
Sun Automountd Patch

            _____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /   
                          \___  __|__  /   \  \___
            _____________________________________________________

INFORMATION BULLETIN

Sun Announces Patches for automountd Vulnerability


May 5, 1994 1200 PDT                                            Number E-18
______________________________________________________________________________

PROBLEM:        Vulnerability in Solaris 2.3 "automountd".
PLATFORM:       Sun: Solaris 2.3 only. No other Sun OSs are affected.
DAMAGE:         The vulnerability allows a user with an unprivileged account 
                to get root access on a Solaris 2.3 system.
SOLUTION:       Retrieve and install the indicated patch.
______________________________________________________________________________

VULNERABILITY   As of the date of this bulletin, Sun has had no reports of 
ASSESSMENT:     this hole being exploited, but the hole is serious, and CIAC
                strongly recommends that this patch be installed.
______________________________________________________________________________

                  Critical Information about Sun Patches

CIAC has received information from Sun Microsystems regarding the availability 
of Sun patch 101329-15 which will fix the automountd vulnerability. The 
following text is from the Sun Microsystems Security Bulletin #00127a, which 
supersedes bulletin #00127 issued on 5/4/94.

    Patch 101329-15 fixes a bug in the Solaris 2.3 version of automountd
    which allows a user with an unprivileged account on a 2.3 system to
    gain root access.

    No reports of this vulnerability being exploited have yet come to the
    attention of this office. We nevertheless recommend that all affected
    customers close this very serious security hole.

    The automountd fix is bundled into the Solaris 2.3 jumbo NIS+ patch.
    The first version of the patch to contain the security fix was
    101329-10; but we recommend the installation of the latest version
    (currently 101329-15).

    This bug is not found in any other SunOS version, including Solaris x86.
    The fix has been integrated into the upcoming Solaris 2.4 release.

    NOTE: The original version of this bulletin, issued yesterday,
    referred to version -13 of the patch as the latest. Shortly after
    the bulletin was issued, however, version -15 (skipping -14) was
    released, superseding the earlier version on SunSolve. For that
    reason--and also to correct a last-minute typographical error--we
    are issuing this revised bulletin. We apologize for the error and
    regret any inconvenience.

    To assist those who have already installed version -13 in deciding
    whether to install -15 as well, we provide here a summary of the bugs
    first fixed in the newer version. None specifically relate to security.
    
    1163847 automountd doesn't work with Apollo pathnames which start with //
    1153274 machine panics with recursive mutex_enter while using automounter
    1156518 Cannot mount mvs/nfs mounts using autofs under Solaris 2.2 & 2.3.

The following table contains the checksums for the NIS+ patch (#101329-15).
______________________________________________________________________________
File Name        BSD Checksum SVR4 Checksum MD5 Digital Signature
101329-15.tar.Z  55492 843    46189 1685    19AA042484727A5DE9CB21199858071A  
______________________________________________________________________________
The checksums shown in the table are from the BSD-based checksum program 
distributed with the system software (on 4.1.x, /bin/sum; on Solaris 2.x, 
/usr/ucb/sum) and from the SVR4 version checksum program distributed with 
Solaris 2.x (/usr/bin/sum).  MD5 software can be retrieved via anonymous FTP 
from irbis.llnl.gov in the file /pub/util/crypto/md5.tar (MD5 checksum of 
md5.tar: B6B90CC7C56353FC643DF25B6F730D21).
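As an added example (not part of the CIAC bulletin or Sun's own tooling), the script below recomputes the three checksums from the table above over a local copy of the patch archive and reports any that disagree. The file name, the checksum values and the block sizes (1K for the BSD sum, 512 bytes for the SVR4 sum) come from the bulletin; the function names and the MD5 call are my additions, and the algorithms are the ones the BSD and System V `sum` programs use.

```python
"""Check a downloaded 101329-15.tar.Z against the checksums published in the bulletin."""
import hashlib
import sys
from pathlib import Path

# Row copied verbatim from the bulletin's checksum table.
ADVISORY_ROW = "101329-15.tar.Z  55492 843    46189 1685    19AA042484727A5DE9CB21199858071A"


def parse_row(row):
    """Split one table row into file name, (BSD sum, 1K blocks), (SVR4 sum, 512B blocks), MD5."""
    name, bsd_ck, bsd_blk, svr4_ck, svr4_blk, md5 = row.split()
    return {"file": name, "bsd": (int(bsd_ck), int(bsd_blk)),
            "svr4": (int(svr4_ck), int(svr4_blk)), "md5": md5.lower()}


def bsd_sum(data):
    """BSD sum (/usr/ucb/sum): rotate the 16-bit accumulator right, add the byte; count 1K blocks."""
    ck = 0
    for b in data:
        ck = (ck >> 1) + ((ck & 1) << 15)
        ck = (ck + b) & 0xFFFF
    return ck, -(-len(data) // 1024)


def sysv_sum(data):
    """SVR4 sum (/usr/bin/sum): 32-bit byte total folded twice into 16 bits; count 512-byte blocks."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16), -(-len(data) // 512)


def expected_for(data):
    """Expected-values dict for arbitrary data, in the same shape parse_row() produces."""
    return {"bsd": bsd_sum(data), "svr4": sysv_sum(data), "md5": hashlib.md5(data).hexdigest()}


def check_patch(data, expected):
    """Return the names of the checks that disagree with the table; an empty list means all match."""
    problems = []
    if bsd_sum(data) != expected["bsd"]:
        problems.append("bsd")
    if sysv_sum(data) != expected["svr4"]:
        problems.append("svr4")
    if hashlib.md5(data).hexdigest() != expected["md5"]:
        problems.append("md5")
    return problems


if __name__ == "__main__":
    exp = parse_row(ADVISORY_ROW)
    path = Path(sys.argv[1] if len(sys.argv) > 1 else exp["file"])  # default: file named in the table
    bad = check_patch(path.read_bytes(), exp)
    print("all checksums match" if not bad else "MISMATCH in: " + ", ".join(bad))
    sys.exit(1 if bad else 0)
```

A match only shows the archive is the one the bulletin describes; it says nothing about the channel the bulletin itself arrived over, and MD5 has since lost collision resistance, so today this guards against corruption rather than a deliberately crafted substitute.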

Individuals with Sun support contracts may obtain these patches from their 
local Sun Answer Center or from SunSolve Online. Security patches are also 
available without a support contract via anonymous FTP from ftp.uu.net (IP 
address 192.48.96.9) in the directory /systems/sun/sun-dist.
______________________________________________________________________________
CIAC would like to thank Mark Graff of Sun Microsystems for the information 
contained in this advisory.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest).  Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines.  To subscribe (add yourself) to one of our mailing
lists, send E-mail to: ciac-listproc@llnl.gov with the following request as
the E-mail message body, substituting CIAC-BULLETIN or CIAC-NOTES for
[list-name] and valid information for the other items in parentheses:
        subscribe  [list-name]  Full_Name  Phone_number
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring 
by the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall
not be used for advertising or product endorsement purposes.
