ciac-08.sunos-restore
________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
ADVISORY NOTICE
________________________________________________________________
Announcement of Vulnerability in the SunOS Restore Utility
The Computer Incident Advisory Capability (CIAC) has learned of a vulnerability
in SunOS. This vulnerability is in the restore utility. Because restore is
setuid to root, it allows an ordinary user to obtain unauthorized privileges.
This vulnerability is found in all SunOS 4.x systems (4.0, 4.0.1, and 4.0.3).
This vulnerability can, however, be exploited only by users who have an account
on a SunOS 4.x system.
Sun Microsystems is aware of this vulnerability (Sun Bug 1019265) and is
developing a permanent solution in a future SunOS release. However, until
this fix is available, you should install one of two temporary fixes:
Temporary Solution 1: Make restore non-setuid, using the following
workaround:
    chmod 750 /usr/etc/restore
This solution is appropriate for systems that do restore locally and use
the root account to do restores. It eliminates the vulnerability in restore.
However, in addition to making restore non-setuid, this solution makes restore
unreadable and non-executable by ordinary (non-root) users, and restricts the
use of remote restore by these users. For example, with SunOS, a user who is
not root cannot get a privileged port. If temporary solution 1 has been
implemented, an ordinary user who requests a remote tape drive to do restore
would discover that restore would be unable to obtain a privileged port.
Therefore, the remote tape drive would not work.
Temporary Solution 2: Use the following workaround:
    cd /usr/etc
    chgrp operator restore
    chmod 4550 restore
You should use this solution if you do remote restore outside of the root
account. You may substitute "operator" with any other group that contains
the users you want to use restore. The group "operator" is a default group
on SunOS 4.x. With this method, restore is still setuid and vulnerable,
but you will have an accountable group of users who can use restore. The
4550 makes restore readable and executable by root and the group you specified,
and unreadable by everyone else. Thus, this solution does not totally disable
the remote restore capability, but allows designated user groups to have
this capability.
In addition, as a preventive security measure, we suggest that you restrict
the accessibility of dump. The "dump" utility, the partner of restore, is
frequently used to do backups on a system. Restore is used to extract the
files that dump has stored on tape. CIAC's recommendation is to make dump
unreadable, non-executable and unwritable to everyone by using the following
workaround:
    chmod 6750 /usr/etc/dump
This will restrict access to dump by allowing its use only by root and the
group to which dump belongs (e.g., operator, staff, or wheel).
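
The following check is an added example, not part of the CIAC advisory: it classifies a file's permission bits into the states that the temporary fixes above produce, so the result of either workaround can be verified. It assumes a system with GNU stat; the function names, state labels and the --audit switch are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify permission bits the way
# the advisory's temporary fixes reason about them.

# classify_mode OCTAL
#   not-setuid          setuid bit clear (Temporary Solution 1, e.g. 750)
#   setuid-group-only   setuid, no access for "other" (e.g. 4550, 6750)
#   setuid-world-access setuid and still reachable by ordinary users
classify_mode() {
    case $1 in
        ''|*[!0-7]*) echo "invalid"; return 1 ;;
    esac
    m=$((0$1))                      # leading 0 forces octal interpretation
    if [ $((m & 04000)) -eq 0 ]; then
        echo "not-setuid"
    elif [ $((m & 0007)) -eq 0 ]; then
        echo "setuid-group-only"
    else
        echo "setuid-world-access"
    fi
}

# audit_file PATH: print "path mode group state" for one binary.
# Assumption: GNU stat (-c) is available on the system being checked.
audit_file() {
    [ -e "$1" ] || { echo "$1 missing"; return 2; }
    mode=$(stat -c '%a' "$1") || return 2
    group=$(stat -c '%G' "$1") || return 2
    echo "$1 $mode $group $(classify_mode "$mode")"
}

# Paths are the ones named in the advisory; they are absent on other systems.
if [ "${1:-}" = "--audit" ]; then
    for f in /usr/etc/restore /usr/etc/dump; do audit_file "$f"; done
fi
```

A result of setuid-world-access for restore means neither temporary fix is in place; setuid-group-only corresponds to Temporary Solution 2, where the group shown is the accountable set of users.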
For further information, contact:
Ana Maria de Alvare'
Computer Incident Advisory Capability
Lawrence Livermore National Laboratory
P.O. Box 808, L-303
Livermore, CA 94550
(415) 422-7007 or (FTS) 532-7007
anamaria@lll-lcc.llnl.gov