Merit Joint Technical Staff
CERT Vendor-Initiated Bulletin VB-96.18 - Sun Microsystems, Inc.
- From: Jeff Ogden
- Date: Mon Nov 25 09:40:05 1996
Please pass this information on to Unix system administrators at your
organization with responsibility for Sun's Solaris operating system or
Sun's Solaris Internet Server Supplement (SISS).
-Jeff Ogden
Merit
>Date: Thu, 21 Nov 1996 16:25:38 -0500
>From: CERT Bulletin <cert-advisory@cert.org>
>To: cert-advisory@cert.org
>Subject: CERT Vendor-Initiated Bulletin VB-96.18 - Sun Microsystems, Inc.
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT(sm) Vendor-Initiated Bulletin VB-96.18
>November 21, 1996
>
>Topic: Vulnerabilities in libc and libnsl libraries
>Source: Sun Microsystems, Inc.
>
>To aid in the wide distribution of essential security information, the CERT
>Coordination Center is forwarding the following information from Sun
>Microsystems, Inc. Sun urges you to act on this information as soon as
>possible. Sun contact information is included in the forwarded text below;
>please contact them if you have any questions or need further information.
>
>
>=======================FORWARDED TEXT STARTS HERE============================
>
>=============================================================================
> SUN MICROSYSTEMS SECURITY BULLETIN: #00137, 20 Nov 1996
>=============================================================================
>
>BULLETIN TOPICS
>
>In this bulletin Sun announces the release of security-related patches
>for Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1). The
>patches relate to a single problem involving vulnerabilities in both
>the libc and libnsl libraries.
>
>Sun strongly recommends that you install these patches immediately on
>every affected system. An exploitation script was publicly released
>earlier this week for this vulnerability and the script is now widely
>distributed. Many 2.5 and 2.5.1 systems are therefore currently
>vulnerable to attack. Earlier versions of SunOS, including 4.1.x, do
>not have the bug and are not vulnerable.
>
>Since the current version (v1.0) of SISS, the Solaris Internet Server
>Supplement, is based largely on 2.5.1 code, it too is vulnerable. The
>vulnerability will be fixed in the next version of SISS.
>
>As of this writing Sun is aware of no successful attacks based on this
>problem.
>
>
>I. Who is Affected, and What to Do
>
>II. Understanding the Vulnerability
>
>III. List of Patches
>
>IV. Checksum Table
>
>
>APPENDICES
>
>A. How to obtain Sun security patches
>
>B. How to report or inquire about Sun security problems
>
>C. How to obtain Sun security bulletins or short status updates
>
>
> Send Replies or Inquiries To:
>
> Mark Graff
> Sun Security Coordinator
> MS MPK17-103
> 2550 Garcia Avenue
> Mountain View, CA 94043-1100
>
> Phone: 415-786-5274
> Fax: 415-786-7994
> E-mail: security-alert@Sun.COM
>
>
>Sun acknowledges with thanks the CERT Coordination Center (Carnegie
>Mellon University), AUSCERT, and Marko Laakso (University of Oulu) for
>their assistance in the preparation of this bulletin.
>
>Sun, CERT, and AUSCERT are all members of FIRST, the Forum of Incident
>Response and Security Teams. For more information about FIRST, visit
>the FIRST web site at "http://www.first.org/".
>
>Keywords: gethostbyname, root, libc, libnsl
>Patchlist: 103187-09, 103188-09, 103612-06, 103613-06, 103614-06
>Cross-Ref:
>
> -----------
>
>Permission is granted for the redistribution of this Bulletin, so long
>as the Bulletin is not edited and is attributed to Sun Microsystems.
>Portions may also be excerpted for re-use in other security advisories
>so long as proper attribution is included.
>
>Any other use of this information without the express written consent
>of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
>all liability for any misuse of this information by any third party.
>
>=============================================================================
> SUN MICROSYSTEMS SECURITY BULLETIN: #00137, 20 Nov 1996
>=============================================================================
>
>
>I. Who is Affected, and What to Do
>
>Sun has verified that this vulnerability affects all supported Solaris
>2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1) systems. Earlier
>versions of SunOS, including 4.1.x, do not have the bug and are not
>vulnerable.
>
>Installing and running the software provided in these patches completely
>closes the vulnerability. For information about how to obtain these and
>other Sun patches, see Appendix A.
>
>To see which version of SunOS your system is running, use a command such as:
>
> % uname -a
>
>If your system is running SunOS 5.5 or 5.5.1, it is vulnerable.
>
>
>II. Understanding the Vulnerability
>
>If exploited, this vulnerability can be used to gain root access on
>attacked systems. The attack could be initiated from a remote system.
>Even penetration through a firewall may be possible, depending upon
>which services and applications (such as rlogin) are allowed to pass
>through the firewall.
>
>Because this vulnerability is located in two key system libraries, many
>setuid/setgid system utilities are affected and possibly exploitable.
>
>There has been a buffer over-run vulnerability discovered in both the
>libc and the libnsl libraries under Solaris 2.5/2.5.1. Many setuid and
>setgid programs, as well as network programs running with root
>privileges, are dynamically linked against these libraries. This
>vulnerability has the potential for any program using these libraries,
>running with root privileges, to be exploited, giving root privileges.
>
>
>III. List of Patches
>
>The patches required to close this vulnerability are listed below.
>
> A. Solaris 2.x (SunOS 5.x) patches
>
> Patches which replace the affected libraries and executables are available
> for every supported version of SunOS 5.x.
>
> OS version Patch ID
> ---------- ---------
> SunOS 5.5 103187-09
> SunOS 5.5_X86 103188-09
> SunOS 5.5.1 103612-06
> SunOS 5.5.1_x86 103613-06
> SunOS 5.5.1_ppc 103614-06
>
>
> B. Solaris 1.x (SunOS 4.1.x) patches
>
> No patches are needed for SunOS 4.1.x, which is not vulnerable.
>
>
>IV. Checksum Table
>
>In the checksum table we show the BSD and SVR4 checksums and MD5 digital
>signatures for the compressed tar archives.
>
>File Name        BSD Checksum   SVR4 Checksum  MD5 Digital Signature
>---------------  -------------  -------------  --------------------------------
>103187-09.tar.Z  55543 2779     1318 5557      2AF86E9126BB8B0505743D0283C175A6
>103188-09.tar.Z  21952 2523     13621 5046     E0455AAC6DF587E9F9EC88082B9613B2
>103612-06.tar.Z  29415 2752     38423 5503     56DF3214D8C5CC58C9AC223C9C7ACEBC
>103613-06.tar.Z  30698 2501     29921 5002     7E27DF259B595231188D2725E2B6AE59
>103614-06.tar.Z  05172 2766     46856 5532     193E63B9C5E2B829D59B1FCBE2E2981F
>
>The checksums shown above are from the BSD-based checksum (on 4.1.x,
>/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version
>on SunOS 5.x (/usr/bin/sum).
>
>
>APPENDICES
>
>A. How to obtain Sun security patches
>
> 1. If you have a support contract
>
> Customers with Sun support contracts can obtain any patches listed
> in this bulletin (and any other patches--and a list of patches) from:
>
> - SunSolve Online
> - Local Sun answer centers, worldwide
> - SunSITEs worldwide
>
> The patches are available via World Wide Web at http://sunsolve1.sun.com.
>
> You should also contact your answer center if you have a support
> contract and:
>
> - You need assistance in installing a patch
> - You need additional patches
> - You want an existing patch ported to another platform
> - You believe you have encountered a bug in a Sun patch
> - You want to know if a patch exists, or when one will be ready
>
> 2. If you do not have a support contract
>
> Customers without support contracts may now obtain security patches,
> "recommended" patches, and patch lists via SunSolve Online.
>
> Sun does not furnish patches to any external distribution sites
> other than the ones mentioned here. The ftp.uu.net and ftp.eu.net
> sites are no longer supported.
>
> 3. About the checksums
>
> So that you can quickly verify the integrity of the patch files
> themselves, we supply in each bulletin checksums for the tar archives.
>
> Occasionally, you may find that the listed checksums do not match
> the patches on the SunSolve or SunSite database. This does not
> necessarily mean that the patch has been tampered with. More likely,
> a non-substantive change (such as a revision to the README file)
> has altered the checksum of the tar file. The SunSolve patch database
> is refreshed nightly, and will sometimes contain versions of a patch
> newer than the one on which the checksums were based.
>
> In the future we may provide checksum information for the
> individual components of a patch as well as the compressed archive
> file. This would allow customers to determine, if need be, which
> file(s) have been changed since we issued the bulletin containing
> the checksums.
>
> In the meantime, if you would like assistance in verifying the
> integrity of a patch file please contact this office or your local
> answer center.
>
>
>B. How to report or inquire about Sun security problems
>
>If you discover a security problem with Sun software or wish to
>inquire about a possible problem, contact one or more of the
>following:
>
> - Your local Sun answer centers
> - Your representative computer security response team, such as CERT
> - This office. Address postal mail to:
>
> Sun Security Coordinator
> MS MPK17-103
> 2550 Garcia Avenue
> Mountain View, CA 94043-1100
>
> Phone: 415-786-5274
> Fax: 415-786-7994
> E-mail: security-alert@Sun.COM
>
>We strongly recommend that you report problems to your local Answer
>Center. In some cases they will accept a report of a security bug
>even if you do not have a support contract. An additional notification
>to the security-alert alias is suggested but should not be used as your
>primary vehicle for reporting a bug.
>
>
>C. How to obtain Sun security bulletins or short status updates
>
> 1. Subscription information
>
> Sun Security Bulletins are available free of charge as part of
> our Customer Warning System. It is not necessary to have a Sun
> support contract in order to receive them.
>
> To receive information or to subscribe or unsubscribe from our
> mailing list, send mail to security-alert@sun.com with a subject
> line containing one of the following commands.
>
>
> Subject Information Returned/Action Taken
> ------- ---------------------------------
>
> HELP An explanation of how to get information
>
> LIST A list of current security topics
>
> QUERY [topic] The mail containing the question is relayed to
> a Security Coordinator for a response.
>
> REPORT [topic] The mail containing the text is treated as a
> security bug report and forwarded to a Security
> Coordinator for handling. Please note that this
> channel of communications does not supersede
> the use of Sun Solution Centers for this
> purpose. Note also that we do not recommend
> that detailed problem descriptions be sent in
> plain text.
>
> SEND topic Summary of the status of selected topic. (To
> retrieve a Sun Security Bulletin, supply the
> number of the bulletin, as in "SEND #103".)
>
> SUBSCRIBE Sender is added to the CWS (Customer
> Warning System) list. The subscribe feature
> requires that the sender include on the subject
> line the word "cws" and the reply email
> address. So the subject line might look like
> the following:
>
> SUBSCRIBE cws graff@sun.com
>
> UNSUBSCRIBE Sender is removed from the CWS list.
>
>
> Should your email not fit into one of the above subjects, a help
> message will be returned to you.
>
> Due to the volume of subscription requests we receive, we cannot
> guarantee to acknowledge requests. Please contact this office if
> you wish to verify that your subscription request was received, or
> if you would like your bulletin delivered via postal mail or fax.
>
> 2. Obtaining old bulletins
>
> Sun Security Bulletins are available via the security-alert alias
> and on SunSolve. Please try these sources first before contacting
> this office for old bulletins.
>
> ------------
>
>
>========================FORWARDED TEXT ENDS HERE=============================
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (FIRST).
>
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact
>the CERT staff for more information.
>
>Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>
>CERT Contact Information
>------------------------
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
> cert-advisory-request@cert.org
>
>
>CERT is a service mark of Carnegie Mellon University.
>
>This file: ftp://info.cert.org/pub/cert_bulletins/VB-96.18.sun
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>-----END PGP SIGNATURE-----
>
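An added example (not part of the bulletin or of Sun's own tooling) that turns section I and the patch table of section III into an offline check: given a host's SunOS release, platform and its `showrev -p` listing, it reports whether the libc/libnsl patch from bulletin #00137 is installed at the required revision or newer. It assumes `showrev -p` prints one line per installed patch beginning `Patch: <id>-<rev>` (the Solaris 2.x format) and that the platform strings match the `uname -p` values used below.

```shell
#!/bin/sh
# Added example, not from the bulletin: is the Sun #00137 libc/libnsl fix installed?
# Assumption: `showrev -p` output has one "Patch: <id>-<rev> ..." line per patch,
# and platform names are uname -p style (sparc, i386, ppc are assumed values).

# Patch ID that the bulletin's table requires for a release/platform pair.
required_patch() {
    case "$1:$2" in
        5.5:sparc)   echo 103187-09 ;;
        5.5:i386)    echo 103188-09 ;;
        5.5.1:sparc) echo 103612-06 ;;
        5.5.1:i386)  echo 103613-06 ;;
        5.5.1:ppc)   echo 103614-06 ;;
        *)           echo ;;           # any other release is not affected
    esac
}

# Succeeds if a patch with the same base ID and a revision >= the required one
# appears in the showrev -p text on stdin (a newer revision supersedes an older one).
has_patch() {
    base=${1%-*}; need=${1#*-}
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        if [ "${id%-*}" = "$base" ] && [ "${id#*-}" -ge "$need" ]; then
            return 0
        fi
    done
    return 1
}

# Prints a verdict for the host; exit status 1 means it still needs the patch.
# $1 = release (uname -r), $2 = platform (uname -p), stdin = showrev -p output.
check_host() {
    req=$(required_patch "$1" "$2")
    if [ -z "$req" ]; then echo "not-affected"; return 0; fi
    if has_patch "$req"; then echo "patched:$req"; return 0; fi
    echo "VULNERABLE:needs $req"; return 1
}

# On a real Solaris host (showrev present) run the check against the live system.
if command -v showrev >/dev/null 2>&1; then
    showrev -p | check_host "$(uname -r)" "$(uname -p)"
fi
```

The revision comparison matters because Sun ships later revisions of the same base patch ID; a host carrying 103187-10 would also be covered, while 103187-05 would not.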