============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00138, 17 APRIL 1997 ============================================================================= BULLETIN TOPICS In this bulletin Sun announces the release of security-related patches for Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1). These patches relate to vulnerabilities in the volume management library, libvolmgt.so.1, which can result in root access if exploited. The programs eject and fdformat dynamically link the libvolmgt.so.1 library. Sun estimates that patches for Solaris 2.3 (SunOS 5.3) and Solaris 2.4 (SunOS 5.4) for the same vulnerabilities will be available within 1 week of the date of this bulletin. Sun strongly recommends that you install these patches immediately on every affected system. Exploitation scripts for eject and fdformat were made public last month. I. Who is Affected, and What to Do II. Understanding the Vulnerabilities III. List of Patches IV. Checksum Table APPENDICES A. How to obtain Sun security patches B. How to report or inquire about Sun security problems C. How to obtain Sun security bulletins or short status updates Sun acknowledges with thanks the CERT Coordination Center (Carnegie Mellon University) and AUSCERT for their assistance in the preparation of this bulletin. Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response and Security Teams. For more information about FIRST, visit the FIRST web site at "http://www.first.org/". Keywords: eject, fdformat, volume management Patchlist: 104776-01, 104777-01 103024-02, 103044-02 101907-14, 101908-14, 101331-07 Cross-Ref: ----------- Permission is granted for the redistribution of this Bulletin, so long as the Bulletin is not edited and is attributed to Sun Microsystems. Portions may also be excerpted for re-use in other security advisories so long as proper attribution is included. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00138, 17 APRIL 1997 ============================================================================= I. Who is Affected, and What to Do SunOS versions 5.3, 5.4, 5.5, 5.5_x86, 5.5.1, and 5.5.1_x86 are vulnerable. SunOS versions 4.1.3_U1 and 4.1.4 are not vulnerable. Install the patches listed in III. for SunOS versions 5.5, 5.5_x86, 5.5.1, and 5.5.1_x86. Sun estimates that patches for SunOS 5.4, SunOS 5.4_x86, and 5.3 will be released within 1 week from the date of this bulletin. In the meantime, Sun recommends, as a workaround, that setuid permission be removed from the eject and fdformat programs by using commands such as the following: chmod 555 /usr/bin/eject chmod 555 /usr/bin/fdformat The same vulnerabilities have been fixed in the upcoming release of Solaris 2.6. II. Understanding the Vulnerabilities A. eject Buffer Overflow Vulnerability Removable media devices that do not have an eject button or removable media devices that are managed by Volume Management use the eject program. Due to insufficient bounds checking on arguments in the volume management library, libvolmgt.so.1, it is possible to overwrite the internal stack space of the eject program. If exploited, this vulnerability can be used to gain root access on attacked systems. B. fdformat Buffer Overflow Vulnerability The fdformat program formats diskettes and PCMCIA memory cards. The program also uses the same volume management library, libvolmgt.so.1, and is exposed to the same vulnerability as the eject program. III. List of Patches The vulnerabilities relating to eject and fdformat in the volume management library are fixed by the following patches: OS version Patch ID ---------- -------- SunOS 5.5.1 104776-01 SunOS 5.5.1_x86 104777-01 SunOS 5.5 103024-02 SunOS 5.5_x86 103044-02 SunOS 5.4 101907-14 (to be released in 1 week) SunOS 5.4_x86 101908-14 (to be released in 1 week) SunOS 5.3 101331-07 (to be released in 1 week) IV. Checksum Table In the checksum table we show the BSD and SVR4 checksums and MD5 digital signatures for the compressed tar archives. File BSD SVR4 MD5 Name Checksum Checksum Digital Signature --------------- --------- --------- -------------------------------- 104776-01.tar.Z 01572 121 22359 241 21E84190D22646A7A7C330D2C88AF1A9 104777-01.tar.Z 16759 122 5357 243 7D1E7640C98E308CB829B3C0754291CC 103024-02.tar.Z 04867 121 18968 241 F9451B9BE28389EC4A5B7B79E8B04B44 103044-02.tar.Z 26729 121 63537 241 D3FB1C1AD4CF72422F6002E56D357988 The checksums shown above are from the BSD-based checksum (on 4.1.x, /bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on on SunOS 5.x (/usr/bin/sum). APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain any patches listed in this bulletin (and any other patches--and a list of patches) from: - SunSolve Online - Local Sun answer centers, worldwide - SunSITEs worldwide The patches are available via World Wide Web at http://sunsolve.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Customers without support contracts may now obtain security patches, "recommended" patches, and patch lists via SunSolve Online. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. The ftp.uu.net and ftp.eu.net sites are no longer supported. 3. About the checksums So that you can quickly verify the integrity of the patch files themselves, we supply in each bulletin checksums for the tar archives. Occasionally, you may find that the listed checksums do not match the patches on the SunSolve or SunSite database. This does not necessarily mean that the patch has been tampered with. More likely, a non-substantive change (such as a revision to the README file) has altered the checksum of the tar file. The SunSolve patch database is refreshed nightly, and will sometimes contain versions of a patch newer than the one on which the checksums were based. In the future we may provide checksum information for the individual components of a patch as well as the compressed archive file. This would allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. In the meantime, if you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. B. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - This office. Address postal mail to: Sun Security Coordinator MS MPK17-103 2550 Garcia Avenue Mountain View, CA 94043-1100 Email: security-alert@sun.com We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. C. How to obtain Sun security bulletins or short status updates 1. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To receive information or to subscribe or unsubscribe from our mailing list, send mail to security-alert@sun.com with a subject line containing one of the following commands. Subject Information Returned/Action Taken ------- --------------------------------- HELP An explanation of how to get information LIST A list of current security topics QUERY [topic] The mail containing the question is relayed to a Security Coordinator for a response. REPORT [topic] The mail containing the text is treated as a security bug report and forwarded to a Security Coordinator for handling. Please note that this channel of communications does not supersede the use of Sun Solution Centers for this purpose. Note also that we do not recommend that detailed problem descriptions be sent in plain text. SEND topic Summary of the status of selected topic. (To retrieve a Sun Security Bulletin, supply the number of the bulletin, as in "SEND #103".) SUBSCRIBE Sender is added to the CWS (Customer Warning System) list. The subscribe feature requires that the sender include on the subject line the word "cws" and the reply email address. So the subject line might look like the following: SUBSCRIBE cws your-email-address UNSUBSCRIBE Sender is removed from the CWS list. Should your email not fit into one of the above subjects, a help message will be returned to you. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. 2. Obtaining old bulletins Sun Security Bulletins are available via the security-alert alias and on SunSolve. Please try these sources first before contacting this office for old bulletins. ---------- ------------- End Forwarded Message -------------