From: Mark.Graff@Eng.Sun.COM ( Mark Graff ) Date: Tue, 4 Apr 1995 23:17:50 -0700 To: cws@liberty.Eng.Sun.COM Subject: Sun Security Bulletin #130 ----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00130, 4 April 1995 ----------------------------------------------------------------------------- BULLETIN TOPICS In this bulletin Sun discusses the potential impact of the release of "SATAN", a public domain software package which probes UNIX systems for security holes. We also include here a list of available security patches for each supported SUNOS release, and a set of procedures we recommend to help protect Sun systems against external attack. SATAN is expected to be released at 8:00am EST tomorrow, 5 April 1995. This package is the same one discussed in the recent CERT bulletin CA-95:06. I. Discussion of SATAN's potential impact on customer systems. II. List of currently available Sun security patches. III. Set of recommended security procedures. APPENDICES A. How to obtain Sun security patches B. How to report or inquire about Sun security problems C. How to obtain Sun security bulletins /\ Send Replies or Inquiries To: \\ \ \ \\ / Mark Graff / \/ / / Sun Security Coordinator / / \//\ MS MPK3 \//\ / / 2550 Garcia Avenue / / /\ / Mountain View, CA 94043-1100 / \\ \ Phone: 415-688-9081 \ \\ Fax: 415-688-9764 \/ E-mail: security-alert@Sun.COM ----------- Permission is granted for the redistribution of this Bulletin for the purpose of alerting Sun customers to problems, as long as the Bulletin is not edited and is attributed to Sun Microsystems. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00130, 4 April 1995 ----------------------------------------------------------------------------- I. Discussion of SATAN's potential impact Many people have asked for our evaluation of the package. What can it do? How will it be used? What steps, if any, should administrators of Sun systems take in reaction to the software's release? Our answers here are based on our study of a pre-release version made available to UNIX vendors last month. A. What can it do? SATAN provides a new and easy way to test UNIX systems for the presence of several well-known security holes. None of the problems probed for are new. Each one (in the version we have seen) has already been discussed in previous CERT and Sun bulletins and each can be countered either by installing the appropriate patch or fixing a system configuration flaw. SATAN does not introduce a distinct new threat to UNIX systems. B. How will it be used? Its authors, free-lance programmers Dan Farmer of the U.S. and Wietse Venema of the Netherlands, intend SATAN as a protective tool for system and network administrators. Its simple point-and-click interface and broad distribution, however, make it likely that SATAN will also be used to locate vulnerable systems for malicious reasons. C. What steps should system administrators take? Sun recommends that customers: 1. Install all available security patches. A comprehensive list is included in this bulletin. 2. Tighten up system and network configurations to close the other security holes probed by SATAN. We have included here a set of specific recommendations as a guide for your use. 3. Obtain a copy of SATAN and study it. Learn how it can be used and familiarize yourself with its attacks. II. List of currently available security patches. Solaris 1.1 (4.1.3) =================== Security patches ++++++++++++++++ o 100103-12: [README] SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode (9658 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100272-07: [README] SunOS 4.1.3: Security update for in.comsat. (39489 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100296-04: [README] SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world (40128 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100305-15: [README] SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch (507355 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100372-02: [README] * SunOS 4.1.1;4.1.2;4.1.3: tfs and c2 do not work together (729205 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100377-19: [README] SunOS 4.1.3: sendmail jumbo patch (216573 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100383-06: [README] SunOS 4.0.3;4.1;4.1.1;4.1.2;4.1.3: rdist security and hard links enhancement, (123493 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100482-06: [README] SunOS 4.1;4.1.1;4.1.2;4.1.3: ypserv and ypxfrd fix, plus DNS fix (670354 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100507-06: [updated] [README] SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch (62787 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100513-04: [README] * SunOS 4.1.1;4.1.2;4.1.3: Jumbo tty patch (531383 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100564-07: [README] * SunOS 4.1.2, 4.1.3: C2 Jumbo patch (2534211 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100567-04: [README] SunOS 4.1,4.1.1, 4.1.2, 4.1.3: mfree and icmp redirect security patch (10277 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100593-03: [README] SunOS 4.1.3: Security update for dump. (247471 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100623-03: [README] SunOS 4.1.2;4.1.3: UFS jumbo patch (143981 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100630-02: [README] SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit login/su (40552 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100631-01: [README] SunOS 4.1 4.1.1 4.1.2 4.1.3: env variables can be used to exploit login (25432 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100890-10: [README] SunOS 4.1.3: domestic libc jumbo patch (3131283 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100891-10: [README] SunOS 4.1.3: international libc jumbo patch (3161107 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100909-03: [README] SunOS 4.1.1;4.1.2;4.1.3: Security update for syslogd. (53666 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101072-02: [README] SunOS 4.1.1;4.1.2;4.1.3: Non-related data filled the last block tarfile (245215 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101080-01: [README] SunOS 4.1.1 4.1.2 4.1.3: security problem with expreserve (11790 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101200-03: [README] SunOS 4.1.3: Breach of security using modload (30894 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101480-01: [README] SunOS 4.1.1;4.1.2;4.1.3: Security update for in.talkd. (44653 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101481-01: [README] SunOS 4.1.3: Security update for shutdown. (80997 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101482-01: [README] SunOS 4.1.3, 4.1.2, 4.1.1: Security update for write. (41407 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101640-03: [README] SunOS 4.1.3: in.ftpd logs password info when -d option is used. (142453 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102023-03: [README] SunOS 4.1.3: Root access possible via forced passwd race condition (39521 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100448-02: [README] OpenWindows 3.0: loadmodule is a security hole. (4460 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100452-68: [README] OpenWindows 3.0: XView 3.0 Jumbo Patch (1690398 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100478-01: [README] OpenWindows 3.0: xlock crashes leaving system open (58475 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solaris 1.1.1 (4.1.3_U1) ======================== Security patches ++++++++++++++++ o 100103-12: [README] SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode (9658 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101434-03: [README] SunOS 4.1.3_U1: lpr Jumbo Patch (122313 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101436-08: [README] SunOS 4.1.3_U1: patch for mail executable (16166 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101440-01: [README] SunOS 4.1.3_U1: security problem: methods to exploit login/su (6832 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101558-04: [README] SunOS 4.1.3_U1: international libc jumbo patch (3134886 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101579-01: [README] SunOS 4.1.3_U1: Security problem with expreserve for Solaris 1.1.1 (15231 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101587-01: [README] SunOS 4.1.3_U1: security patch for mfree and icmp redirect (12685 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101621-02: [README] SunOS 4.1.3_U1: Jumbo tty patch (108693 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101665-04: [README] SunOS 4.1.3_U1: sendmail jumbo patch (217621 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101679-01: [README] SunOS 4.1.3_U1: Breach of security using modload (10358 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101759-02: [README] SunOS 4.1.3_U1: domestic libc jumbo patch (3143334 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102060-01: [README] SunOS 4.1.3_U1: Root access possible via passwd race condition (22711 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100448-02: [README] OpenWindows 3.0: loadmodule is a security hole. (4460 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100452-68: [README] OpenWindows 3.0: XView 3.0 Jumbo Patch (1690398 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 100478-01: [README] OpenWindows 3.0: xlock crashes leaving system open (58475 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solaris 2.2 =========== Security patches ++++++++++++++++ o 100999-71: [updated] [README] SunOS 5.2: jumbo kernel patch (6918935 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101090-01: [README] SunOS 5.2: fixes security hole in expreserve (34800 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101301-03: [README] SunOS 5.2: security bug & tar fixes (411973 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101842-01: [README] SunOS 5.2: sendmail jumbo patch - security (196513 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solaris 2.3 =========== Security patches ++++++++++++++++ o 101318-70: [README] SunOS 5.3: Jumbo patch for kernel (includes libc, lockd) (9409417 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101327-08: [README] SunOS 5.3: security and miscellaneous tar fixes (426364 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101572-03: [README] SunOS 5.3: cron and at fixes (97117 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101582-03: [README] * SunOS 5.3: POINT PATCH: Password aging & NIS+ don't work (together) (48120 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101615-02: [README] SunOS 5.3: miscellaneous utmp fixes (69639 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101620-01: [README] * SunOS 5.3: keyserv has a file descriptor leak (48740 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101631-02: [README] SunOS 5.3: kd and ms fixes (125951 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101712-01: [README] SunOS 5.3: uucleanup isn't careful enough when sending mail (54101 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101736-03: [README] * SunOS 5.3: nisplus patch (58635 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101739-07: [README] SunOS 5.3: sendmail jumbo patch - security (218819 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101786-02: [README] * SunOS 5.3: inetd fixes (60339 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102034-01: [README] SunOS 5.3: portmapper security hole (62029 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102167-01: [README] SunOS 5.3: dns fix (55095 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101513-06: [README] * OpenWindows 3.3: Security loophole cm with access list and permissions (1590849 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101889-03: [README] OpenWindows 3.3: filemgr forked executable ff.core has a security hole. (62231 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solaris 2.4 =========== Security patches ++++++++++++++++ o 101981-02: [not avail] [README] SunOS 5.4: SECURITY: login & security fixes (112925 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102044-01: [README] SunOS 5.4: bug in mouse code makes "break root" attack possible (118585 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102066-04: [README] SunOS 5.4: sendmail bug fixes (218829 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102070-01: [README] SunOS 5.4: Bugfix for rpcbind/portmapper (65827 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102216-01: [README] SunOS 5.4: NFS client starts using unreserved UDP port numbers (112925 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102336-01: [README] * SunOS 5.4: POINT PATCH: 1091205 - Password aging & NIS+ don't work (62331 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102922-01: [README] * SunOS 5.4: inetd fix (60357 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solaris 2.4_x86 =============== Security patches ++++++++++++++++ o 101946-12: [README] SunOS 5.4_x86: jumbo patch for kernel (2203251 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 101982-02: [README] SunOS 5.4_x86: login & security fixes (1138395 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102064-04: [README] SunOS 5.4_x86: sendmail bug fixes (191493 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102071-01: [README] SunOS 5.4_x86: Bugfix for rpcbind/portmapper (61813 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ o 102217-01: [README] SunOS 5.4_x86: NFS client starts using unreserved UDP port numbers (99433 bytes) o ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ III. Set of recommended procedures ........................................................................ Improving security on your Sun workstation 4 April 1995 ........................................................................ This document is intended as a "cookbook" for improving security on Sun workstations. In addition to following the steps below, you should consult the following CERT documents for guidance on improving the security of your systems: ftp://info.cert.org/tech_tips/security_info ftp://info.cert.org/tech_tips/anonymous_ftp ftp://info.cert.org/tech_tips/packet_filtering Notes on this document: SunOS versions 4.x will be referenced as "4.x", Solaris versions 2.x will be referenced as "5.x" in this document. ........................................................................ a. Security patches Install all applicable security patches for the OS you are running. It is important to keep up with the security patches. The patches change over time. Keep your internet machines up to date. SunSolve Online provides an easy way of doing this: select the appropriate patches, and add them to your "notify" list. You will be notified any time the patches are revised. b. Single user boot security Set up servers to ensure a password must be given upon single user boot. Additionally, remote login as root should be disabled. Root logins can still be accomplished, but users must first login as a user and then su to root. This is done for logging and accountability purposes. SunOS: Remove all of the "secure" keywords from all /etc/ttytab entries. Solaris: Include the line "CONSOLE=/dev/console" in /etc/default/login file. c. Trust Servers should not trust any other server or host, including dump servers. "Trust" is defined as trusted network access via the files: /.rhosts, /etc/hosts.equiv and ~/.rhosts If servers must trust others, trust should be given to a user as well as a host. The /.rhosts, /etc/hosts.equiv and ~/.rhosts file should contain two entries per line, one entry for the host and an additional entry for the particular user that is to be trusted from the host. Example: Trust user bgp from host umnp1 umnp1 bgp d. Root's Path Root's path should be restricted. The root user should not include the current directory in the search path. Root's .cshrc, .login or .profile files should not contain the current directory in the execute path for commands. remove any "." or ":.:" entry from /.cshrc, /.profile and /.login files. e. NIS Master slave servers should not use NIS for password information. Additionally, under SunOS, NIS clients should contain strings which specify the server in their /etc/password file of the form "+servername" as opposed to the default of "+::-:0:". Under 5.x, NIS clients should bind using a list of servers (see ypinit -c) as opposed to using a broadcast to find a server. f. Aliases Remove the "decode" alias in /etc/aliases. The file permissions for /etc/aliases should be 0644 and owned by root. g. Login accounting file permissions The /etc/utmp file should not be world writable. chmod 644 /etc/utmp h. Turn off all unnecessary RPC services Comment out the rpc services that aren't needed in the /etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file. In particular, disable the following services: rexd, fingerd, systat, netstat, rusersd, sprayd, and *uucpd. Make sure to restart inetd once the changes are made: 5.x: # ps -ef | grep inetd 4.x: # ps -auxww | grep inetd both: root 121 1 80 Mar 22 ? 2:52 /usr/sbin/inetd -s # kill -HUP 121 i. TFTPD Disable tftpd. If it must be running, configure it to run within a particular directory by specifing the "-s /tftpboot" in the /etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file (5.x). 4.x: tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot 5.x: tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot j. Passwords All local and NIS passwords should have a password. The *uucp, bin, audit, sys, ftp, nobody, daemon, news and sync accounts should be disabled by adding a "*" in the password field (4.x) or a "NP" in the /etc/shadow file password field (5.x). The login shell should be set to /bin/false for all the specified accounts as well. The uucp accounts (if any) should have the shell set to /usr/lib/uucp/uucico. k. UID restrictions No accounts other than root should have the user id (UID) of 0. l. NFS Export restrictions NFS exports should be restricted to particular hosts, and no exports should be writable. For example, in 4.x the /etc/exports file could contain: /home -access=upk1,ro or for 5.x the /etc/dfs/dfstab file could contain: share -F nfs -o ro=upk1 /home m. NFS mount restrictions NFS mount file systems with the "nosuid" options if at all: 4.x: mount -o nosuid,bg big1:/home /bighome 5.x: mount -F nfs -o nosuid,bg big1:/home /bighome n. NIS configuration If the server is an NIS master server, it should be configured not to include the password maps, or at least not include the actual encrypted password information. Additionally, yppasswdd should be turned off on the NIS server since NIS clients will not need to change the NIS password information. o. EEPROM Security The eeprom on the server should be set to require a password before being booted from CD or tape from the prom monitor: eeprom secure=command p. IP Spoofing Many of the above attacks can be combined with IP spoofing to allow false IP authentication to occur. Configure firewall routers to prevent externally initiated connections, as described in the recent CERT bulletin (CA-95:01). q. Passwords If you ftp or telnet or rlogin across an insecure network, your password has traveled cleartext across networks which might be traced by sniffers. Change your password as soon as possible. r. Security Checks Perform regular security checks of the system (weekly at least). APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain the patches listed here--and all other Sun security patches--from: - Local Sun answer centers, worldwide - SunSolve Online, and SunSITEs worldwide The patches are available via World Wide Web at http://sunsolve1.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Sun also makes its security patches available to customers who do not have a support contract, via anonymous ftp: - In the US, from /systems/sun/sun-dist on ftp.uu.net - In Europe, from ~ftp/sun/fixes on ftp.eu.net In some cases patches will appear on the European site a day or two after a bulletin is released. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. 3. About the checksums Patches announced in a Sun security bulletin are uploaded to the ftp.*.net sites just before the bulletin is released, and seldom updated. In contrast, the "supported" patch databases are refreshed nightly, and will often contain newer versions of a patch incorporating changes which are not security-related. So that you can quickly verify the integrity of the patch files themselves, we supply checksums for the tar archives in each bulletin. The listed checksums should always match those on the ftp.*.net systems. (The rare exceptions are listed in the "checksums" file there.) Normally, the listed checksums will also match the patches on the SunSolve database. However, this will not be true if we have changed (as we sometimes do) the README file in the patch after the bulletin has been released. In the future we plan to provide checksum information for the individual components of a patch as well as the compressed archive file. This will allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. If you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. B. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - This office. Address postal mail to: Sun Security Coordinator MS MPK2-04 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-688-9081 Fax: 415-688-9101 E-mail: security-alert@Sun.COM We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. C. How to obtain Sun security bulletins 1. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To subscribe to this bulletin series, send mail to the address "security-alert@Sun.COM" with the subject "subscribe CWS your-mail-address" and a message body containing affiliation and contact information. To request that your name be removed from the mailing list, send mail to the same address with the subject "unsubscribe CWS your-mail-address". Do not include other requests or reports in a subscription message. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. 2. Obtaining old bulletins Sun Security Bulletins are archived on ftp.uu.net (in the same directory as the patches) and on SunSolve. Please try these sources first before contacting this office for old bulletins. ------------