_____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ INFORMATION BULLETIN 18 New and Upgraded Security Patches Available For SunOS November 11, 1992, 1200 PST Number D-04 ______________________________________________________________________________ PROBLEMS: Various security vulnerabilities. PLATFORMS: SunOS 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and 5.0 (Solaris 2.0FCS). DAMAGE: Unauthorized root access and privileges, denial of service, other damage as noted below. SOLUTION: Apply Sun Patches as described. ______________________________________________________________________________ Critical Information about SunOS Security Patches CIAC has received information from Sun Microsystems regarding the availability of the following eighteen security patches for SunOS versions 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 and Solaris 2.0FCS (which contains SunOS 5.0). The patches are available through your local Sun Answer Center and via anonymous ftp. In the U.S., ftp to ftp.uu.net and retrieve the patches from the /systems/sun/sun-dist directory. In Europe, ftp to mcsun.eu.net and retrieve the patches from the ~ftp/sun/fixes directory. The patches are contained in compressed tar files named [patch].tar.Z. For example, if you wish to obtain patch 100103-11, the tarfile would be 100103-11.tar.Z. Each patch has been checksummed using the SunOS "sum" command so its validity can be verified by the end user. If you find that the checksum differs from that listed below, please contact Sun Microsystems or CIAC for confirmation before using the patch. To install the patches on your system, follow the instructions contained in the README files which accompany each patch. The following ten patches (except for the last, which is a new patch) are new revisions, superseding older patch versions, and they all include fixes for new bugs. All designated versions of SunOS should be upgraded with these patches. Refer to the CIAC bulletins listed, or contact CIAC for more information on each vulnerability. A brief description of each patch is provided. Patch Checksum SunOS Versions CIAC Bulletins ----- -------- -------------- -------------- 100103-11 19847 6 4.1.3, 4.1.2, 4.1.1, 4.1 B-26 A shell script modifies file permissions to a more secure mode. The script changes the permissions for two additional files: /var/yp/`domainname`/mail.aliases.dir and /var/yp/`domainname`/mail.aliases.pag 100173-09 28314 788 4.1.3, 4.1.2, 4.1.1, 4.1 C-28 NFS jumbo patch - Repairs a problem when accessing NFS mounted files as root. This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded. 100267-09 55338 5891 4.1.1 (contact CIAC) This is the international version of the libc replacement with all 4.1.1 patches. New bug fixes include: innetgr may acknowledge false netgroup membership, undefined symbols when linking statically with "mblen()", mbtowc and mbstowcs give different results for same character. 100305-10 28781 368 4.1.3, 4.1.2, 4.1.1, 4.1 B-30, B-33 Fix for lpr, lpd, lpstat -v, passwd, delete, and system. This patch also contains a new bug fix for lpstat -v. 100377-05 29141 1076 4.1.3, 4.1.2, 4.1.1, 4.1 C-26, A-16 sendmail jumbo patch - Fixes sendmail, sendmail.mx Remedies five new bugs in sendmail. 100507-04 57590 61 4.1.3, 4.1.2, 4.1.1 (contact CIAC) tmpfs jumbo patch - Copying files from an NFS mounted partition to a tmpfs mount can result in a security breach. This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded. 100513-01 20616 480 4.1.3, 4.1.2, 4.1.1, 4.1 B-10 tty jumbo patch - Consolidates many patches, including security patch 100188-02 (TIOCCONS redirection of console output/input). This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded. 100201-06 13145 164 4.1.1, 4.1 (contact CIAC) C2 jumbo patch - Fixes delay with yppasswd when running C2 with NIS, unprivileged access to environment variables, and a problem where an image contains plaintext passwords and passwd.adjunct file. 100564-05 00115 824 4.1.3, 4.1.2 (contact CIAC) C2 jumbo patch - Fixes problem where an image contains plaintext passwords and passwd.adjunct file. 100723-01 22726 1 Solaris 2.0FCS/SunOS 5.0 new patch The Solaris 2.0FCS install leaves world-writable directories. NOTE: this patch contains a README file only. The README instructs the installer to run the following command as root after the installation of Solaris 2.0FCS/SunOS 5.0: #pkgchk -f correcting directory and file attributes incorrectly set during the installation process. The following patch is an upgrade for compatibility with SunOS versions 4.1.2 and 4.1.3. If you have a pre-4.1.2 system and have previously loaded this patch, you need not apply this to your system. 100372-02 22739 712 4.1.3, 4.1.2, 4.1.1 (contact CIAC) tfs and C2 do not work together. This patch is provided for C2 security, and is only necessary if you use C2 with tfs (translucent file service). The following seven patches are upgraded to be compatible with SunOS 4.1.3. If you have a pre-4.1.3 system and have previously loaded these patches, you need not apply these to your system. 100296-04 42492 40 4.1.3, 4.1.2, 4.1.1 C-06 Netgroup exports to world. 100482-03 27837 342 4.1.3, 4.1.2, 4.1.1, 4.1 C-25 ypserv, ypxfrd. Note: the /var/yp/securenets configuration file provided with this patch does not support blank lines. 100383-05 52230 135 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.3 C-04, C-08 rdist security enhancement. 100567-04 15728 11 4.1.3, 4.1.2, 4.1.1, 4.1 C-28 icmp redirects, mfree panic. This patch requires that a new kernel be configured, made and installed. The installer needs to build a new kernel only once even if multiple patches are installed, as long as all the object files (".o" files) from all patches are loaded. 100630-01 28074 39 4.1.3, 4.1.2, 4.1.1, 4.1 C-26 100631-01 44444 25 4.1.3, 4.1.2, 4.1.1, 4.1 C-26 login, su, LD_ environment variables. 100630-01 is the international version of /bin/login for systems not using the US Encryption Kit. /usr/bin/su and /usr/5bin/su from the international version are suitable for sites that use the US Encryption Kit. 100631-01 is the domestic version. To obtain 100631-01, contact your local Sun Answer Center. 100633-01 33264 20 4.1.3, 4.1.2, 4.1.1 (contact CIAC) Unbundled SunSHIELD ARM 1.0, "LD_" environment variables can be used to exploit login/su, international version. If you require additional assistance or wish to report a vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002. For emergencies only, call 1-800-SKYPAGE and enter PIN number 855-0070 (primary) or 855-0074 (secondary). The CIAC Bulletin Board, Felicia, can be accessed at 1200 or 2400 baud at (510) 423-4753 and 9600 baud at (510) 423-3331. Previous CIAC bulletins and other information is available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60). CIAC wishes to thank Ken Pon of Sun Microsystems for the information used in this bulletin. PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Some of the other teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to Docserver@First.Org with a null subject line, and the first line of the message reading: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.