_____________________________________________________
Computer Incident Advisory Capability (CIAC)
_____________________________________________________

Information Bulletin

Security Problem in SunOS fsirand Program

November 12, 1991, 1100 PDT                                      Number C-6
_________________________________________________________________________

PROBLEM:   fsirand (random number generator) program could potentially
           allow the guessing of NFS file handles
PLATFORM:  SunOS 4.1.1 systems using NFS to export file systems.
DAMAGE:    Allows potential unauthorized access to published file systems
SOLUTIONS: Apply patches as described below
_________________________________________________________________________

Critical Facts about Problem with SunOS fsirand Program

Sun Microsystems has recently released a bulletin describing a security
problem (Sun Bug ID 1063470) in the fsirand (random number generator)
program in SunOS 4.1.1. This problem allows a potential intruder to guess
NFS file handles, which could result in unauthorized access to published
NFS file systems. Sun Microsystems has developed a patched version of
fsirand (Sun Patch ID 100424-01) that provides greater randomness to the
random number generator's seed.

Sun's bulletin also provides the following information:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

This patch should only be applied in conjunction with the latest version
of the NFS jumbo patch, currently 100173-07 for SunOS 4.1.1. The NFS jumbo
patch must be applied before the fsirand patch.

NFS jumbo and fsirand patches are being developed and tested for SunOS
4.0.3 and 4.1. An announcement will be made when these patches are
available.

In order to maintain a level of minimum security requirements on your Sun
gateway systems, please note the suggestions that follow.
Users may also wish to follow the advice given below for their other file
servers that may be connected to potentially untrusted machines over a
network.

Sun recommends that you upgrade your version of SunOS to the most recent
available (currently SunOS 4.1.1), since many improvements to the security
of your system have been integrated into the most recent base operating
system. In addition, you should install all security related patches
applicable to your current version of SunOS.

Sun suggests that you apply this patch and the NFS jumbo patch to your
server if it is a gateway machine or if it exports critical file systems
and is accessible across a potentially untrusted network (e.g. the
Internet). Please refer to the README of patch 100424-01 for additional
details. The fsirand fixes have been incorporated into SYS_V Rel 4.

After applying this patch, /usr/etc/fsirand (see man page fsirand(8))
should be run on all potentially exportable partitions. Follow this with a
system reboot to complete the installation of random inode generation
numbers.

Gateway machines should also apply Patch-ID# 100296-02, which fixes the
mountd problem that allows an unprivileged client to take advantage of
character strings in /etc/hosts and /etc/netgroup that are equal to or
greater than 256.

It is also strongly advised that /etc/exports (exports(5)) files on servers
be examined and modified, if necessary, to permit only the level of file
sharing that is necessary. The exports(5) file allows an administrator to
limit the access (and type of access) of exported directories to specific
client machines. For example, a directory can be exported read-only and
root access can be granted to a specified set of clients only.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you obtain the patch from uunet (as described above), use the following
command to verify the downloaded patch from uunet.uu.net:

    > sum 100424-01.tar.Z

The result should be:

    63070 50

If you do not obtain the above result after entering the sum command,
contact Sun or CIAC to obtain new checksum values.

For additional information or assistance, please contact CIAC:

    Tom Longstaff
    (510) 423-4416** or (FTS) 543-4416
    longstaf@llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193** or
(FTS) 532-8193.

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

Sun Microsystems provided some of the information contained in this
bulletin.

Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government nor the University of
California, and shall not be used for advertising or product endorsement
purposes.
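As an added illustration of two points in the bulletin above, namely running fsirand on every potentially exportable partition and keeping /etc/exports as restrictive as the sharing actually requires, the script below is example shell written for this page; it is not code from CIAC or from Sun. It builds a constructed SunOS-style /etc/exports (read-only export, access limited to named clients, root access for one host only) and a constructed /etc/fstab, maps each exported directory to the partition behind it, and prints the fsirand invocations an administrator would review before running them on unmounted file systems. The device names, client host names, the exports option spellings and the raw-device naming convention (/dev/rsd0g for /dev/sd0g) are all assumptions about a SunOS 4.x layout.

```shell
#!/bin/sh
# Example for this page, not code from the CIAC bulletin or from Sun.
# Lists the partitions behind each exported directory so that fsirand can
# be run on all of them before the reboot the bulletin calls for.

# Constructed sample /etc/exports illustrating restrictive sharing:
# read-only export, access limited to named clients, root access granted
# only to a specific host. Option spellings are assumptions about exports(5).
sample_exports() {
cat <<'EOF'
# directory      options
/usr             -ro
/home            -access=client1:client2
/var/spool/mail  -rw=client1,root=client1
EOF
}

# Constructed sample /etc/fstab; device names are assumptions.
sample_fstab() {
cat <<'EOF'
/dev/sd0a  /               4.2  rw  1  1
/dev/sd0g  /usr            4.2  rw  1  2
/dev/sd1a  /home           4.2  rw  1  3
/dev/sd1c  /var            4.2  rw  1  4
EOF
}

# exported_devices EXPORTS FSTAB
# Prints "device mountpoint exported_dir" for each exported directory, using
# the longest fstab mount point that is a prefix of the directory, so that
# /var/spool/mail resolves to the /var partition rather than to /.
exported_devices() {
  awk '
    FNR == NR {                        # first file: fstab
      if ($0 ~ /^[ \t]*#/ || NF < 2) next
      dev[$2] = $1
      next
    }
    $0 ~ /^[ \t]*#/ || NF < 1 { next } # second file: exports
    {
      dir = $1; best = ""
      for (mp in dev) {
        if (dir == mp || index(dir, (mp == "/") ? "/" : mp "/") == 1) {
          if (length(mp) > length(best)) best = mp
        }
      }
      if (best != "") print dev[best], best, dir
      else print "UNKNOWN", "-", dir
    }
  ' "$2" "$1"
}

# fsirand_plan EXPORTS FSTAB
# One fsirand command per distinct partition, addressed by its raw device
# (assumed /dev/rXXX naming). Printed for review, not executed: fsirand(8)
# is meant for unmounted file systems, or the root file system in
# single-user mode, and a reboot follows.
fsirand_plan() {
  exported_devices "$1" "$2" | awk '$1 != "UNKNOWN" { print $1 }' | sort -u |
    sed 's|^/dev/|/dev/r|' | while read -r raw; do
      printf '/usr/etc/fsirand %s\n' "$raw"
    done
}

# Stand-alone usage on the constructed sample files.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  sample_exports > "$d/exports"
  sample_fstab > "$d/fstab"
  exported_devices "$d/exports" "$d/fstab"
  fsirand_plan "$d/exports" "$d/fstab"
  rm -rf "$d"
fi
```

Run with `sh script.sh demo` to see the mapping and the planned commands; against a real server, point `exported_devices` at the live /etc/exports and /etc/fstab and compare its output with the partitions on which fsirand has actually been run.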