________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Protecting SUN OS Systems Against SATAN
April 7, 1995 900 PST Number F-21
_____________________________________________________________________
PROBLEM: SATAN, a tool for scanning Unix systems was released on
April 5. The tools identifies exploitable vulnerabilities,
most of which can be patched.
PLATFORM: This bulletins focuses on SATAN's impact on SUN OS
Systems.
DAMAGE: Anyone running SATAN can gain vulnerability information
that can be exploited with other tools to gain privileged
access.
SOLUTION: Update all SUN OS systems with the patches identified
below.
AVAILABILITY: All patches are available now.
_____________________________________________________________________
VULNERABILITY When SATAN was released via the Internet on April 5, it
ASSESSMENT: is available to anyone, including system administrators
and security specialists who protect corporate systems.
It is also available to others who could use it to gain
information about unpatched system vulnerabilities and
then exploit these vulnerabilities with other tools to
gain unauthorized access.
_____________________________________________________________________
CRITICAL Information for patching SUN OS Vulnerabilities
CIAC has obtained information from Sun Microsystems describing the
specific patches for the vulnerabilities SATAN will scan for. Specific
patch details are provided below.
[BEGINNING OF SUNOS BULLETIN]
------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00130, 4 April 1995
------------------------------------------------------------------------
I. Discussion of SATAN's potential impact
Many people have asked for our evaluation of the package. What can
it do? How will it be used? What steps, if any, should
administrators of Sun systems take in reaction to the software's
release? Our answers here are based on our study of a pre-release
version made available to UNIX vendors last month.
A. What can it do?
SATAN provides a new and easy way to test UNIX systems for the
presence of several well-known security holes. None of the
problems probed for are new. Each one (in the version we have
seen) has already been discussed in previous CERT and Sun bulletins
and each can be countered either by installing the appropriate
patch or fixing a system configuration flaw. SATAN does not
introduce a distinct new threat to UNIX systems.
B. How will it be used?
Its authors, free-lance programmers Dan Farmer of the U.S. and
Wietse Venema of the Netherlands, intend SATAN as a protective tool
for system and network administrators. Its simple point-and-click
interface and broad distribution, however, make it likely that
SATAN will also be used to locate vulnerable systems for malicious
reasons.
C. What steps should system administrators take?
Sun recommends that customers:
1. Install all available security patches. A comprehensive list is
included in this bulletin.
2. Tighten up system and network configurations to close the other
security holes probed by SATAN. We have included here a set of
specific recommendations as a guide for your use.
3. Obtain a copy of SATAN and study it. Learn how it can be used
and familiarize yourself with its attacks.
II. List of currently available security patches.
Solaris 1.1 (SunOS 4.1.3) Patches Containing Security Fixes:
--------------------------------------------------------------
100103-12 SunOS 4.1.3;4.1.3_U1: set file permissions to more secure
mode
100272-07 SunOS 4.1.3: Security update for in.comsat.
100296-04 SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world
100305-15 SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch
100372-02 * SunOS 4.1.1;4.1.2;4.1.3: tfs and c2 do not work together
100377-19 SunOS 4.1.3: sendmail jumbo patch
100383-06 SunOS 4.0.3;4.1;4.1.1;4.1.2;4.1.3: rdist security and hard
links enhancement,
100482-06 SunOS 4.1;4.1.1;4.1.2;4.1.3: ypserv and ypxfrd fix, plus DNS
fix
100507-06 SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch
100513-04 * SunOS 4.1.1;4.1.2;4.1.3: Jumbo tty patch
100564-07 * SunOS 4.1.2, 4.1.3: C2 Jumbo patch
100567-04 SunOS 4.1,4.1.1, 4.1.2, 4.1.3: mfree and icmp redirect
security patch
100593-03 SunOS 4.1.3: Security update for dump.
100623-03 SunOS 4.1.2;4.1.3: UFS jumbo patch
100630-02 SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit
login/su
100631-01 SunOS 4.1 4.1.1 4.1.2 4.1.3: env variables can be used to
exploit login
100890-10 SunOS 4.1.3: domestic libc jumbo patch
100891-10 SunOS 4.1.3: international libc jumbo patch
100909-03 SunOS 4.1.1;4.1.2;4.1.3: Security update for syslogd.
101072-02 SunOS 4.1.1;4.1.2;4.1.3: Non-related data filled the last
block tarfile
101080-01 SunOS 4.1.1 4.1.2 4.1.3: security problem with expreserve
101200-03 SunOS 4.1.3: Breach of security using modload
101480-01 SunOS 4.1.1;4.1.2;4.1.3: Security update for in.talkd.
101481-01 SunOS 4.1.3: Security update for shutdown.
101482-01 SunOS 4.1.3, 4.1.2, 4.1.1: Security update for write.
101640-03 SunOS 4.1.3: in.ftpd logs password info when -d option is
used.
102023-03 SunOS 4.1.3: Root access possible via forced passwd race
condition
100448-02 OpenWindows 3.0: loadmodule is a security hole.
100452-68 OpenWindows 3.0: XView 3.0 Jumbo Patch
100478-01 OpenWindows 3.0: xlock crashes leaving system open
Solaris 1.1.1 (SunOS 4.1.3_U1) Patches Containing Security Fixes:
-------------------------------------------------------------------
100103-12 SunOS 4.1.3;4.1.3_U1: set file permissions to more secure
mode
101434-03 SunOS 4.1.3_U1: lpr Jumbo Patch
101436-08 SunOS 4.1.3_U1: patch for mail executable
101440-01 SunOS 4.1.3_U1: security problem: methods to exploit login/su
101558-04 SunOS 4.1.3_U1: international libc jumbo patch
101579-01 SunOS 4.1.3_U1: Security problem with expreserve for Solaris
1.1.1
101587-01 SunOS 4.1.3_U1: security patch for mfree and icmp redirect
101621-02 SunOS 4.1.3_U1: Jumbo tty patch
101665-04 SunOS 4.1.3_U1: sendmail jumbo patch
101679-01 SunOS 4.1.3_U1: Breach of security using modload
101759-02 SunOS 4.1.3_U1: domestic libc jumbo patch
102060-01 SunOS 4.1.3_U1: Root access possible via passwd race
condition
100448-02 OpenWindows 3.0: loadmodule is a security hole.
100452-68 OpenWindows 3.0: XView 3.0 Jumbo Patch
100478-01 OpenWindows 3.0: xlock crashes leaving system open
Solaris 1.1.2 (SunOS 4.1.4) Patches Containing Security Fixes:
----------------------------------------------------------------
102414-01 SunOS 4.1.4: mail jumbo patch
102423-01 SunOS 4.1.4: Sendmail jumbo patch
100448-02 OpenWindows 3.0: loadmodule is a security hole.
100452-68 OpenWindows 3.0: XView 3.0 Jumbo Patch
100478-01 OpenWindows 3.0: xlock crashes leaving system open
Solaris 2.2 Patches Containing Security Fixes:
------------------------------------------------
100999-71 SunOS 5.2: jumbo kernel patch
101090-01 SunOS 5.2: fixes security hole in expreserve
101301-03 SunOS 5.2: security bug & tar fixes
101842-01 SunOS 5.2: sendmail jumbo patch
Solaris 2.3 Patches Containing Security Fixes:
------------------------------------------------
101318-70 SunOS 5.3: Jumbo patch for kernel (includes libc, lockd)
101327-08 SunOS 5.3: security and miscellaneous tar fixes
101572-03 SunOS 5.3: cron and at fixes
101582-03 * SunOS 5.3: POINT PATCH: Password aging & NIS+ don't work
(together)
101615-02 SunOS 5.3: miscellaneous utmp fixes
101620-01 * SunOS 5.3: keyserv has a file descriptor leak
101631-02 SunOS 5.3: kd and ms fixes
101712-01 SunOS 5.3: uucleanup isn't careful enough when sending mail
101736-03 * SunOS 5.3: nisplus patch
101739-07 SunOS 5.3: sendmail jumbo patch - security
101786-02 * SunOS 5.3: inetd fixes
102034-01 SunOS 5.3: portmapper security hole
102167-01 SunOS 5.3: dns fix
102220-02 * SunOS 5.3: libbsm fixes
101513-06 * OpenWindows 3.3: Security loophole cm with access list and
permissions
101889-03 OpenWindows 3.3: filemgr forked executable ff.core has a
security hole.
Solaris 2.4 Patches Containing Security Fixes:
------------------------------------------------
101945-23 SunOS 5.4: jumbo patch for kernel
102044-01 SunOS 5.4: bug in mouse code makes "break root" attack
possible
102066-04 SunOS 5.4: sendmail bug fixes
102070-01 SunOS 5.4: Bugfix for rpcbind/portmapper
102216-01 SunOS 5.4: NFS client starts using unreserved UDP port
numbers
102218-02 * SunOS 5.4: libbsm fixes
102277-02 * SunOS 5.4: nss_nisplus.so.1 fixes
102336-01 * SunOS 5.4: POINT PATCH: 1091205 - Password aging & NIS+
don't work
102922-01 * SunOS 5.4: inetd fix
Solaris 2.4_x86 Patches Containing Security Fixes:
------------------------------------------------
101946-12 SunOS 5.4_x86: jumbo patch for kernel
101982-02 SunOS 5.4_x86: login & security fixes
102064-04 SunOS 5.4_x86: sendmail bug fixes
102071-01 SunOS 5.4_x86: Bugfix for rpcbind/portmapper
102217-01 SunOS 5.4_x86: NFS client starts using unreserved UDP port
numbers
102219-02 * SunOS 5.4_x86: libbsm fixes
*=indicates if a security patch is not listed in the Recommended Patch
List, usually because the patch is determined to be more application dependent and
may not be generally relevant.
III. Set of recommended procedures
........................................................................
Improving security on your Sun workstation
4 April 1995
........................................................................
This document is intended as a "cookbook" for improving security on
Sun workstations.
In addition to following the steps below, you should consult the following CERT
documents for guidance on improving the security of your systems:
ftp://info.cert.org/tech_tips/security_info
ftp://info.cert.org/tech_tips/anonymous_ftp
ftp://info.cert.org/tech_tips/packet_filtering
Notes on this document:
SunOS versions 4.x will be referenced as "4.x", Solaris versions 2.x
will be referenced as "5.x" in this document.
........................................................................
a. Security patches
Install all applicable security patches for the OS you are
running. It is important to keep up with the security patches.
The patches change over time. Keep your internet machines up to
date. SunSolve Online provides an easy way of doing this: select
the appropriate patches, and add them to your "notify" list. You
will be notified any time the patches are revised.
b. Single user boot security
Set up servers to ensure a password must be given upon single
user boot. Additionally, remote login as root should be
disabled. Root logins can still be accomplished, but users must
first login as a user and then su to root. This is done for
logging and accountability purposes.
SunOS:
Remove all of the "secure" keywords from all /etc/ttytab
entries.
Solaris:
Include the line "CONSOLE=/dev/console" in
/etc/default/login file.
c. Trust
Servers should not trust any other server or host, including
dump servers. "Trust" is defined as trusted network access via
the files:
/.rhosts, /etc/hosts.equiv and ~/.rhosts
If servers must trust others, trust should be given to a user as
well as a host. The /.rhosts, /etc/hosts.equiv and ~/.rhosts
file should contain two entries per line, one entry for the host
and an additional entry for the particular user that is to be
trusted from the host.
Example:
Trust user bgp from host umnp1
umnp1 bgp
d. Root's Path
Root's path should be restricted. The root user should not
include the current directory in the search path. Root's .cshrc,
.login or .profile files should not contain the current
directory in the execute path for commands. remove any "." or
":.:" entry from /.cshrc, /.profile and /.login files.
e. NIS
Master slave servers should not use NIS for password
information. Additionally, under SunOS, NIS clients should
contain strings which specify the server in their /etc/password
file of the form "+servername" as opposed to the default of
"+::-:0:". Under 5.x, NIS clients should bind using a list of
servers (see ypinit -c) as opposed to using a broadcast to find
a server.
f. Aliases
Remove the "decode" alias in /etc/aliases. The file permissions
for /etc/aliases should be 0644 and owned by root.
g. Login accounting file permissions
The /etc/utmp file should not be world writable.
chmod 644 /etc/utmp
h. Turn off all unnecessary RPC services
Comment out the rpc services that aren't needed in the
/etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file.
In particular, disable the following services: rexd, fingerd,
systat, netstat, rusersd, sprayd, and *uucpd.
Make sure to restart inetd once the changes are made:
5.x:
# ps -ef | grep inetd
4.x:
# ps -auxww | grep inetd
both:
root 121 1 80 Mar 22 ? 2:52
/usr/sbin/inetd -s
# kill -HUP 121
i. TFTPD
Disable tftpd. If it must be running, configure it to run within
a particular directory by specifying the "-s /tftpboot" in the
/etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file
(5.x).
4.x:
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s
/tftpboot
5.x:
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s
/tftpboot
j. Passwords
All local and NIS passwords should have a password. The *uucp,
bin, audit, sys, ftp, nobody, daemon, news and sync accounts
should be disabled by adding a "*" in the password field (4.x)
or a "NP" in the /etc/shadow file password field (5.x).
The login shell should be set to /bin/false for all the
specified accounts as well. The uucp accounts (if any) should
have the shell set to /usr/lib/uucp/uucico.
k. UID restrictions
No accounts other than root should have the user id (UID) of 0.
l. NFS Export restrictions
NFS exports should be restricted to particular hosts, and no
exports should be writable.
For example, in 4.x the /etc/exports file could contain:
/home -access=upk1,ro
or for 5.x the /etc/dfs/dfstab file could contain:
share -F nfs -o ro=upk1 /home
m. NFS mount restrictions
NFS mount file systems with the "nosuid" options if at all:
4.x:
mount -o nosuid,bg big1:/home /bighome
5.x:
mount -F nfs -o nosuid,bg big1:/home /bighome
n. NIS configuration
If the server is an NIS master server, it should be configured
not to include the password maps, or at least not include the
actual encrypted password information. Additionally, yppasswdd
should be turned off on the NIS server since NIS clients will
not need to change the NIS password information.
o. EEPROM Security
The eeprom on the server should be set to require a password
before being booted from CD or tape from the prom monitor:
eeprom secure=command
p. IP Spoofing
Many of the above attacks can be combined with IP spoofing
to allow false IP authentication to occur. Configure firewall
routers to prevent externally initiated connections, as
described in the recent CERT bulletin (CA-95:01).
q. Passwords
If you ftp or telnet or rlogin across an insecure network,
your password has traveled cleartext across networks which
might be traced by sniffers. Change your password as soon as
possible.
r. Security Checks
Perform regular security checks of the system (weekly at least).
APPENDICES
A. How to obtain Sun security patches
1. If you have a support contract
Customers with Sun support contracts can obtain the patches listed
here--and all other Sun security patches--from:
- Local Sun answer centers, worldwide
- SunSolve Online, and SunSITEs worldwide
The patches are available via World Wide Web at
http://sunsolve1.sun.com.
You should also contact your answer center if you have a support
contract and:
- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready
2. If you do not have a support contract
Sun also makes its security patches available to customers who do
not have a support contract, via anonymous ftp:
- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net
In some cases patches will appear on the European site a day or
two after a bulletin is released.
Sun does not furnish patches to any external distribution sites
other than the ones mentioned here.
3. About the checksums
Patches announced in a Sun security bulletin are uploaded to the
ftp.*.net sites just before the bulletin is released, and seldom
updated. In contrast, the "supported" patch databases are
refreshed nightly, and will often contain newer versions of a patch
incorporating changes which are not security-related.
So that you can quickly verify the integrity of the patch files
themselves, we supply checksums for the tar archives in each
bulletin. The listed checksums should always match those on the
ftp.*.net systems. (The rare exceptions are listed in the
"checksums" file there.)
Normally, the listed checksums will also match the patches on the
SunSolve database. However, this will not be true if we have
changed (as we sometimes do) the README file in the patch after the
bulletin has been released.
In the future we plan to provide checksum information for the
individual components of a patch as well as the compressed archive
file. This will allow customers to determine, if need be, which
file(s) have been changed since we issued the bulletin containing
the checksums.
If you would like assistance in verifying the integrity of a patch
file please contact this office or your local answer center.
B. How to report or inquire about Sun security problems
If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:
- Your local Sun answer centers
- Your representative computer security response team, such as
CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue Mountain
View, CA 94043-1100
Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM
We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional
notification to the security-alert alias is suggested but should
not be used as your primary vehicle for reporting a bug.
C. How to obtain Sun security bulletins
1. Subscription information
Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.
To subscribe to this bulletin series, send mail to the address
"security-alert@Sun.COM" with the subject "subscribe CWS
your-mail-address" and a message body containing affiliation and
contact information. To request that your name be removed from the
mailing list, send mail to the same address with the subject
"unsubscribe CWS your-mail-address". Do not include other requests
or reports in a subscription message.
Due to the volume of subscription requests we receive, we cannot
guarantee to acknowledge requests. Please contact this office if
you wish to verify that your subscription request was received, or
if you would like your bulletin delivered via postal mail or fax.
2. Obtaining old bulletins
Sun Security Bulletins are archived on ftp.uu.net (in the same
directory as the patches) and on SunSolve. Please try these
sources first before contacting this office for old bulletins.
------------
[End of SUNOS Bulletin]
CIAC recently released CIAC NOTES 07a article (April 5, 1995) that is devoted to
SATAN. The article was based on beta-releases of SATAN and is applicable to the
current version 1.0 release of SATAN. There were no major operational changes
between the latest beta release and the current version 1.0 public release. By
configuring a system correctly, installing all the latest patches, and monitoring
system usage, most of SATAN's techniques can be countered, or at a minimum
detected. Unfortunately, complete protection from SATAN is difficult. Most of the
vulnerabilities it looks for are easily addressable, but some do not yet have
satisfactory solutions.
CIAC has recently written a program to defend against SATAN and other similar tools.
The program, called Courtney, monitors the connections to the ports probed by SATAN.
When an attack by SATAN takes place, the offending host will be reported.
CIAC has also make available the current release of SATAN
SATAN is made up of HyperText Markup Language (HTML) documents, C code, and Perl
scripts which generate HTML code dynamically. It requires an HTML viewer (Mosaic,
Netscape, or Lynx), a C compiler, and PERL version 5. The user simply interacts with
a WWW client, entering necessary data into forms. The control panel for SATAN
provides four hypertext options: Target Selection, Reporting & Data Analysis,
Documentation, and Configuration & Administration.
Refer to CIAC Notes 7 for an indepth look at SATAN.
________________________________________________________________________________
CIAC wishes to thank Mark Graff of Sun Microsystems for their response to this
problem.
________________________________________________________________________________
CIAC is the computer security incident response team for the U.S. Department of
Energy. Services are available free of charge to DOE and DOE contractors.
For emergencies and off-hour assistance, DOE and DOE contractor sites can contact
CIAC 24-hours a day via an integrated voicemail and SKYPAGE number. To use this
service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The primary SKYPAGE PIN
number, 8550070 is for the CIAC duty person. A second PIN, 8550074 is for the CIAC
Project Leader. CIAC's FAX number is 510-423-8002, and the STU-III number is 510-
423-2604. Send E-mail to ciac@llnl.gov.
Previous CIAC notices, anti-virus software, and other information are available on
the CIAC Bulletin Board and the CIAC Anonymous FTP server. The CIAC Bulletin Board
is accessed at 1200 or 2400 baud at 510-423-4753 and 9600 baud at 510-423-3331. The
CIAC Anonymous FTP server is available on the Internet at ciac.llnl.gov (IP address
128.115.19.53).
CIAC has several self-subscribing mailing lists for electronic publications: CIAC-
BULLETIN, CIAC-NOTES , SPI-ANNOUNCE, and SPI-NOTES.To subscribe (add yourself) to
one of our mailing lists, send requests of the following form to ciac-
listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
ATTENTION!! CIAC now has a web server at http://ciac.llnl.gov.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, express or implied, or
assumes any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the University
of California, and shall not be used for advertising or product endorsement
purposes.
CIAC BULLETINS ISSUED IN FY95 (Previous bulletins available from CIAC)
(F-01) SGI IRIX serial_ports Vulnerability
(F-02) Summary of HP Security Bulletins
(F-03) Restricted Distribution
(F-04) Security Vulnerabilities in DECnet/OSI for OpenVMS
(F-05) SCO Unix at, login, prwarn, sadc, and pt_chmod
Patches Available
(F-06) Novell UnixWare sadc, urestore, and suid_exec Vulnerabilities
(F-07) New and Revised HP Bulletins
(F-08) Internet Address Spoofing and Hijacked Session Attacks
(F-09) Unix /bin/mail Vulnerabilities
(F-10) HP-UX Remote Watch
(F-11) Unix NCSA httpd Vulnerability
(F-12) Kerberos Telnet Encryption Vulnerability
(F-13) Unix sendmail vulnerabilities
(F-14) HP-UX Malicious Code Sequences
(F-15) HP-UX ÔatÕ and ÔcronÕ vulnerabilities
(F-16) SGI IRIX Desktop Permissions Tool Vulnerability
(F-17) Cray TCP/IP Sequence Number Spoofing
(F-18) MPE/iX Vulnerabilities
(F-19) Protecting HP-UX Systems Against SATAN
(F-20) Security Administrator Tool for Analyzing Networks (SATAN)
CIAC NOTES ISSUED IN FY1995 (Previous Notes available from CIAC)
04c December 8, 1994
05d January 11, 1995
06 March 22, 1995
07 March 29, 1995
08 April 4, 1995
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
