TUCoPS :: SunOS/Solaris :: cert0069.txt

SunOS and Solaris vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CA-93:15                         CERT Advisory
                               October 21, 1993
            /usr/lib/sendmail, /bin/tar, and /dev/audio Vulnerabilities 
- -----------------------------------------------------------------------------

The CERT Coordination Center has learned of several vulnerabilities
affecting Sun Microsystems, Inc. (Sun) operating systems. Three
separate vulnerabilities are described in this advisory.  The first 
and third vulnerabilities affect all versions of SunOS 4.1.x and all
versions of Solaris 2.x.  The second affects all systems running any 
version of Solaris 2.x (but does not affect SunOS 4.1.x systems). 

Patches can be obtained from local Sun Answer Centers worldwide as
well as through anonymous FTP from the ftp.uu.net (192.48.96.9) system
in the /systems/sun/sun-dist directory.  In Europe, these patches are
available from ftp.eu.net in the /sun/fixes directory.

Information concerning specific patches is outlined below. Please note 
that Sun sometimes updates patch files.  If you find that the checksum 
is different, please contact Sun.

- -----------------------------------------------------------------------------

I.   /usr/lib/sendmail Vulnerability

     This vulnerability affects all versions of SunOS 4.1.x including
     4.1.1, 4.1.2, 4.1.3, 4.1.3c, and all versions of Solaris 2.x
     including Solaris 2.1 (SunOS 5.1) and Solaris 2.2 (SunOS 5.2).
     Sun is preparing a version of this patch for Solaris 2.3 but no
     patch ID is available at this time.

     ** This vulnerability is being actively exploited and we strongly
        recommend that sites take immediate and corrective action. **

     A. Description

        A vulnerability exists in /usr/lib/sendmail such that remote
        users may gain access to affected systems.

     B. Impact

        Unauthorized access to affected systems may occur.

     C. Solution

        1.  Obtain and install the appropriate patch following the
            instructions included with the patch.

        System       Patch ID   Filename         BSD         Solaris
                                                 Checksum    Checksum
        ------       --------   ---------------  ---------   -----------
        SunOS 4.1.x  100377-07  100377-07.tar.Z  36122  586  11735 1171
        Solaris 2.1  100840-03  100840-03.tar.Z  01153  194  39753  388
        Solaris 2.2  101077-03  101077-03.tar.Z  49343  177  63311  353

        The checksums shown above are from the BSD-based checksum
        (on 4.1.x, /bin/sum; on Solaris, /usr/ucb/sum) and from the SVR4
        version that Sun has released with Solaris (/usr/bin/sum).


II.  Solaris 2.x /bin/tar Vulnerability

     This vulnerability exists in all versions of Solaris 2.x including
     Solaris 2.1 and Solaris 2.2.  Information about patches for current 
     versions of Solaris is described below.  Sun is preparing a patch 
     for the upcoming Solaris 2.3 release. The patch ID will be 101327-01, 
     and it will be available as soon as Solaris 2.3 is shipped.

     This vulnerability does not exist in SunOS 4.1.x systems.

     A. Description
        
        A security vulnerability exists in /bin/tar such that tarfiles
        created using this utility may incorporate portions of the
        /etc/passwd file.  

     B. Impact

        Usernames and other information from /etc/passwd and /etc/group
        may be disclosed. However, since Solaris 2.x uses shadow passwords,
        encrypted passwords should not appear in /etc/passwd and therefore
        should not be disclosed by this vulnerability.

     C. Solution

        We recommend that all affected sites take the following steps
        to secure their systems.

        1.  Obtain and install the appropriate patch following the
            instructions included with the patch.

        System       Patch ID   Filename         BSD         Solaris
                                                 Checksum    Checksum
        ------       --------   ---------------  ---------   -----------
        Solaris 2.1  100975-02  100975-02.tar.Z  37034 374   13460  747 
        Solaris 2.2  101301-01  101301-01.tar.Z  22089 390    4703  779 

        The checksums shown above are from the BSD-based checksum 
        (on 4.1.x, /bin/sum; on Solaris, /usr/ucb/sum) and from the SVR4 
        version that Sun has released with Solaris 2.x (/usr/bin/sum).

        2.  If your site is not using shadow passwords, we recommend
            that all passwords be changed, especially those for
            sensitive accounts such as root.

        3.  Depending upon the sensitivity of the information contained
            in the /etc/passwd file, sites may wish to replace existing
            tar files where this is possible.  Restoring an existing
            archive file, and then producing a new tarfile with the
            patched tar, will result in a clean archive file.

        
III. /dev/audio Vulnerability

     This vulnerability affects all Sun systems with microphones. This
     includes all versions of SunOS 4.1.x including 4.1.1, 4.1.2, 4.1.3,
     4.1.3c, and all versions of Solaris 2.x including Solaris 2.1 
     (SunOS 5.1) and Solaris 2.2 (SunOS 5.2).  Sun is addressing this 
     problem in Solaris 2.3.

     A. Description

        /dev/audio is set to a default mode of 666. There is also no
        indication to the user of the system that the microphone is on.

     B. Impact

        Any user with access to the system can eavesdrop on conversations
        held in the vicinity of the microphone. 

     C. Solution

        To prevent unauthorized listening with the microphone, the
        permissions of the audio data device (/dev/audio) should allow 
        only the user logged in on the console of the machine to read 
        /dev/audio. To prevent unauthorized changes in playback and record 
        settings, the permissions on /dev/audioctl should be similarly 
        changed.

        *** Any site seriously concerned about the security risks
        associated with the microphone should either switch off the
        microphone, or unplug the microphone to prevent unauthorized
        listening. ***

        1. Restricting access on 4.x systems

        Use fbtab(5) to restrict the access to these devices. See the
        man page for more information about this procedure.

        2. Restricting access on Solaris 2.x systems

        To restrict access to these devices to a specific users, the 
        permissions on the device files must be manually changed.

        As root:

        # chmod 600 /dev/audio
        # chown <console user's username>.<desired group> /dev/audio
        # chmod 600 /dev/audioctl
        # chown <console user's username>.<desired group> /dev/audio


- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Paul De Bra, Department
of Computing Science, Eindhoven University of Technology; David Slade of
Bellcore; and Mabry Tyson of SRI for reporting these vulnerabilities, and 
Sun Microsystems, Inc. for their response to these problems.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in FIRST (Forum of Incident
Response and Security Teams).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from cert.org (192.88.209.5).

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaMxSnVP+x0t4w7BAQHblAQAp7xhLyTHXaWhg11gSqrhUBQhhSUo4Kxo
4GGkfIQk2Gr0i3/v/qxl6N3dOwFuKKEh7R7fEiz8lby1YPpVARYx/HAuQ2qmLwhs
0LIgkvAtN5FD8V7ZEKjru8k3Ctvda4n95fyqm+ViV2r3uMNtJZHMYB+F/Pf/nsjD
TAnBB6vTPiA=
=2raZ
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH