|
_______________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ Information Bulletin Sun Security Patches and Software Updates March 19, 1993 1400 PST Number D-11 __________________________________________________________________________ PROBLEM: Security vulnerabilities in SunOS, DNI, and PC-NFS. PLATFORM: All Sun platforms running SunOS 4.0.3 or later, including Solaris 2.0 and 2.1. DAMAGE: Unauthorized root access, denial of service, and other as detailed below. SOLUTION: Apply Sun patches and/or obtain software upgrades. __________________________________________________________________________ Critical Facts about Sun Security Patches and Software Upgrades CIAC has received information from Sun Microsystems regarding the availability of new and updated security patches for the SunOS operating system. Sun Microsystems has also announced the availability of new versions of its DECnet Interface (DNI) and PC-NFS software packages that correct security vulnerabilities of previous releases. PATCH INFORMATION ================= Sun security patches are available through your local Sun Answer Center and via anonymous ftp. In the U.S., ftp to ftp.uu.net and retrieve the patches from the /systems/sun/sun-dist directory. In Europe, ftp to mcsun.eu.net and retrieve the patches from the /sun/fixes directory. The patches are contained in compressed tarfiles named [patch].tar.Z. For example, if you wish to obtain patch 100891-01, the corresponding compressed tarfile would be named 100891-01.tar.Z. Each compressed tarfile has been checksummed using the SunOS "sum" command. After retrieving each patch, the checksum should be recomputed and compared to those listed in this bulletin. If you find that the checksum for a patch differs from those listed below, please contact Sun Microsystems or CIAC for confirmation before using the patch. To install the patches, follow the instructions contained in the README files that accompany each patch. Patches Providing New or Additional Security Features ===================================================== The following patches are either new security patches or new versions of existing patches that provide additional security features or support additional Sun platforms. CIAC recommends the installation of all applicable security patches. Patch Checksum SunOS Versions ----- -------- -------------- 100891-01 33195 3075 4.1.3 libc replacement - Corrects insecure handling of netgroups and fixes a bug in xlock that could cause it to crash and leave the system unprotected. 100884-01 03775 2610 5.1 (Solaris 2.1) Closes security vulnerability with the srmmu window handler. 100833-02 49753 155 5.1 (Solaris 2.1) Required for use of Sun's unbundled Basic Security Module (BSM) with Solaris 2.1. 100623-03 56063 141 4.1.2, 4.1.3 UFS Jumbo Patch - Non-random file handles can be guessed. This patch should be applied after the most recent version of 100173. 100448-01 29285 5 4.1.1, 4.1.2, 4.1.3 OpenWindows 3.0 loadmodule Patch - This release adds support for SunOS 4.1.3. Sites running SunOS 4.1.1 or 4.1.2 do not need to install this patch again if it was previously installed. 100305-11 38582 500 4.1, 4.1.1, 4.1.2, 4.1.3 This patch fixes incorrect user ID checking in /usr/ucb/lpr. 100121-09 57589 360 4.1 NFS Jumbo Patch - This patch adds support for sun4e architectures. Other architectures need not reinstall the patch if a previous version was installed. Patches Updated with Non-security Features ========================================== The following security patches have been updated with non-security related enhancements. Systems with previous versions of these patches already installed do not need install the new versions unless the additional non-security related enhancements are desired. Patch Checksum SunOS Versions ----- -------- -------------- 100513-02 34315 483 4.1, 4.1.1, 4.1.2, 4.1.3 Jumbo tty Patch - This release fixes a tty bug that can cause system crashes. Previous releases corrected a vulnerability that allowed console input and output to be redirected. 100482-04 06594 342 4.1, 4.1.1, 4.1.2, 4.1.3 ypserv and ypxfrd security patch - Corrects incorrect DNS lookup failures when a host is up but has no nameserver running. Previous releases of this patch corrected a condition that allowed NIS to distribute maps, including the password map, to anyone. Note: the /var/yp/securenets configuration file cannot contain blank lines. 100452-28 07299 1688 4.1, 4.1.1, 4.1.2, 4.1.3 XView 3.0 Jumbo Patch - This release fixes several OpenWindows and XView bugs, including problems with mailtool and filemgr. Previous releases corrected a problem with cmdtool that allowed the disclosure of passwords. 100383-06 58984 121 4.0.3, 4.1, 4.1.1, 4.1.2, 4.1.3 rdist Patch - This release allows /usr/ucb/rdist to transfer hard linked files. Previous releases of this patch corrected a bug that allowed users to gain root access. 100224-06 57647 54 4.1.1, 4.1.2, 4.1.3 /bin/mail Jumbo Patch - This release corrects a problem that caused /bin/mail to crash. Previous releases corrected a problem that allowed /bin/mail to be used to invoke a root shell. 100173-10 48086 788 4.1.1, 4.1.2, 4.1.3 NFS Jumbo Patch - This release corrects poor NFS write append performance. Previous versions of this patch corrected a bug with the handling of setuid programs copied to NFS file systems. DECnet Interface (DNI) Update ============================= Versions of Sun's DNI product prior to 7.0.1 are known to have two security vulnerabilities: - dni_rc_ins creates an rc script with world writable permissions. - Files copied to VAX/VMS systems using dnicp are assigned incorrect permissions. To close the vulnerabilities, Sun recommends that you upgrade to DNI version 7.0.1. Sun has distributed the upgrade free of charge to all customers with a DNI support contract. Those customers not on software support should obtain the upgrade through their standard Sun sales channels. PC-NFS Update ============= The PC-NFS printing and authentication daemon pcnfsd allows unauthorized access to the system. It is recommended that sites with pcnfsd installed upgrade to the latest version. The latest version of pcnfsd may be obtained free of charge via anonymous ftp from bcm.tmc.edu in the /pcnfs directory and from src.doc.ic.ac.uk in the /pub/sun/pc-nfs directory in a file named pcnfsd.93.02.16.tar.Z. For additional information or assistance, please contact CIAC at (510) 422-8193 / FTS or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002 / FTS. Previous CIAC bulletins and other information are available via anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60). CIAC wishes to thank Ken Pon and Mark Allen of Sun Microsystems for their assistance in the preparation of this bulletin. PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.