__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Sun libc/libnsl vulnerabilities (Sun Bulletin #00137a)
December 13, 1996 18:00 GMT Number H-06a
______________________________________________________________________________
PROBLEM: A buffer over-run vulnerability exists in the libc and libnsl
libraries under Solaris 2.5 and 2.5.1 that can allow an
unauthorized user to gain access to the system and root
privileges.
PLATFORM: Solaris 2.5 and 2.5.1 ONLY; SunOS 4.1.X systems are not
vulnerable.
DAMAGE: An unauthorized user (whether internal or external) could gain
access to the system and gain root privileges.
SOLUTION: Apply the patches recommended by the vendor as listed below.
______________________________________________________________________________
VULNERABILITY Any Sun system running versions 2.5 or 2.5.1 of the Solaris
ASSESSMENT: operating system could be attacked by a local or remote user
and gain root access. A vulnerability script has been widely
published to exploit this vulnerability.
______________________________________________________________________________
[ Begin Sun Bulletin ]
=============================================================================
SUN MICROSYSTEMS SECURITY BULLETIN: #00137a, 11 Dec 1996
=============================================================================
ADDENDUM
This is an amended version of Sun Microsystems Security Bulletin #00137,
which discussed recently released security patches for Solaris 2.5 and
2.5.1. The changes correct two mistakes. No new information is provided.
The original bulletin, released 20 Nov 1996, stated:
Since the current version (v1.0) of SISS, the Solaris Internet
Server Supplement, is based largely on 2.5.1 code, it too is
vulnerable.
In fact, SISS v1.0 (the only version to date) is *not* vulnerable to this
attack.
The original version of the bulletin also contained a typographical
error. References to Solaris "5.1.1" should instead read "5.5.1".
This amended version of the bulletin contains corrections for both
errors. We regret any inconvenience caused by the inaccuracies in the
original version of the bulletin.
BULLETIN TOPICS
In this bulletin Sun announces the release of security-related patches
for Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1). The
patches relate to a single problem involving vulnerabilities in both
the libc and libnsl libraries.
Sun strongly recommends that you install these patches immediately on
every affected system. An exploitation script was publicly released
earlier this week for this vulnerability and the script is now widely
distributed. Many 2.5 and 2.5.1 systems are therefore currently
vulnerable to attack. Earlier versions of SunOS, including 4.1.x, do
not have the bug and are not vulnerable.
As of this writing Sun is aware of no successful attacks based on this
problem.
I. Who is Affected, and What to Do
II. Understanding the Vulnerability
III. List of Patches
IV. Checksum Table
APPENDICES
A. How to obtain Sun security patches
B. How to report or inquire about Sun security problems
C. How to obtain Sun security bulletins or short status updates
Send Replies or Inquiries To:
Mark Graff
Sun Security Coordinator
MS MPK17-103
2550 Garcia Avenue
Mountain View, CA 94043-1100
Phone: 415-786-5274
Fax: 415-786-7994
E-mail: security-alert@Sun.COM
Sun acknowledges with thanks the CERT Coordination Center (Carnegie
Mellon University), AUSCERT, and Marko Laakso (University of Oulu) for
their assistance in the preparation of this bulletin.
Sun, CERT/CC, and AUSCERT are all members of FIRST, the Forum of Incident
Response and Security Teams. For more information about FIRST, visit
the FIRST web site at "http://www.first.org/".
Keywords: gethostbyname, root, libc, libnsl
Patchlist: 103187-09, 103188-09, 103612-06, 103613-06, 103614-06
Cross-Ref:
-----------
Permission is granted for the redistribution of this Bulletin, so long
as the Bulletin is not edited and is attributed to Sun Microsystems.
Portions may also be excerpted for re-use in other security advisories
so long as proper attribution is included.
Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.
=============================================================================
SUN MICROSYSTEMS SECURITY BULLETIN: #00137a, 11 Dec 1996
=============================================================================
I. Who is Affected, and What to Do
Sun has verified that this vulnerability affects all supported Solaris
2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1) systems. Earlier
versions of SunOS, including 4.1.x, do not have the bug and are not
vulnerable.
Installing and running the software provided in these patches completely
closes the vulnerability. For information about how to obtain these and
other Sun patches, see Appendix A.
To see which version of SunOS your system is running, use a command such as:
% uname -a
If your system is running SunOS 5.5 or 5.5.1, it is vulnerable.
II. Understanding the Vulnerability
If exploited, this vulnerability can be used to gain root access on
attacked systems. The attack could be initiated from a remote system.
Even penetration through a firewall may be possible, depending upon
which services and applications (such as rlogin) are allowed to pass
through the firewall.
Because this vulnerability is located in two key system libraries, many
setuid/setgid system utilities are affected and possibly exploitable.
There has been a buffer over-run vulnerability discovered in both the
libc and the libnsl libraries under Solaris 2.5/2.5.1. Many setuid and
setgid programs, as well as network programs running with root
privileges, are dynamically linked against these libraries. This
vulnerability has the potential for any program using these libraries,
running with root privileges, to be exploited, giving root privileges.
III. List of Patches
The patches required to close this vulnerability are listed below.
A. Solaris 2.x (SunOS 5.x) patches
Patches which replace the affected libraries and executables are available
for every supported version of SunOS 5.x.
OS version Patch ID
---------- ---------
SunOS 5.5 103187-09
SunOS 5.5_X86 103188-09
SunOS 5.5.1 103612-06
SunOS 5.5.1_x86 103613-06
SunOS 5.5.1_ppc 103614-06
B. Solaris 1.x (SunOS 4.1.x) patches
No patches are needed for SunOS 4.1.x, which is not vulnerable.
IV. Checksum Table
In the checksum table we show the BSD and SVR4 checksums and MD5 digital
signatures for the compressed tar archives.
File BSD SVR4 MD5
Name Checksum Checksum Digital Signature
--------------- ----------- --------- --------------------------------
103187-09.tar.Z 55543 2779 1318 5557 2AF86E9126BB8B0505743D0283C175A6
103188-09.tar.Z 21952 2523 13621 5046 E0455AAC6DF587E9F9EC88082B9613B2
103612-06.tar.Z 29415 2752 38423 5503 56DF3214D8C5CC58C9AC223C9C7ACEBC
103613-06.tar.Z 30698 2501 29921 5002 7E27DF259B595231188D2725E2B6AE59
103614-06.tar.Z 05172 2766 46856 5532 193E63B9C5E2B829D59B1FCBE2E2981F
The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on
on SunOS 5.x (/usr/bin/sum).
APPENDICES
A. How to obtain Sun security patches
1. If you have a support contract
Customers with Sun support contracts can obtain any patches listed
in this bulletin (and any other patches--and a list of patches) from:
- SunSolve Online
- Local Sun answer centers, worldwide
- SunSITEs worldwide
The patches are available via World Wide Web at http://sunsolve.sun.com.
You should also contact your answer center if you have a support
contract and:
- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready
2. If you do not have a support contract
Customers without support contracts may now obtain security patches,
"recommended" patches, and patch lists via SunSolve Online.
Sun does not furnish patches to any external distribution sites
other than the ones mentioned here. The ftp.uu.net and ftp.eu.net
sites are no longer supported.
3. About the checksums
So that you can quickly verify the integrity of the patch files
themselves, we supply in each bulletin checksums for the tar archives.
Occasionally, you may find that the listed checksums do not match
the patches on the SunSolve or SunSite database. This does not
necessarily mean that the patch has been tampered with. More likely,
a non-substantive change (such as a revision to the README file)
has altered the checksum of the tar file. The SunSolve patch database
is refreshed nightly, and will sometimes contain versions of a patch
newer than the one on which the checksums were based.
In the future we may provide checksum information for the
individual components of a patch as well as the compressed archive
file. This would allow customers to determine, if need be, which
file(s) have been changed since we issued the bulletin containing
the checksums.
In the meantime, if you would like assistance in verifying the
integrity of a patch file please contact this office or your local
answer center.
B. How to report or inquire about Sun security problems
If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK17-103
2550 Garcia Avenue
Mountain View, CA 94043-1100
Phone: 415-786-5274
Fax: 415-786-7994
E-mail: security-alert@Sun.COM
We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.
C. How to obtain Sun security bulletins or short status updates
1. Subscription information
Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.
To receive information or to subscribe or unsubscribe from our
mailing list, send mail to security-alert@sun.com with a subject
line containing one of the following commands.
Subject Information Returned/Action Taken
------- ---------------------------------
HELP An explanation of how to get information
LIST A list of current security topics
QUERY [topic] The mail containing the question is relayed to
a Security Coordinator for a response.
REPORT [topic] The mail containing the text is treated as a
security bug report and forwarded to a Security
Coordinator for handling. Please note that this
channel of communications does not supersede
the use of Sun Solution Centers for this
purpose. Note also that we do not recommend
that detailed problem descriptions be sent in
plain text.
SEND topic Summary of the status of selected topic. (To
retrieve a Sun Security Bulletin, supply the
number of the bulletin, as in "SEND #103".)
SUBSCRIBE Sender is added to the CWS (Customer
Warning System) list. The subscribe feature
requires that the sender include on the subject
line the word "cws" and the reply email
address. So the subject line might look like
the following:
SUBSCRIBE cws graff@sun.com
UNSUBSCRIBE Sender is removed from the CWS list.
Should your email not fit into one of the above subjects, a help
message will be returned to you.
Due to the volume of subscription requests we receive, we cannot
guarantee to acknowledge requests. Please contact this office if
you wish to verify that your subscription request was received, or
if you would like your bulletin delivered via postal mail or fax.
2. Obtaining old bulletins
Sun Security Bulletins are available via the security-alert alias
and on SunSolve. Please try these sources first before contacting
this office for old bulletins.
------------
[ End Sun Bulletin ]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
H-07: Sendmail SIGHUP-smtpd Vulnerability
H-08: lpr Buffer Overrun Vulnerability
H-09: HP 9000 Access Vulnerability
H-10: HP-UX Security Vulnerabilities (passwd, fpkg2swpkg, newgrp)
H-11: sendmail Group Permissions Vulnerability
H-12: IBM AIX(r) 'SYN Flood' and 'Ping o' Death' Vulnerabilities
H-13: IBM AIX(r) Security Vulnerabilities (gethostbyname, lquerypv)
H-14: SGI IRIX Vulnerabilities (systour, OutOfBox, cdplayer, datman)
H-15: Korn Shell (ksh) suid_exec Vulnerability
H-16: HP-UX Security Vulnerabilities (chfn, Remote Watch)
RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
Notes 07 - 3/29/95 A comprehensive review of SATAN
Notes 08 - 4/4/95 A Courtney update
Notes 09 - 4/24/95 More on the "Good Times" virus urban legend
Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
in S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
America On-Line Virus Scare, SPI 3.2.2 Released,
The Die_Hard Virus
Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X
Windows, beta release of Merlin, Microsoft Word
Macro Viruses, Allegations of Inappropriate Data
Collection in Win95
Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST
Conference Announcement, Security and Web Search
Engines, Microsoft Word Macro Virus Update
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
