are two in the
      sample file) from "$%y" to "$%Y". (That is, change references to the
      lower-case y operator so that they instead refer to the newly
      defined upper-case Y macro.)

   3. Kill and restart sendmail. Be sure to supply the appropriate command
      line options. You can get these either from your rc.local file or
      via a command like "ps -auxw | grep sendmail".

Sun Microsystems wishes to acknowledge the contributions of customers Paul
Quare, Greg Jumper, and Logan Thomas in the development and testing of this
workaround. Please direct any comments or questions to your local answer
center.

D. List of platforms, operating system versions, and patches

   1. Platforms. Sun has now made the sendmail security patches available
      on its sun3 and x86 architectures. All supported architectures
      (sun3, sun4, and x86) now have patches.

      A sun3 version has been added to the existing patch 100377-07. The
      bug ID for all 4.1.x platforms is 1144946.

      The patch for the x86 platform is 101352-01, as shown below. The bug
      ID for all Solaris 2.x platforms is 1142888. Note that this patch
      also includes an x86 fix for the tar security bug discussed in the
      21 October bulletin.

   2. OS Versions. Sendmail patches are available for the following
      versions of the operating system: 4.1.1, 4.1.2, 4.1.3, 5.1 (Solaris
      2.1) and 5.2 (Solaris 2.2). No 5.3 (Solaris 2.3) version of the
      existing patch is available; but 5.3 will be included in all future
      sendmail patches.

      No patches will be produced for SunOS 4.1, or earlier versions such
      as 4.0.3. Running the 4.1.1 version on a 4.1 system is not a
      supported configuration and we cannot recommend it. Many customers
      who have tried it report that it works satisfactorily, despite the
      many error messages (displayed when the program starts up)
      complaining about old library versions. For further information on
      this subject please contact your local answer center.

   3. Patches. Available patches are tabulated below.
      Note that the checksum for 100377-07.tar.Z is different than that
      shown in our bulletin of 21 October because of the addition of the
      sun3 patch.

      System        Patch ID    Filename          BSD          SVR4
                                                  Checksum     Checksum
      -----------   ---------   ---------------   ----------   -----------
      SunOS 4.1.x   100377-07   100377-07.tar.Z   39017 741    6982 1482
      Solaris 2.1   100840-03   100840-03.tar.Z   01153 194    39753 388
      Solaris 2.2   101077-03   101077-03.tar.Z   49343 177    63311 353
      Solaris x86   101352-01   101352-01.tar.Z   31564 551    37608 1101

      The checksums shown above are from the BSD-based checksum (on
      4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4
      version on Solaris 2.x (/usr/bin/sum).

II. How to obtain Sun security patches

A. If you have a support contract

Customers with Sun support contracts can obtain the patches listed
here--and all other Sun security patches--from:

   - Local Sun answer centers, worldwide
   - SunSolve Online

Please refer to the bug ID and patch ID when requesting patches from Sun
answer centers.

You should also contact your answer center if you have a support contract
and:

   - You need assistance in installing a patch
   - You need additional patches
   - You want an existing patch ported to another platform
   - You believe you have encountered a bug in a Sun patch

B. If you do not have a support contract

Sun also makes its security patches available to customers who do not have
a support contract, via anonymous ftp:

   - In the US, from /systems/sun/sun-dist on ftp.uu.net
   - In Europe, from ~ftp/sun/fixes on ftp.eu.net

Patches announced in a Sun security bulletin are uploaded to these two
sites just before the bulletin is released, and seldom updated. In
contrast, the "supported" patch databases are refreshed nightly, and will
often contain newer versions of a patch incorporating changes which are
not security-related.

III. How to report Sun security problems

If you discover a security problem with Sun software, please contact one or
more of the following:

   - Your local Sun answer centers, worldwide
   - Your representative computer security response team, such as CERT
   - This office. Address postal mail to:

        Sun Security Coordinator
        MS MPK2-04
        2550 Garcia Avenue
        Mountain View, CA 94043-1100
        Phone:  415-688-9081
        Fax:    415-688-9101
        E-mail: security-alert@Sun.COM

-----------

If you received this bulletin indirectly, and would like to be added to
Sun's Customer Warning System mailing list, send a request to the address
above with your affiliation and contact information. If you have e-mail
access, send mail to "security-alert@Sun.COM" with the subject "subscribe"
and your affiliation and contact information in the message body.
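The section C workaround, scripted so that the three manual steps (backup, DY macro insertion, "$%y" to "$%Y" rewrite) can be applied to a subsidiary host's sendmail.cf and checked afterwards. This is an added example; it is not part of the Sun bulletin and not Sun's code. It assumes a 4.1.x-style sendmail.cf that carries the "#known hosts in this domain are obtained from gethostbyname() call" comment and "$%y" references exactly as the bulletin describes; the miniature .cf written by make_sample_cf is constructed for illustration and is not Sun's subsidiary.cf. Restarting sendmail (step 3) is left to the operator, since the daemon's command-line options are site-specific.

```shell
#!/bin/sh
# Added example, not from the Sun bulletin: scripts the section C workaround
# for subsidiary sendmail.cf files (SunOS 4.1.x with patch 100377-07).
# Assumes the .cf contains the "#known hosts in this domain are obtained
# from gethostbyname() call" comment and "$%y" references, as the bulletin
# describes.  The sample .cf below is constructed for illustration.

ANCHOR='^#known hosts in this domain are obtained from gethostbyname'

# make_sample_cf PATH
#   Writes a constructed miniature subsidiary sendmail.cf (not Sun's file):
#   the anchor comment plus two rules that use the "$%y" operator.
#   (A real .cf separates rule fields with tabs; spaces are used here.)
make_sample_cf() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the subsidiary.cf layout
DDexample.com
#known hosts in this domain are obtained from gethostbyname() call
# deliver to hosts that gethostbyname() resolves
R$*<@$%y>$*        $#ether $@$2 $:$1<@$2>$3    user@host
R$*<@$%y.LOCAL>$*  $#ether $@$2 $:$1<@$2>$3    user@host.LOCAL
EOF
}

# count_y_refs PATH -> number of lines still using the "$%y" operator
count_y_refs() {
    grep -c '\$%y' "$1" || true
}

# apply_y_workaround PATH
#   returns 1 and changes nothing if DYhosts.byname is already defined
#   returns 3 and changes nothing if the anchor comment is missing, so the
#     macro would not land where the bulletin puts it (edit by hand instead)
#   otherwise saves PATH-FCS, inserts "DYhosts.byname" directly after the
#     anchor comment and rewrites every "$%y" to "$%Y"
apply_y_workaround() {
    cf=$1
    if grep -q '^DYhosts\.byname' "$cf"; then
        echo "$cf: DYhosts.byname already present, nothing to do" >&2
        return 1
    fi
    if ! grep -q "$ANCHOR" "$cf"; then
        echo "$cf: gethostbyname() comment not found, edit by hand" >&2
        return 3
    fi
    cp "$cf" "$cf-FCS" || return 2
    # awk: print every line; directly after the anchor also print the macro
    # definition.  sed: \$ and % are literal, so only "$%y" -> "$%Y" changes.
    awk -v anchor="$ANCHOR" '
        { print }
        $0 ~ anchor { print "DYhosts.byname" }' "$cf-FCS" |
        sed 's/\$%y/$%Y/g' > "$cf.tmp" || return 2
    mv "$cf.tmp" "$cf"
}

# demo: run the workaround on a constructed file in a temporary directory
demo() {
    dir=$(mktemp -d) || return 2
    make_sample_cf "$dir/sendmail.cf"
    apply_y_workaround "$dir/sendmail.cf" || return $?
    echo "before: $(count_y_refs "$dir/sendmail.cf-FCS") \$%y references"
    echo "after:  $(count_y_refs "$dir/sendmail.cf") \$%y references"
    diff "$dir/sendmail.cf-FCS" "$dir/sendmail.cf" || true
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run as `sh script.sh demo` to see the diff on the constructed sample; on a real subsidiary host call `apply_y_workaround /etc/sendmail.cf` as root, inspect the diff against /etc/sendmail.cf-FCS, then restart sendmail with the options from rc.local as the bulletin's step 3 says. The script refuses to touch a file it has already patched or a file without the anchor comment, so it is safe to re-run across a fleet.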
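A check for the patch archives listed in section D.3, comparing a downloaded file against both checksum columns of the table. This is an added example, not part of the Sun bulletin. It assumes a sum(1) with the GNU coreutils or BusyBox interface, where plain `sum` computes the BSD checksum over 1K blocks (the algorithm of /bin/sum on 4.1.x and /usr/ucb/sum on Solaris 2.x) and `sum -s` the SVR4 checksum over 512-byte blocks (/usr/bin/sum on Solaris 2.x); that block-size difference is why the two block counts in the table differ for the same file. The expected values in check_bulletin_patch are copied from the bulletin's table; the file used in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the Sun bulletin: verifies a downloaded patch
# archive against the BSD and SVR4 checksum columns of the section D table.
# Assumes GNU/BusyBox sum(1): "sum" = BSD algorithm, 1K blocks;
# "sum -s" = SVR4 algorithm, 512-byte blocks.

# sum_fields COMMAND... -> "checksum blocks"
#   Runs the sum command and keeps only the first two fields, so it does
#   not matter whether the implementation appends the file name.
sum_fields() {
    out=$("$@") || return 2
    set -- $out
    echo "$1 $2"
}

# same_sum "A B" "C D" -> true when both fields agree numerically
#   (numeric so the table's "01153 194" equals a printed "1153 194")
same_sum() {
    set -- $1 $2
    [ "$1" -eq "$3" ] && [ "$2" -eq "$4" ]
}

# verify_patch_sums FILE "BSD_SUM BSD_BLOCKS" "SVR4_SUM SVR4_BLOCKS"
#   returns 0 when both columns match, 1 on any mismatch (naming the
#   algorithm that disagreed on stderr), 2 if sum(1) could not be run
verify_patch_sums() {
    file=$1
    have_bsd=$(sum_fields sum "$file")     || return 2
    have_svr4=$(sum_fields sum -s "$file") || return 2
    status=0
    if ! same_sum "$have_bsd" "$2"; then
        echo "$file: BSD sum is $have_bsd, bulletin lists $2" >&2
        status=1
    fi
    if ! same_sum "$have_svr4" "$3"; then
        echo "$file: SVR4 sum is $have_svr4, bulletin lists $3" >&2
        status=1
    fi
    return $status
}

# check_bulletin_patch FILE PATCH_ID
#   Looks up PATCH_ID in the table from bulletin #00123 (values copied from
#   the bulletin) and verifies FILE against that row.
check_bulletin_patch() {
    case $2 in
        100377-07) verify_patch_sums "$1" "39017 741" "6982 1482"  ;;
        100840-03) verify_patch_sums "$1" "01153 194" "39753 388"  ;;
        101077-03) verify_patch_sums "$1" "49343 177" "63311 353"  ;;
        101352-01) verify_patch_sums "$1" "31564 551" "37608 1101" ;;
        *) echo "$2: not listed in bulletin #00123" >&2; return 2 ;;
    esac
}

# Usage: sh checksums.sh 100377-07.tar.Z 100377-07
if [ $# -eq 2 ]; then
    check_bulletin_patch "$1" "$2" && echo "$1: checksums match $2"
fi
```

A mismatch on the BSD column alone usually means a truncated or corrupted transfer (the block count will also differ); a file whose checksums match neither column is not the archive the bulletin announced and should not be installed. Both columns are 16-bit sums and are no defence against deliberate substitution, so the check confirms the download, not its authenticity.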