----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00126, 21 March 1994 ----------------------------------------------------------------------------- BULLETIN TOPICS In this bulletin Sun announces the availability of several new security patches for SunOS 4.1.x systems. Also, we alert our customers to the increased importance of installing a previously announced patch. I. Announcement of patches for "/etc/utmp" vulnerability II. Reminder about existing rdist patch III. Table of patches IV. How to obtain Sun security patches V. How to report or inquire about Sun security problems VI. How to obtain Sun security bulletins /\ Send Replies or Inquiries To: \\ \ \ \\ / Mark Graff / \/ / / Sun Security Coordinator / / \//\ MS MPK2-04 \//\ / / 2550 Garcia Avenue / / /\ / Mountain View, CA 94043-1100 / \\ \ Phone: 415-688-9081 \ \\ Fax: 415-688-9101 \/ E-mail: security-alert@Sun.COM ----------- Permission is granted for the redistribution of this Bulletin for the purpose of alerting Sun customers to problems, as long as the Bulletin is not edited and is attributed to Sun Microsystems. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00126, 21 March 1994 ----------------------------------------------------------------------------- I. Announcement of patches for "/etc/utmp" vulnerability SunOS 4.1.x systems have been found to be vulnerable to an attack on the /etc/utmp file. The manipulation of this file, which on SunOS 4.1.x systems is world-writable, can result in unauthorized root access for the attacker. We are releasing today patches to several utilities which close that security hole, identified as bug 1140162. If the new patches are installed, no other changes--such as making the /etc/utmp file not world-writable--are necessary to close the security hole. We recommend that all of the patches be installed. Solaris 2.x systems, including Solaris x86 systems, are not susceptible to this attack. SunOS 4.1.3_U1 (Solaris 1.1.1) systems are also not susceptible. The patches were integrated into that system before it was released. II. Reminder about existing rdist patch Last week, two scripts were published in various Usenet newsgroups which exploit vulnerabilities in rdist. Sun customers can protect their sites from attacks based on these scripts by installing, if they have not already done so, our previously released rdist patch. The most recent version is 100383-06. This patch is required for all SunOS 4.1.x systems except the recently-released 4.1.3_U1 (Solaris 1.1.1). An earlier version of the patch, 100383-05, was integrated into that version of the operating system. That earlier patch also contains the fixes needed to defeat the published scripts. III. Table of patches The patches discussed in this bulletin pertain to rdist and six other utility programs: dump, in.comsat, in.talkd, shutdown, syslogd, and write. Each patch is distributed as a compressed tar file containing versions of the patched program for every supported platform. In the case of rdist that includes combinations for which Sun no longer issues patches. The rdist patch, 100383-06, was issued for the sun3 and sun4 architectures and the 4.0.3, 4.1, 4.1.1, 4.1.2, and 4.1.3 versions of the operating system. Eight patch combinations are represented. The sun4 version of the patch can be used on all sun4, sun4c, and sun4m systems. The patches to the other utilities cover the sun3, sun3x, sun4, sun4c, and sun4m architectures. The OS versions covered by the patches are 4.1.1, 4.1.2, and 4.1.3. Ten patch combinations are available in the patch file for each of the six utilities. In the table below we show patch numbers and file names for each of the seven compressed tar files. In the following table we show the BSD and SVR4 checksums. We have also included MD5 digital signatures. Program Patch ID Patch File Name ------- --------- --------------- rdist 100383-06 100383-06.tar.Z dump 100593-03 100593-03.tar.Z in.comsat 100272-07 100272-07.tar.Z in.talkd 101480-01 101480-01.tar.Z shutdown 101481-01 101481-01.tar.Z syslogd 100909-02 100909-02.tar.Z write 101482-01 101482-01.tar.Z Program BSD SVR4 MD5 Digital Signature Checksum Checksum ------- --------- --------- -------------------------------- rdist 58984 121 9125 241 F8F78DDAB19AF5EFABB9BD66FC8F5C1A dump 52095 242 41650 484 CDBA530226E8735FAE2BD9BCBFA47DD0 in.comsat 26553 39 64651 78 912FF4A0CC8D16A10EECBD7BE102D45C in.talkd 47917 44 32598 88 5C3DFD6F90F739100CFA4AA4C97F01DF shutdown 46562 80 56079 159 BFC257EC795D05646FFA733D1C03855B syslogd 61539 108 38239 216 B5F70772384A3E58678C9C1F52D81190 write 61148 41 48636 81 F93276529AA9FC25B35679EBF00B2D6F The checksums shown above are from the BSD-based checksum (on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version on Solaris 2.x (/usr/bin/sum). IV. How to obtain Sun security patches A. If you have a support contract Customers with Sun support contracts can obtain the patches listed here--and all other Sun security patches--from: - Local Sun answer centers, worldwide - SunSolve Online Please refer to the bug ID and patch ID when requesting patches from Sun answer centers. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready B. If you do not have a support contract Sun also makes its security patches available to customers who do not have a support contract, via anonymous ftp: - In the US, from /systems/sun/sun-dist on ftp.uu.net - In Europe, from ~ftp/sun/fixes on ftp.eu.net Patches announced in a Sun security bulletin are uploaded to these two sites just before the bulletin is released, and seldom updated. In contrast, the "supported" patch databases are refreshed nightly, and will often contain newer versions of a patch, incorporating changes which are not security-related. V. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - This office. Address postal mail to: Sun Security Coordinator MS MPK2-04 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-688-9081 Fax: 415-688-9101 E-mail: security-alert@Sun.COM We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. VI. How to obtain Sun security bulletins A. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To subscribe to this bulletin series, send mail to the address "security-alert@Sun.COM" with the subject "subscribe CWS [mail-address]" and a message body containing affiliation and contact information. To request that your name be removed from the mailing list, send mail to the same address with the subject "unsubscribe CWS [mail-address]". Do not include other requests or reports in a subscription message. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. B. Obtaining old bulletins Recent bulletins (#119 and later) are archived on ftp.uu.net, in the same directory as the patches. Many earlier bulletins are available from SunSolve. Please try these sources first before contacting this office for old bulletins. ------------