__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Vulnerability in RaQ 4 Servers
[CERT® Advisory CA-2002-35]
December 12, 2002 20:00 GMT Number N-025
______________________________________________________________________________
PROBLEM: A remotely exploitable vulnerability has been discovered in Sun Cobalt RaQ 4 Server Appliances running Sun's Security Hardening Package (SHP).
PLATFORM: Sun Cobalt RaQ 4 Server Appliances
DAMAGE: Exploiting this vulnerability could allow a remote attacker to execute arbitrary code with superuser privileges.
SOLUTION: Check with your vendor for patches or workarounds.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is HIGH. An exploit is publicly available and may be circulating. Sun confirms that a remote root exploit does affect the Sun/Cobalt RaQ4 platform if the SHP (Security Hardening Patch) patch was installed.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-025.shtml
ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2002-35.html
PATCHES:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377
______________________________________________________________________________
[***** Start CERT® Advisory CA-2002-35 *****]
CERT® Advisory CA-2002-35 Vulnerability in RaQ 4 Servers
Original release date: December 11, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Sun Cobalt RaQ 4 Server Appliances with the Security Hardening Package installed
Overview
A remotely exploitable vulnerability has been discovered in Sun Cobalt RaQ 4 Server
Appliances running Sun's Security Hardening Package (SHP). Exploitation of this
vulnerability may allow remote attackers to execute arbitrary code with superuser
privileges.
I. Description
Cobalt RaQ 4 is a Sun Server Appliance. For background information on Cobalt RaQ 4,
please see the COBALT RaQ 4 User Manual. Sun provides a Security Hardening Package
(SHP) for Cobalt RaQ 4. Although the SHP is not installed by default, many users
choose to install it on their RaQ 4 servers. For background information on the SHP,
please see the SHP RaQ 4 User Guide.
A vulnerability in the SHP may allow a remote attacker to execute arbitrary code on a
Cobalt RaQ 4 Server Appliance. The vulnerability occurs in a cgi script that does not
properly filter input. Specifically, overflow.cgi does not adequately filter input
destined for the email variable. Because of this flaw, an attacker can use a POST
request to fill the email variable with arbitrary commands. When overflow.cgi is then
invoked, the command placed in the email variable is executed with superuser
privileges.
An exploit is publicly available and may be circulating.
Further information about this vulnerability may be found in VU#810921 in the CERT/CC
Vulnerability Notes Database.
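The defect class described above, an unfiltered form variable reaching a command interpreter, beside the input check that closes it, as an added illustration written for this bulletin. This is not Sun's code and not the real overflow.cgi (whose source the advisory does not reproduce); the /bin/mail command it wraps, the function names and the sample POST bodies are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Strict allowlist for the "email" form variable: local part, "@", dotted domain.
# Shell metacharacters (; | & ` $ ( ) < > quotes, whitespace, newlines) cannot match.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Belt-and-braces second check, independent of the regex.
SHELL_META = set(";|&`$()<>\n\r\t '\"\\")


def email_is_safe(value: str) -> bool:
    """True only for a plain address with no shell metacharacters at all."""
    return EMAIL_RE.fullmatch(value) is not None and not (set(value) & SHELL_META)


def build_mail_command_unsafe(email: str) -> str:
    """Vulnerable pattern (assumed, for contrast only; never executed here):
    the raw variable is interpolated into a single shell command line, so any
    metacharacter in it becomes part of the command the shell parses."""
    return f"/bin/mail -s 'quota overflow' {email}"


def build_mail_args_safe(email: str) -> list:
    """Hardened pattern: validate first, then hand the value over as one discrete
    argv element with no shell in between, so it can only ever be an address."""
    if not email_is_safe(email):
        raise ValueError("rejected email variable")
    return ["/bin/mail", "-s", "quota overflow", email]


def handle_post(body: str) -> dict:
    """Parse an overflow.cgi-style POST body and decide whether the email
    variable would be accepted; on acceptance return the safe argv as well."""
    params = parse_qs(body, keep_blank_values=True)
    email = params.get("email", [""])[0]
    if not email_is_safe(email):
        return {"accepted": False, "email": email}
    return {"accepted": True, "email": email, "argv": build_mail_args_safe(email)}
```

Rejecting at the validator means the request never reaches the command step, which is the property the original script lacked; passing the value as its own argv element makes the validation a second line of defence rather than the only one.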
II. Impact
A remote attacker may be able to execute arbitrary code on a Cobalt RaQ 4 Server
Appliance with the SHP installed.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. As vendors
report new information to the CERT/CC, we will update this section and note the
changes in our revision history. If a particular vendor is not listed below, we have
not received their comments. Please contact your vendor directly.
Workarounds
Block access to the Cobalt RaQ 4 administrative httpd server (typically ports 81/TCP
and 444/TCP) at your network perimeter. Note that this will not protect vulnerable
hosts within your network perimeter. It is important to understand your network
configuration and service requirements before deciding what changes are appropriate.
Caveats
The patch supplied by Sun removes the SHP completely. If your operation requires the
use of the SHP, you may need to find a suitable alternative.
Appendix A. - Vendor Information
Sun Microsystems
Sun confirms that a remote root exploit does affect the Sun/Cobalt RaQ4 platform if
the SHP (Security Hardening Patch) patch was installed.
Sun has released a Sun Alert which describes how to remove the SHP patch:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377
The removal patch is available from:
http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg
Appendix B. - References
CERT/CC Vulnerability Note: VU#810921 - http://www.kb.cert.org/vuls/id/810921
Sun SHP RaQ 4 User Guide -
http://www.sun.com/hardware/serverappliances/pdfs/support/RaQ_4_SHP_UG.pdf
COBALT RaQ 4 User Manual -
http://www.sun.com/hardware/serverappliances/pdfs/manuals/manual.raq4.pdf
--------------------------------------------------------------------------------
grazer@digit-labs.org publicly reported this vulnerability.
--------------------------------------------------------------------------------
Author: Ian A. Finlay.
--------------------------------------------------------------------------------
This document is available from: http://www.cert.org/advisories/CA-2002-35.html
--------------------------------------------------------------------------------
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday
through Friday; they are on call for emergencies during other hours, on U.S. holidays,
and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP
key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send email to
majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and
Trademark Office.
--------------------------------------------------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering
Institute is furnished on an "as is" basis. Carnegie Mellon University makes no
warranties of any kind, either expressed or implied as to any matter including, but
not limited to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from patent, trademark,
or copyright infringement.
--------------------------------------------------------------------------------
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
December 11, 2002: Initial release
[***** End CERT® Advisory CA-2002-35 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns
N-016: Buffer Overrun in Microsoft Data Access Components (MDAC)
N-017: Cisco PIX Multiple Vulnerabilities
N-018: Microsoft Cumulative Patch for Internet Explorer
N-019: Samba Encrypted Password Buffer Overrun Vulnerability
N-020: Red Hat Multiple Vulnerabilities in KDE
N-021: Cumulative Patch for Internet Explorer
N-022: Red Hat Updated wget packages fix directory traversal bug
N-023: Vulnerability in CIFS/9000 Samba Server2 2
N-024: Buffer Overflow Vulnerability in Solaris X Window Font Service