________________________________________________________________

                THE COMPUTER INCIDENT ADVISORY CAPABILITY

                          CIAC ADVISORY NOTICE

________________________________________________________________

Announcement of Vulnerability in the SunOS Restore Utility

The Computer Incident Advisory Capability (CIAC) has learned of a
vulnerability in SunOS. The vulnerability is in the restore utility.
Because restore is setuid to root, it allows an ordinary user to obtain
unauthorized privileges. This vulnerability is found in all SunOS 4.x
systems (4.0, 4.0.1, and 4.0.3). It can, however, be exploited only by
users who have an account on a SunOS 4.x system.

Sun Microsystems is aware of this vulnerability (Sun Bug 1019265) and
is developing a permanent solution for a future SunOS release. Until
this fix is available, you should install one of the following two
temporary fixes.

Temporary Solution 1:

Make restore non-setuid, using the following workaround:

        chmod 750 /usr/etc/restore

This solution is appropriate for systems that do restores locally and
use the root account to do them. It eliminates the vulnerability in
restore. However, in addition to making restore non-setuid, this
solution makes restore unreadable and non-executable by ordinary
(non-root) users, and restricts the use of remote restore by these
users. For example, with SunOS, a user who is not root cannot get a
privileged port. If Temporary Solution 1 has been implemented, an
ordinary user who requests a remote tape drive for a restore would find
that restore is unable to obtain a privileged port; therefore, the
remote tape drive would not work.

Temporary Solution 2:

Use the following workaround:

        cd /usr/etc
        chgrp operator restore
        chmod 4550 restore

Use this solution if you do remote restores outside of the root
account. You may substitute for "operator" any other group that
contains the users you want to be able to use restore. The group
"operator" is a default group on SunOS 4.x.

With this method, restore is still setuid and still vulnerable, but you
will have an accountable group of users who can use restore. Mode 4550
makes restore readable and executable by root and the group you
specified, and unreadable by everyone else. Thus this solution does not
totally disable the remote restore capability, but allows designated
groups of users to keep it.

In addition, as a preventive security measure, we suggest that you
restrict the accessibility of dump. The "dump" utility, the partner of
restore, is frequently used to do backups on a system; restore is used
to extract the files that dump has stored on tape. CIAC's
recommendation is to make dump unreadable, non-executable and
unwritable by everyone other than root and the group to which dump
belongs, using the following workaround:

        chmod 6750 /usr/etc/dump

This restricts access to dump by allowing its use only by root and the
group to which dump belongs (e.g. operator, staff, or wheel).

For further information, contact:

        Ana Maria de Alvare'
        Computer Incident Advisory Capability
        Lawrence Livermore National Laboratory
        P.O. Box 808, L-303
        Livermore, CA 94550
        (415) 422-7007 or (FTS) 532-7007
        anamaria@lll-lcc.llnl.gov