----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00130A, 5 April 1995 ----------------------------------------------------------------------------- ADDENDUM This is an amended version of Sun Microsystems Security Bulletin #00130 containing an updated list of recently released security patches. BULLETIN TOPICS In this bulletin Sun discusses the potential impact of the release of "SATAN", a public domain software package which probes UNIX systems for security holes. We also include here a list of available security patches for each supported SUNOS release, and a set of procedures we recommend to help protect Sun systems against external attack. SATAN was released today, 5 April 1995. This package is the same one discussed in the recent CERT bulletin CA-95:06. I. Discussion of SATAN's potential impact on customer systems. II. List of currently available Sun security patches. III. Set of recommended security procedures. APPENDICES A. How to obtain Sun security patches B. How to report or inquire about Sun security problems C. How to obtain Sun security bulletins /\ Send Replies or Inquiries To: \\ \ \ \\ / Mark Graff / \/ / / Sun Security Coordinator / / \//\ MS MPK3 \//\ / / 2550 Garcia Avenue / / /\ / Mountain View, CA 94043-1100 / \\ \ Phone: 415-688-9081 \ \\ Fax: 415-688-9764 \/ E-mail: security-alert@Sun.COM ----------- Permission is granted for the redistribution of this Bulletin for the purpose of alerting Sun customers to problems, as long as the Bulletin is not edited and is attributed to Sun Microsystems. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ----------------------------------------------------------------------------- SUN MICROSYSTEMS SECURITY BULLETIN: #00130, 4 April 1995 ----------------------------------------------------------------------------- I. Discussion of SATAN's potential impact Many people have asked for our evaluation of the package. What can it do? How will it be used? What steps, if any, should administrators of Sun systems take in reaction to the software's release? Our answers here are based on our study of a pre-release version made available to UNIX vendors last month. A. What can it do? SATAN provides a new and easy way to test UNIX systems for the presence of several well-known security holes. None of the problems probed for are new. Each one (in the version we have seen) has already been discussed in previous CERT and Sun bulletins and each can be countered either by installing the appropriate patch or fixing a system configuration flaw. SATAN does not introduce a distinct new threat to UNIX systems. B. How will it be used? Its authors, free-lance programmers Dan Farmer of the U.S. and Wietse Venema of the Netherlands, intend SATAN as a protective tool for system and network administrators. Its simple point-and-click interface and broad distribution, however, make it likely that SATAN will also be used to locate vulnerable systems for malicious reasons. C. What steps should system administrators take? Sun recommends that customers: 1. Install all available security patches. A comprehensive list is included in this bulletin. 2. Tighten up system and network configurations to close the other security holes probed by SATAN. We have included here a set of specific recommendations as a guide for your use. 3. Obtain a copy of SATAN and study it. Learn how it can be used and familiarize yourself with its attacks. II. List of currently available security patches. Solaris 1.1 (SunOS 4.1.3) Patches Containing Security Fixes: -------------------------------------------------------------- 100103-12 SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode 100272-07 SunOS 4.1.3: Security update for in.comsat. 100296-04 SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world 100305-15 SunOS 4.1.1, 4.1.2, 4.1.3: lpr Jumbo Patch 100372-02 * SunOS 4.1.1;4.1.2;4.1.3: tfs and c2 do not work together 100377-19 SunOS 4.1.3: sendmail jumbo patch 100383-06 SunOS 4.0.3;4.1;4.1.1;4.1.2;4.1.3: rdist security and hard links enhancement, 100482-06 SunOS 4.1;4.1.1;4.1.2;4.1.3: ypserv and ypxfrd fix, plus DNS fix 100507-06 SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch 100513-04 * SunOS 4.1.1;4.1.2;4.1.3: Jumbo tty patch 100564-07 * SunOS 4.1.2, 4.1.3: C2 Jumbo patch 100567-04 SunOS 4.1,4.1.1, 4.1.2, 4.1.3: mfree and icmp redirect security patch 100593-03 SunOS 4.1.3: Security update for dump. 100623-03 SunOS 4.1.2;4.1.3: UFS jumbo patch 100630-02 SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit login/su 100631-01 SunOS 4.1 4.1.1 4.1.2 4.1.3: env variables can be used to exploit login 100890-10 SunOS 4.1.3: domestic libc jumbo patch 100891-10 SunOS 4.1.3: international libc jumbo patch 100909-03 SunOS 4.1.1;4.1.2;4.1.3: Security update for syslogd. 101072-02 SunOS 4.1.1;4.1.2;4.1.3: Non-related data filled the last block tarfile 101080-01 SunOS 4.1.1 4.1.2 4.1.3: security problem with expreserve 101200-03 SunOS 4.1.3: Breach of security using modload 101480-01 SunOS 4.1.1;4.1.2;4.1.3: Security update for in.talkd. 101481-01 SunOS 4.1.3: Security update for shutdown. 101482-01 SunOS 4.1.3, 4.1.2, 4.1.1: Security update for write. 101640-03 SunOS 4.1.3: in.ftpd logs password info when -d option is used. 102023-03 SunOS 4.1.3: Root access possible via forced passwd race condition 100448-02 OpenWindows 3.0: loadmodule is a security hole. 100452-68 OpenWindows 3.0: XView 3.0 Jumbo Patch 100478-01 OpenWindows 3.0: xlock crashes leaving system open Solaris 1.1.1 (SunOS 4.1.3_U1) Patches Containing Security Fixes: ------------------------------------------------------------------- 100103-12 SunOS 4.1.3;4.1.3_U1: set file permissions to more secure mode 101434-03 SunOS 4.1.3_U1: lpr Jumbo Patch 101436-08 SunOS 4.1.3_U1: patch for mail executable 101440-01 SunOS 4.1.3_U1: security problem: methods to exploit login/su 101558-04 SunOS 4.1.3_U1: international libc jumbo patch 101579-01 SunOS 4.1.3_U1: Security problem with expreserve for Solaris 1.1.1 101587-01 SunOS 4.1.3_U1: security patch for mfree and icmp redirect 101621-02 SunOS 4.1.3_U1: Jumbo tty patch 101665-04 SunOS 4.1.3_U1: sendmail jumbo patch 101679-01 SunOS 4.1.3_U1: Breach of security using modload 101759-02 SunOS 4.1.3_U1: domestic libc jumbo patch 102060-01 SunOS 4.1.3_U1: Root access possible via passwd race condition 100448-02 OpenWindows 3.0: loadmodule is a security hole. 100452-68 OpenWindows 3.0: XView 3.0 Jumbo Patch 100478-01 OpenWindows 3.0: xlock crashes leaving system open Solaris 1.1.2 (SunOS 4.1.4) Patches Containing Security Fixes: ---------------------------------------------------------------- 102414-01 SunOS 4.1.4: mail jumbo patch 102423-01 SunOS 4.1.4: Sendmail jumbo patch 100448-02 OpenWindows 3.0: loadmodule is a security hole. 100452-68 OpenWindows 3.0: XView 3.0 Jumbo Patch 100478-01 OpenWindows 3.0: xlock crashes leaving system open Solaris 2.2 Patches Containing Security Fixes: ------------------------------------------------ 100999-71 SunOS 5.2: jumbo kernel patch 101090-01 SunOS 5.2: fixes security hole in expreserve 101301-03 SunOS 5.2: security bug & tar fixes 101842-01 SunOS 5.2: sendmail jumbo patch Solaris 2.3 Patches Containing Security Fixes: ------------------------------------------------ 101318-70 SunOS 5.3: Jumbo patch for kernel (includes libc, lockd) 101327-08 SunOS 5.3: security and miscellaneous tar fixes 101572-03 SunOS 5.3: cron and at fixes 101582-03 * SunOS 5.3: POINT PATCH: Password aging & NIS+ don't work (together) 101615-02 SunOS 5.3: miscellaneous utmp fixes 101620-01 * SunOS 5.3: keyserv has a file descriptor leak 101631-02 SunOS 5.3: kd and ms fixes 101712-01 SunOS 5.3: uucleanup isn't careful enough when sending mail 101736-03 * SunOS 5.3: nisplus patch 101739-07 SunOS 5.3: sendmail jumbo patch - security 101786-02 * SunOS 5.3: inetd fixes 102034-01 SunOS 5.3: portmapper security hole 102167-01 SunOS 5.3: dns fix 102220-02 * SunOS 5.3: libbsm fixes 101513-06 * OpenWindows 3.3: Security loophole cm with access list and permissions 101889-03 OpenWindows 3.3: filemgr forked executable ff.core has a security hole. Solaris 2.4 Patches Containing Security Fixes: ------------------------------------------------ 101945-23 SunOS 5.4: jumbo patch for kernel 102044-01 SunOS 5.4: bug in mouse code makes "break root" attack possible 102066-04 SunOS 5.4: sendmail bug fixes 102070-01 SunOS 5.4: Bugfix for rpcbind/portmapper 102216-01 SunOS 5.4: NFS client starts using unreserved UDP port numbers 102218-02 * SunOS 5.4: libbsm fixes 102277-02 * SunOS 5.4: nss_nisplus.so.1 fixes 102336-01 * SunOS 5.4: POINT PATCH: 1091205 - Password aging & NIS+ don't work 102922-01 * SunOS 5.4: inetd fix Solaris 2.4_x86 Patches Containing Security Fixes: ------------------------------------------------ 101946-12 SunOS 5.4_x86: jumbo patch for kernel 101982-02 SunOS 5.4_x86: login & security fixes 102064-04 SunOS 5.4_x86: sendmail bug fixes 102071-01 SunOS 5.4_x86: Bugfix for rpcbind/portmapper 102217-01 SunOS 5.4_x86: NFS client starts using unreserved UDP port numbers 102219-02 * SunOS 5.4_x86: libbsm fixes *=indicates if a security patch is not listed in the Recommended Patch List, usually because the patch is determined to be more application dependent and may not be generally relevant. III. Set of recommended procedures ........................................................................ Improving security on your Sun workstation 4 April 1995 ........................................................................ This document is intended as a "cookbook" for improving security on Sun workstations. In addition to following the steps below, you should consult the following CERT documents for guidance on improving the security of your systems: ftp://info.cert.org/tech_tips/security_info ftp://info.cert.org/tech_tips/anonymous_ftp ftp://info.cert.org/tech_tips/packet_filtering Notes on this document: SunOS versions 4.x will be referenced as "4.x", Solaris versions 2.x will be referenced as "5.x" in this document. ........................................................................ a. Security patches Install all applicable security patches for the OS you are running. It is important to keep up with the security patches. The patches change over time. Keep your internet machines up to date. SunSolve Online provides an easy way of doing this: select the appropriate patches, and add them to your "notify" list. You will be notified any time the patches are revised. b. Single user boot security Set up servers to ensure a password must be given upon single user boot. Additionally, remote login as root should be disabled. Root logins can still be accomplished, but users must first login as a user and then su to root. This is done for logging and accountability purposes. SunOS: Remove all of the "secure" keywords from all /etc/ttytab entries. Solaris: Include the line "CONSOLE=/dev/console" in /etc/default/login file. c. Trust Servers should not trust any other server or host, including dump servers. "Trust" is defined as trusted network access via the files: /.rhosts, /etc/hosts.equiv and ~/.rhosts If servers must trust others, trust should be given to a user as well as a host. The /.rhosts, /etc/hosts.equiv and ~/.rhosts file should contain two entries per line, one entry for the host and an additional entry for the particular user that is to be trusted from the host. Example: Trust user bgp from host umnp1 umnp1 bgp d. Root's Path Root's path should be restricted. The root user should not include the current directory in the search path. Root's .cshrc, .login or .profile files should not contain the current directory in the execute path for commands. remove any "." or ":.:" entry from /.cshrc, /.profile and /.login files. e. NIS Master slave servers should not use NIS for password information. Additionally, under SunOS, NIS clients should contain strings which specify the server in their /etc/password file of the form "+servername" as opposed to the default of "+::-:0:". Under 5.x, NIS clients should bind using a list of servers (see ypinit -c) as opposed to using a broadcast to find a server. f. Aliases Remove the "decode" alias in /etc/aliases. The file permissions for /etc/aliases should be 0644 and owned by root. g. Login accounting file permissions The /etc/utmp file should not be world writable. chmod 644 /etc/utmp h. Turn off all unnecessary RPC services Comment out the rpc services that aren't needed in the /etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file. In particular, disable the following services: rexd, fingerd, systat, netstat, rusersd, sprayd, and *uucpd. Make sure to restart inetd once the changes are made: 5.x: # ps -ef | grep inetd 4.x: # ps -auxww | grep inetd both: root 121 1 80 Mar 22 ? 2:52 /usr/sbin/inetd -s # kill -HUP 121 i. TFTPD Disable tftpd. If it must be running, configure it to run within a particular directory by specifying the "-s /tftpboot" in the /etc/inetd.conf file (4.x) or the /etc/inet/inetd.conf file (5.x). 4.x: tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot 5.x: tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot j. Passwords All local and NIS passwords should have a password. The *uucp, bin, audit, sys, ftp, nobody, daemon, news and sync accounts should be disabled by adding a "*" in the password field (4.x) or a "NP" in the /etc/shadow file password field (5.x). The login shell should be set to /bin/false for all the specified accounts as well. The uucp accounts (if any) should have the shell set to /usr/lib/uucp/uucico. k. UID restrictions No accounts other than root should have the user id (UID) of 0. l. NFS Export restrictions NFS exports should be restricted to particular hosts, and no exports should be writable. For example, in 4.x the /etc/exports file could contain: /home -access=upk1,ro or for 5.x the /etc/dfs/dfstab file could contain: share -F nfs -o ro=upk1 /home m. NFS mount restrictions NFS mount file systems with the "nosuid" options if at all: 4.x: mount -o nosuid,bg big1:/home /bighome 5.x: mount -F nfs -o nosuid,bg big1:/home /bighome n. NIS configuration If the server is an NIS master server, it should be configured not to include the password maps, or at least not include the actual encrypted password information. Additionally, yppasswdd should be turned off on the NIS server since NIS clients will not need to change the NIS password information. o. EEPROM Security The eeprom on the server should be set to require a password before being booted from CD or tape from the prom monitor: eeprom secure=command p. IP Spoofing Many of the above attacks can be combined with IP spoofing to allow false IP authentication to occur. Configure firewall routers to prevent externally initiated connections, as described in the recent CERT bulletin (CA-95:01). q. Passwords If you ftp or telnet or rlogin across an insecure network, your password has traveled cleartext across networks which might be traced by sniffers. Change your password as soon as possible. r. Security Checks Perform regular security checks of the system (weekly at least). APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain the patches listed here--and all other Sun security patches--from: - Local Sun answer centers, worldwide - SunSolve Online, and SunSITEs worldwide The patches are available via World Wide Web at http://sunsolve1.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Sun also makes its security patches available to customers who do not have a support contract, via anonymous ftp: - In the US, from /systems/sun/sun-dist on ftp.uu.net - In Europe, from ~ftp/sun/fixes on ftp.eu.net In some cases patches will appear on the European site a day or two after a bulletin is released. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. 3. About the checksums Patches announced in a Sun security bulletin are uploaded to the ftp.*.net sites just before the bulletin is released, and seldom updated. In contrast, the "supported" patch databases are refreshed nightly, and will often contain newer versions of a patch incorporating changes which are not security-related. So that you can quickly verify the integrity of the patch files themselves, we supply checksums for the tar archives in each bulletin. The listed checksums should always match those on the ftp.*.net systems. (The rare exceptions are listed in the "checksums" file there.) Normally, the listed checksums will also match the patches on the SunSolve database. However, this will not be true if we have changed (as we sometimes do) the README file in the patch after the bulletin has been released. In the future we plan to provide checksum information for the individual components of a patch as well as the compressed archive file. This will allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. If you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. B. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - This office. Address postal mail to: Sun Security Coordinator MS MPK2-04 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-688-9081 Fax: 415-688-9101 E-mail: security-alert@Sun.COM We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. C. How to obtain Sun security bulletins 1. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To subscribe to this bulletin series, send mail to the address "security-alert@Sun.COM" with the subject "subscribe CWS your-mail-address" and a message body containing affiliation and contact information. To request that your name be removed from the mailing list, send mail to the same address with the subject "unsubscribe CWS your-mail-address". Do not include other requests or reports in a subscription message. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. 2. Obtaining old bulletins Sun Security Bulletins are archived on ftp.uu.net (in the same directory as the patches) and on SunSolve. Please try these sources first before contacting this office for old bulletins. ------------