             _____________________________________________________
                  The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
             _____________________________________________________

                             INFORMATION BULLETIN

                     Summary of SunOS Security Patches

August 6, 1993 1200 PDT                                       Number D-20
__________________________________________________________________________

PROBLEM:   Security vulnerabilities in all versions of SunOS.
PLATFORM:  All Sun Microsystems workstations.
DAMAGE:    Unauthorized access to system and files, denial of service.
SOLUTION:  Apply appropriate security patches.
__________________________________________________________________________

           Critical Information about SunOS Security Patches

This bulletin is an update to CIAC Bulletin C-29.

CIAC has compiled a list of all security related patches currently
available from Sun Microsystems. The patches have been grouped by SunOS
version and are detailed below. CIAC recommends the installation of any
applicable patches that either are not currently present on a system or
are present in the form of an older version of the patch.

Sun security patches are available through both your Sun Answer Center
and anonymous FTP. In the U.S., ftp to ftp.uu.net (IP 192.48.96.9) and
retrieve the patches from the directory /systems/sun/sun-dist. In Europe,
ftp to mcsun.eu.net (IP 192.16.202.1) and retrieve the patches from the
/sun/fixes directory. The patches are contained in compressed tarfiles
with filenames based on the ID number of the patch (e.g. patch 100085-03
is contained in the file 100085-03.tar.Z), and must be retrieved using
FTP's binary transfer mode.

After obtaining the patches, compute the checksum of each compressed
tarfile and compare with the values indicated below. For example, the
command "/usr/bin/sum 100085-03.tar.Z" should return "44177 740". Please
note that Sun Microsystems occasionally updates patch files, resulting in
a changed checksum. If you should find a checksum that differs from those
listed below, please contact Sun Microsystems or CIAC for verification
before using the patch.

The patches may be extracted from the compressed tarfiles using the
commands uncompress and tar. For example, to extract patch 100085-03 from
the compressed tarfile 100085-03.tar.Z, execute the commands
"uncompress 100085-03.tar.Z" and "tar xvf 100085-03.tar". For specific
instructions regarding the installation of a particular patch, consult
the README file accompanying each patch.

As multiple patches may affect the same files, it is recommended that
patches be installed chronologically by revision date, with the exception
of patches for which an explicit order is specified.

=======================
SunOS 5.2 (Solaris 2.2)
=======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
101090-01  28-Jun-93     44985 54    expreserve can overwrite any file

=======================
SunOS 5.1 (Solaris 2.1)
=======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100833-02  12-Jan-93     24412 309   C2 auditing missing in some programs
100840-01  12-Jan-93     25050 220   sendmail bypasses mailhost
100884-01  12-Feb-93     63299 5220  Security fixes for sun4m machines
101089-01  28-Jun-93     4501 54     expreserve can overwrite any file

=======================
SunOS 5.0 (Solaris 2.0)
=======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100723-01  24-Aug-92     49406 2     Incorrect permissions after install
101119-01  28-Jun-93     61863 54    expreserve can overwrite any file

===========
SunOS 4.1.3
===========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100448-01  10-Dec-91     29285 5     OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100296-04  18-Jun-92     42492 40    File systems exported incorrectly
100507-04   3-Sep-92     57590 61    tmpfs file system vulnerability
100372-02   8-Sep-92     22739 712   tfs fails under C2
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100564-05  11-Nov-92     00115 824   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02   2-Dec-92     34315 483   Console can be redirected
100623-03  11-Dec-92     56063 141   NFS file handles can be guessed
100173-10   7-Jan-93     48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100891-01  19-Feb-93     33195 3075  Netgroup and xlock vulnerabilities
100224-06   5-Mar-93     57647 54    mail and rmail can invoke root shells
101080-01   9-Jun-93     45221 13    expreserve can overwrite any file

===========
SunOS 4.1.2
===========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100448-01  10-Dec-91     29285 5     OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39    Environment variables vulnerability
100633-01  22-May-92     33264 20    Environment variables with Sun's ARM
100296-04  18-Jun-92     42492 40    File systems exported incorrectly
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100507-04   3-Sep-92     57590 61    tmpfs file system vulnerability
100372-02   8-Sep-92     22739 712   tfs fails under C2
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100564-05  11-Nov-92     00115 824   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02   2-Dec-92     34315 483   Console can be redirected
100623-03  11-Dec-92     56063 141   NFS file handles can be guessed
100173-10   7-Jan-93     48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100224-06   5-Mar-93     57647 54    mail and rmail can invoke root shells
101080-01   9-Jun-93     45221 13    expreserve can overwrite any file

===========
SunOS 4.1.1
===========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100085-03   5-Sep-90     44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05   8-Jul-91     41964 164   telnet permits password capture
100424-01  12-Nov-91     63070 50    NFS file handles can be guessed
100448-01  10-Dec-91     29285 5     OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39    Environment variables vulnerability
100633-01  22-May-92     33264 20    Environment variables with Sun's ARM
100296-04  18-Jun-92     42492 40    File systems exported incorrectly
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100507-04   3-Sep-92     57590 61    tmpfs file system vulnerability
100372-02   8-Sep-92     22739 712   tfs fails under C2
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100201-06   5-Nov-92     13145 164   C2 jumbo patch
100267-09   6-Nov-92     55338 5891  Netgroup membership check fails
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02   2-Dec-92     34315 483   Console can be redirected
100173-10   7-Jan-93     48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100224-06   5-Mar-93     57647 54    mail and rmail can invoke root shells
101080-01   9-Jun-93     45221 13    expreserve can overwrite any file

=========
SunOS 4.1
=========

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100101-02   7-Aug-90     42872 34    ptrace security vulnerability
100085-03   5-Sep-90     44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05   8-Jul-91     41964 164   telnet permits password capture
100630-01  18-May-92     28074 39    Environment variables vulnerability
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100377-05  15-Sep-92     29141 1076  sendmail security holes
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100201-06   5-Nov-92     13145 164   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02   2-Dec-92     34315 483   Console can be redirected
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100121-09  24-Feb-93     57589 360   NFS jumbo patch
101080-01   9-Jun-93     45221 13    expreserve can overwrite any file

======================
SunOS 4.0.3 and 4.0.3c
======================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100100-01  30-Jul-90     43821 588   sendmail permits root level access
100101-02   7-Aug-90     42872 34    ptrace security vulnerability
100085-03   5-Sep-90     44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05   8-Jul-91     41964 164   telnet permits password capture
100383-06  26-Jan-93     58984 121   rdist can create setuid root files

============
SunOS 4.0.2i
============

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100108-01  22-Aug-90     50309 146   sendmail security vulnerability

=====================
SunOS 4.0.1 and 4.0.2
=====================

Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100085-03   5-Sep-90     44177 740   Sunview selection_svc vulnerability

For additional information or assistance, please contact CIAC at
(510) 423-9878 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.

Previous CIAC Bulletins and other information are available via
anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and shall
not be used for advertising or product endorsement purposes.
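
The checksum comparison described under "Critical Information about SunOS Security Patches", written as a batch check over a list of downloaded tarfiles. This is an added example, not part of the CIAC bulletin: the function names and the manifest layout are assumptions, and it assumes the local sum command prints the checksum and block count as its first two fields using the same algorithm as the listed values.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): gate extraction on the
# bulletin's "checksum blocks" pairs. Function names and the manifest
# layout are assumptions made for this sketch.

# Print "<checksum> <blocks>" for a file with leading zeros stripped, so
# "06627 33" in a listing and "6627 33" from a tool compare equal.
file_sum() {
    sum < "$1" | awk '{ print $1 + 0, $2 + 0 }'
}

# verify_patches MANIFEST DIR
# MANIFEST lines: "<patch-id> <checksum> <blocks>", '#' starts a comment,
# e.g. "100085-03 44177 740" for DIR/100085-03.tar.Z.
# Returns 0 only when every listed tarfile is present and matches.
verify_patches() {
    manifest=$1
    dir=$2
    bad=0
    while read -r id want_sum want_blocks rest || [ -n "$id" ]; do
        case $id in '' | '#'*) continue ;; esac
        f="$dir/$id.tar.Z"
        if [ ! -f "$f" ]; then
            echo "MISSING  $id"
            bad=1
            continue
        fi
        want=$(echo "$want_sum $want_blocks" | awk '{ print $1 + 0, $2 + 0 }')
        got=$(file_sum "$f")
        if [ "$got" = "$want" ]; then
            echo "OK       $id"
        else
            # Per the bulletin: do not use the patch until Sun or CIAC
            # has verified the differing checksum.
            echo "MISMATCH $id (listed $want, computed $got)"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Typical use: extract only after the whole set verifies.
#   verify_patches manifest.txt . &&
#       uncompress 100085-03.tar.Z && tar xvf 100085-03.tar
```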