-----------------------------------------------------------------------------
            SUN MICROSYSTEMS SECURITY BULLETIN: #00124, 15 December 93
-----------------------------------------------------------------------------

BULLETIN TOPICS

    I.   New security patches for "loadmodule" and "modload"
         A. loadmodule patch 100448-02 (SunOS 4.1.x, OpenWindows 3.0 only)
         B. modload patch 101200-02 (SunOS 4.1.x)
   II.   Protecting Solaris 2.x systems against fsck failures at system boot
  III.   Sendmail update
   IV.   How to obtain Sun security patches
         A. If you have a support contract
         B. If you do not have a support contract
    V.   How to report or inquire about Sun security problems
   VI.   How to obtain Sun security bulletins
         A. Subscription information
         B. Obtaining old bulletins

Send Replies or Inquiries To:

    Sun Security Coordinator
    MS MPK2-04
    2550 Garcia Avenue
    Mountain View, CA 94043-1100
    Phone:  415-688-9081
    Fax:    415-688-9101
    E-mail: security-alert@Sun.COM

-----------

Permission is granted for the redistribution of this Bulletin for the purpose
of alerting Sun customers to problems, as long as the Bulletin is not edited
and is attributed to Sun Microsystems.  Any other use of this information
without the express written consent of Sun Microsystems is prohibited.  Sun
Microsystems expressly disclaims all liability for any misuse of this
information by any third party.

-----------------------------------------------------------------------------

I.   New security patches for "loadmodule" and "modload"

  A. loadmodule patch 100448-02 (SunOS 4.1.1, 4.1.2, 4.1.3, 4.1.3c,
     OpenWindows version 3.0 only)

     Loadmodule bug 1076118 allows root access via the manipulation of
     environment variables.
     System   Patch ID    Filename           BSD        SVR4
                                             Checksum   Checksum
     ------   ---------   ---------------    --------   --------
     4.1.x    100448-02   100448-02.tar.Z    19410 5    30701 9

     (Checksums are given as "checksum blocks", as printed by the BSD and
     System V versions of sum; compare the downloaded file against both.)

     Loadmodule was distributed only for OpenWindows 3.0, which means that no
     sun3 or x86 machines are affected; systems running Solaris 2.x use
     OpenWindows 3.1, which excludes them as well.  However, any system on
     which loadmodule is installed "setuid root"--owned by root, with the
     setuid bit set, as in the standard release--is vulnerable, whether or not
     OpenWindows is running on that machine.

     Note: The modload patch described below must also be installed to close
     this security hole.

  B. modload patch 101200-02 (SunOS 4.1.1, 4.1.2, 4.1.3, 4.1.3c)

     Bug 1137491 allows root access via the manipulation of environment
     variables.

     System   Patch ID    Filename           BSD        SVR4
                                             Checksum   Checksum
     ------   ---------   ---------------    --------   --------
     4.1.x    101200-02   101200-02.tar.Z    41677 28   56138 55

     Modload can only represent a security problem when it is installed setuid
     or setgid (which, by default, it is not), or when it is invoked from
     setuid or setgid software, such as loadmodule.  Modload is often invoked
     in this latter mode, and it is for this reason that Sun recommends
     running the patched version.

     Note: The loadmodule patch described above must also be installed to
     close this security hole.

II.  Protecting Solaris 2.x systems against fsck failures at system boot

     If fsck fails during system boot, a privileged shell is started on the
     system console without asking for a password.  This is a security
     vulnerability wherever users who would normally not have root access can
     reach the console at boot time.  This bug, 1124898, does not occur in
     4.1.x systems.

     A simple change to each of two system scripts closes this hole.  With
     the change in place, the system runs the privileged shell only if the
     user at the console enters the correct root password.
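The script edit this section prescribes, as an added shell example that is not part of the Sun bulletin: it counts and lists the lines that start an unauthenticated console shell, keeps a backup, substitutes the sulogin form, and confirms nothing is left. The two strings are the ones the bulletin gives; the ".orig" backup suffix, the SULOGIN variable and the constructed sample script in make_sample are this example's own choices, not Sun's files.

```shell
#!/bin/sh
# Added example (not from the Sun bulletin): audit and apply the section II
# change on a Solaris 2.x system.  OLD and NEW are the exact strings the
# bulletin gives; the ".orig" backup suffix, the SULOGIN variable and the
# sample script written by make_sample are this example's own choices.

OLD='/sbin/sh < /dev/console'
NEW='/sbin/sulogin < /dev/console'
SULOGIN=${SULOGIN:-/sbin/sulogin}

# count_console_shell FILE
# Print how many lines of FILE still start a root shell on the console
# without a password.  The bulletin says the stock /sbin/rcS has 1 and
# /sbin/mountall has 2; any other count means the script has been altered
# locally and should be inspected by hand before editing.
count_console_shell() {
    awk -v p="$OLD" 'index($0, p) { n++ } END { print n + 0 }' "$1"
}

# report_console_shell FILE
# Show the offending lines with their line numbers (the bulletin cites
# rcS line 152 and mountall lines 66 and 250 for the stock scripts).
report_console_shell() {
    grep -n -F "$OLD" "$1"
}

# fix_console_shell FILE
# Keep a copy as FILE.orig, then rewrite FILE with every OLD replaced by NEW.
# Returns 0 only if no occurrence remains.  Redirecting into the existing
# FILE keeps its mode and owner, so the boot script stays executable.
fix_console_shell() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # The replacement must exist before a failed fsck tries to run it.
    [ -x "$SULOGIN" ] || echo "warning: $SULOGIN is not executable; check it before rebooting" >&2
    cp -p "$f" "$f.orig" || return 1
    # '|' is the sed delimiter because both strings contain '/'.
    sed "s|$OLD|$NEW|g" "$f.orig" > "$f" || return 1
    [ "$(count_console_shell "$f")" -eq 0 ]
}

# make_sample FILE
# Write a constructed stand-in for /sbin/rcS (not Sun's script) with two
# console shells and one unrelated use of /sbin/sh that must stay untouched.
make_sample() {
    cat > "$1" <<'EOF'
#!/sbin/sh
# constructed sample, not Sun's /sbin/rcS
/sbin/fsck -p >/dev/console 2>&1 || {
    echo "fsck failed; dropping to a maintenance shell"
    /sbin/sh < /dev/console
}
/sbin/sh -c 'echo "this unrelated /sbin/sh line must survive"'
/sbin/sh < /dev/console
EOF
}

# Demonstrate on a scratch copy only.  On the real system, as root:
#   for f in /sbin/rcS /sbin/mountall; do fix_console_shell "$f"; done
if [ "${1-}" = "--demo" ]; then
    tmp=${TMPDIR:-/tmp}/rcS.demo.$$
    make_sample "$tmp"
    echo "before: $(count_console_shell "$tmp") occurrence(s)"
    report_console_shell "$tmp"
    fix_console_shell "$tmp" && echo "after:  $(count_console_shell "$tmp") occurrence(s)"
    rm -f "$tmp" "$tmp.orig"
fi
```

Run it with `--demo` to see the substitution on the constructed sample; the count check before editing is the important step, since a locally modified rcS or mountall with a different number of occurrences deserves a manual look rather than a blind sed pass.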
     The changes, described below, have been integrated into the upcoming
     Solaris 2.x release.  If you wish to make the change on your own
     systems, edit both /sbin/rcS and /sbin/mountall, changing every
     occurrence of:

         /sbin/sh < /dev/console

     to:

         /sbin/sulogin < /dev/console

     As distributed by Sun, /sbin/rcS contains one occurrence of this string,
     at line 152; and /sbin/mountall contains two, one at line 66 and one at
     line 250.  Once this change has been made, sulogin will request the root
     password in the event fsck fails, before starting a privileged shell.
     The success or failure of sulogin will be logged in /var/adm/sulog.

III. Sendmail update

     In our bulletin #123, issued 10 November 1993, we said:

         We are now working on fixes for the newly-discovered bugs in our
         version of sendmail, and will release a patch as soon as testing is
         complete.  We expect to release the next sendmail patch... about 19
         November.  However, the release may be delayed if more holes are
         discovered in the interim or if the known bugs prove more difficult
         than expected to resolve.

     We have almost completed testing of the new sendmail patch and expect to
     release it no later than 21 December (Tuesday).  We will announce the
     patch in a bulletin similar to this one.

IV.  How to obtain Sun security patches

  A. If you have a support contract

     Customers with Sun support contracts can obtain the patches listed
     here--and all other Sun security patches--from:

         - Local Sun answer centers, worldwide
         - SunSolve Online

     Please refer to the bug ID and patch ID when requesting patches from Sun
     answer centers.  You should also contact your answer center if you have
     a support contract and:

         - You need assistance in installing a patch
         - You need additional patches
         - You want an existing patch ported to another platform
         - You believe you have encountered a bug in a Sun patch
         - You want to know if a patch exists, or when one will be ready

  B. If you do not have a support contract

     Sun also makes its security patches available to customers who do not
     have a support contract, via anonymous ftp:

         - In the US, from /systems/sun/sun-dist on ftp.uu.net
         - In Europe, from ~ftp/sun/fixes on ftp.eu.net

     Patches announced in a Sun security bulletin are uploaded to these two
     sites just before the bulletin is released, and seldom updated.  In
     contrast, the "supported" patch databases are refreshed nightly, and
     will often contain newer versions of a patch incorporating changes which
     are not security-related.

V.   How to report or inquire about Sun security problems

     If you discover a security problem with Sun software or wish to inquire
     about a possible problem, contact one or more of the following:

         - Your local Sun answer center
         - Your representative computer security response team, such as CERT
         - This office.  Address postal mail to:

               Sun Security Coordinator
               MS MPK2-04
               2550 Garcia Avenue
               Mountain View, CA 94043-1100
               Phone:  415-688-9081
               Fax:    415-688-9101
               E-mail: security-alert@Sun.COM

VI.  How to obtain Sun security bulletins

  A. Subscription information

     Sun Security Bulletins are available free of charge as part of our
     Customer Warning System.  It is not necessary to have a Sun support
     contract in order to receive them.

     To subscribe to this bulletin series, send mail to the address
     "security-alert@Sun.COM" with the subject "subscribe CWS [mail-address]"
     and a message body containing affiliation and contact information.  To
     request that your name be removed from the mailing list, send mail to
     the same address with the subject "unsubscribe CWS [mail-address]".

     Do not include other requests or reports in a subscription message.  Due
     to the volume of subscription requests which we receive, we cannot
     guarantee to acknowledge or execute requests which are not in the format
     described above.  Normally we will acknowledge your request within 24
     hours of receipt.
     If you would like your bulletin delivered via postal mail or fax, please
     contact this office directly to make arrangements.

  B. Obtaining old bulletins

     Recent bulletins (#119 and later) are archived on ftp.uu.net, in the
     same directory as the patches.  Many earlier bulletins are available
     from SunSolve.  Please try these sources first before contacting this
     office for old bulletins.

------------