Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

computer-security/security-patches FAQ


[ Usenet FAQs | Web FAQs | Documents | RFC Index | Neighborhoods ]
Archive-name: computer-security/security-patches
Posting-frequency: monthly
Last-modified: 1996/7/15
Version: 3.0

See reader questions & answers on this topic! - Help others by sharing your knowledge
Security Patches FAQ

Version: 3.0
----------------------------------------------------------------------------
This Security FAQ is a resource provided by:

     Internet Security Systems, Inc.
     Suite 660, 41 Perimeter Center East          Tel: (770) 395-0150
     Atlanta, Georgia 30346                       Fax: (770) 395-1972

----------------------------------------------------------------------------
To get the newest updates of Security files check the following services:

     http://www.iss.net/
     ftp ftp.iss.net /pub/faq/

To subscibe to the update mailing list, Alert, send an e-mail to
request-alert@iss.net and, in the text of your message (not the subject
line), write:

     subscribe alert

----------------------------------------------------------------------------

Security Patches FAQ for your System: The Patch List

As new systems become accessible by networks there is a need for security.
Many systems are shipped insecure which puts the responsibility on the
customers to find and apply patches. This FAQ will be a guide for the many
administrators who want to secure their systems.

This FAQ is broken down into the different sections:

  1. Generic Things to Look For
  2. Type of Operating System and its Vulnerabilities.
        o AIX
        o DEC
        o HPUX
        o NEXT
        o SCO
        o Sun Microsystems
        o SGI
  3. Particular Vulnerabilities
        o FTP
        o Sendmail
        o HTTPd (WWW)
        o Rdist
        o IP Spoofing attacks
        o Hijacking terminal connections
  4. Unpatched Vulnerabilities (Bugs that the Vendor has not Fixed)

----------------------------------------------------------------------------

Part 1 - Generic Things to Look For

   * Firewalling is one of the best methods of stopping pontential
     intruders. Block all UDP traffic except for DNS and nameserver ports.
     Block all source routing and rlogin and rsh at the router if possible.

   * Run ISS (Internet Security Scanner) regulary. This package allows an
     administrator to do an audit of the network and notify him of any
     security misconfigurations or anomalies that allow intruders in
     therefore allowing him to take corrective measures before his network
     is compromised. It is available on ftp://aql.gatech.edu/pub/security/

   * Run Tiger regularly. It is available on net.tamu.edu:/pub/security/TAMU

     Password Security

        o Use one-time password technology like s/key. This package makes
          sniffing passwords useless since the password that goes over the
          network is only used once. It is available on
          ftp:thumper.bellcore.com:/pub/nmh/skey

        o Shadowing passwords is useful against dictionary passwd cracking
          attacks.

        o Replace passwd with a program that will not allow your users to
          pick easy passwords.

        o Check for all easy-to-guess passwords with Crack which is
          available on ftp://ftp.cert.org/pub/tools/ by Alec Muffett
          (alecm@sun.com) .

   * Do a rpcinfo -p command and check to make sure rexd is not running.

   * TFTP should be turned off unless needed because it can be used to grab
     password files remotely.

   * Make sure there is no '+' in /etc/hosts.equiv or any .rhosts.

   * Make sure there are no '#' in /etc/hosts.equiv or any .rhosts.

   * Make sure there are no funny commands in any .forward.

   * Make sure there are no cleartext passwords in any .netrc.

   * Do a showmount -e command to see your exports and make sure they are
     restricted to only trusted hosts. Make sure all exports have an access
     list.

   * Use Xauthority when using X11 or openwin.

   * You may want to remove the suid from rdist, chill, pstat, and arp. They
     are known to cause security problems on generic default machine.

   * Run tripwire regularly. It is available on
     ftp://coast.cs.purdue.edu/pub/COAST/

   * Run COPS regulary. It is available on ftp://ftp.cert.org/pub/tools/

   * Run a TCP Wrapper. It is available on
     ftp://ftp.win.tue.nl/pub/security/

   * Identd may help locate accounts that intruders are using on remote and
     local machines. It is on ftp.lysator.liu.se:/pub/ident/servers

----------------------------------------------------------------------------

Part 2 - Type of Operating System and its Vulnerabilities

To find some of the newer patches, using archie and xarchie can be a useful
tool. Some caution must be used when using patches obtained from FTP sites.
It is known that some ftp sites have been compromised in the past and files
were replaced with trojans. Please verify the checksums for the patches.
----------------------------------------------------------------------------

AIX

Fixdist is a X Windows front end to the AIX PTF (Patch) Database. Fixdist
package available at ftp:aix.boulder.ibm.com

Fixdist requirements:

     Software:
        o AIX for RISC System/6000 Version 3.2.4 or above.
        o AIX TCPIP Facilities (bosnet.tcpip.obj)
        o AIXwindows 1.2.0 (X11R4) or AIXwindows 1.2.3 (X11R5).

     Connection Requirements
        o The fixdist utility communicates to the ftp server using anonymous
          ftp. There is no mail transport or Telnet requirement. The server
          is currently available only on the Internet. If you are able to
          download the utility, you are fully enabled use fixdist.

     Fixdist does not "install" any PTFs onto your system. It just transfers
     the fixes to a target directory on your RISC System/6000.

     The AIX support line is at

          http://aix.boulder.ibm.com/pbin-usa/getobj.pl?/pdocs-usa/public.html/

     From that page, you can link to a forms-based keyword search, which you
     can use to query with the terms "aix" and "security". The direct link
     for the keyword search is:

          http://aix.boulder.ibm.com/pbin-usa/pub_search.pl

To turn off IP Forwarding and Source Routing, add the following to
/etc/rc.net:

     /usr/sbin/no -o ipforwarding=0
     /usr/sbin/no -o ipsendredirects=0
     /usr/sbin/no -o nonlocsrcroute=0

----------------------------------------------------------------------------

DEC

Security kits are available from Digital Equipment Corporation by contacting
your normal Digital support channel or by request via DSNlink for electronic
transfer.

Digital Equipment Corporation strongly urges Customers to upgrade to a
minimum of ULTRIX V4.4 and DEC OSF/1 V2.0 then apply the Security Enhanced
Kit.

- Please refer to the applicable Release Note information prior to upgrading
your installation.

KIT PART NUMBERS and DESCRIPTIONS

CSC PATCH #

CSCPAT_4060  V1.0   ULTRIX    V4.3 thru V4.4  (Includes DECnet-ULTRIX V4.2)
CSCPAT_4061  V1.0   DEC OSF/1 V1.2 thru V2.0

         These kits will not install on versions previous to ULTRIX V4.3
         or DEC OSF/1 V1.2.

The ULTRIX Security Enhanced kit replaces the following images:
/usr/etc/comsat                 ULTRIX V4.3, V4.3a, V4.4
/usr/ucb/lpr                    "                      "
/usr/bin/mail                   "                      "
/usr/lib/sendmail               "                      "
                    *sendmail - is a previously distributed solution.

/usr/etc/telnetd                ULTRIX V4.3, V4.3a only

For DECnet-ULTRIX V4.2  installations:

/usr/etc/dlogind
/usr/etc/telnetd.gw

The DEC OSF/1 Security Enhanced kit replaces the following images:

/usr/sbin/comsat                DEC OSF/1 V1.2, V1.3 V2.0
/usr/bin/binmail
/usr/bin/lpr                    "                       "

/usr/sbin/sendmail              DEC OSF/1 V1.2, V1.3  only
                    *sendmail - is a previously distributed solution.
/usr/bin/rdist                  "                       "
/usr/shlib/libsecurity.so       DEC OSF/1 V2.0 only

----------------------------------------------------------------------------

HPUX

In order to retrieve any document that is described in this index, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com:

send doc xxxxxxxxxxxx

Summary of 'Security Bulletins Index' documents

Document Id    Description
HPSBMP9503-003 Security Vulnerability (HPSBMP9503-003) in MPE/iX releases
HPSBMP9503-002 Security Vulnerability (HPSBMP9503-002) in MPE/iX releases
HPSBMP9503-001 Security Vulnerability (HPSBMP9503-001) in MPE/iX releases
HPSBUX9502-024 /usr/lib/sendmail has two security vulnerabilities
HPSBUX9502-023 Security vulnerability in `at' & `cron'
HPSBUX9502-022 Security Vulnerability involving malicious users
HPSBUX9502-021 No current vulnerability in /bin/mail (or /bin/rmail)
HPSBUX9501-020 Security Vulnerability in HP Remote Watch
HPSBUX9411-019 Security Vulnerability in HP SupportWatch
HPSBUX9410-018 Security Vulnerability in xwcreate/gwind
HPSBUX9409-017 Security Vulnerability in CORE-DIAG fileset
HPSBUX9408-000 Sum and MD5 sums of HP-UX Security Bulletins
HPSBUX9408-016 Patch sums and the MD5 program
HPSBUX9407-015 Xauthority problem
HPSBUX9406-014 Patch file permissions vulnerability
HPSBUX9406-013 vhe_u_mnt allows unauthorized root access
HPSBUX9405-011 Security Vulnerability in HP GlancePlus
HPSBUX9405-009 PROBLEM:  Incomplete implementation of OSF/AES standard
HPSBUX9405-010 ftpd: SITE CHMOD / race condition vulnerability
HPSBUX9405-012 Security vulnerability in Multimedia Sharedprint
HPSBUX9404-007 HP-UX does not have ftpd SITE EXEC vulnerability
HPSBUX9404-008 Security Vulnerability in Vue 3.0
HPSBUX9402-006 Security Vulnerability in DCE/9000
HPSBUX9402-005 Security Vulnerability in Hpterm
HPSBUX9402-004 Promiscuous mode network interfaces
HPSBUX9402-003 Security Vulnerability in Subnetconfig
HPSBUX9312-002 Security Vulnerability in Xterm
HPSBUX9311-001 Security Vulnerability in Sendmail

If you would like to obtain a list of additional files available via the HP
SupportLine mail service, send the following in the TEXT PORTION OF THE
MESSAGE to support@support.mayfield.hp.com:

     send file_list

To get the newest security patch list:

     send security_info_list

To get the most current security patches for each version of OS:

     send hp-ux_patch_matrix

HP-patches and patch-information are available by WWW:

  1. with URL http://support.mayfield.hp.com/slx/html/ptc_hpux.html
     http://support.mayfield.hp.com/slx/html/ptc_get.html

  2. or by appending the following lines to your
     $HOME/.mosaic-hotlist-default and using the --> navigate --> hotlist
     option.

HP has a list of checksums for their security patches. Highly recommended
you always compare patches with the checksum for corruption and trojans.
----------------------------------------------------------------------------

NEXT

There are some security patches on
ftp.next.com:/pub/NeXTanswers/Files/Patches

     SendmailPatch.23950.1
     RestorePatch.29807.16

ftp.next.com:/pub/NeXTanswers/Files/Security contains some security
advisories.

Be sure to check for Rexd and uuencode alias.
----------------------------------------------------------------------------

SCO Unix

Current releases of SCO UNIX (3.2v4.2) and Open Desktop (3.0) has the
following security patches available:

     uod368b -- passwd
     oda377a -- xterm, scoterm, scosession, clean_screen

These can be downloaded from ftp.sco.com:/SLS. First get the file "info"
which lists the actual filenames and descriptions of the supplements.

Security problems were made aware by 8LGM in the following programs for SCO:

   * at(C)
   * login(M)
   * prwarn(C)
   * sadc(ADM)
   * pt_chmod

These programs, which allowed regular users to become SuperUser (root),
affect the following SCO Products:

   * SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0
   * SCO Open Desktop Lite Release 3.0
   * SCO Open Desktop Release 3.0 and 2.0
   * SCO Open Server Network System Release 3.0
   * SCO Open Server Enterprise System Release 3.0

You need the following patches which are available at ftp.sco.com:/SSE:

     Binary             Patch
     ------             ------
     at(C)              sse001
     login(M)           sse002
     prwarn(C)          sse003
     sadc(ADM)          sse004
     pt_chmod           sse005

To contact SCO, send electronic mail to support@sco.com.

----------------------------------------------------------------------------

Sun Microsystems, Inc. SunOS 4.x and Solaris 2.x

Patches may be obtained via anonymous ftp from
ftp.uu.net:/systems/sun/sun-dist or from local Sun Answer Centers worldwide.
Sun makes lists of recommended patches (including security patches)
available to customers with support contracts via its Answer Centers and the
SunSolve service. The lists are uploaded on an informal basis to the
ftp.uu.net patch repository maintained by Sun for other customers, and
posted periodically on the comp.security.unix newsgroup.

Patches are also available via anonymous ftp from
sunsolve1.sun.com:/pub/patches online.sunsolve.sun.co.uk:/pub/patches/

Check out the the sunsolve www-page at http://online.sunsolve.sun.co.uk/

Below is a list of security patches that should be implemented. Please use
Sun's patch list for the authoritative answer. If you see any discrepencies
please notify Christopher Klaus (cklaus@iss.net).

100075-12       rpc.lockd jumbo patch for SunOS 4.1.3
101817-01       rpc.lockd jumbo patch for SunOS 4.1.x, x<3 (same as 10075-11).
100103-11       script to change file permissions to a more secure mode
100170-10       jumbo-patch ld-1.144 shared LD_LIBRARY_PATH -Bstatic SPARCworks
100173-09       NFS Jumbo Patch
100178-08       netd "broken server detection" breaks on fast machines
100249-09       automounter jumbo patch
100272-07       security hole in utmp writable
100283-03       in.routed mishandles gateways, multiple routes
100296-04       rpc.mountd exports to the world
100305-14       lpr package
100338-05       system crashes with assertion failed panic.(may be obsolete)
100342-03       NIS client needs long recovery time if server reboots
100359-06       streams jumbo patch
100383-06       rdist can be used to get root access
100421-03       rpc.rexd does not log appropriate accounting messages
100448-01       loadmodule
100482-04       ypxfrd exporting NIS maps to everybody
100507-04       tmpfs jumbo patch
100527-03       rsh uses old-style selects instead of 4.0 selects
100536-02       NFS can cause panic: assertion failed crashes
100557-02       ftp Jumbo patch
100564-07       C2 Jumbo patch
100567-04       mfree panic due to mbuf being freed twice
100593-03       security hole in utmp writable
100623-03       UFS jumbo patch
100909-02       security hole in utmp writable
101480-01       security hole in utmp writable
101481-01       security hole in utmp writable
101482-01       security hole in utmp writable
102060-01       Fixes the passwd -F hole.
101436-08       Fix for /bin/mail

Solaris 2.2 Recommended Patches:

100982-03  SunOS 5.2: fixes for kernel/fs/fifofs
100992-03  SunOS 5.2: streams related panics involving local transport
100999-71  SunOS 5.2: kernel jumbo patch
101014-05  SunOS 5.2: fixes for usr/lib/libsocket
101022-06  SunOS 5.2: NIS/NIS+ jumbo patches
101025-14  SunOS 5.2: Jumbo patch fixes for lp system
101031-02  SunOS 5.2: file descriptor limit is too low on inetd
101090-01  SunOS 5.2: fixes security hole in expreserve
101096-02  SunOS 5.2: fixes for rpcbind
101109-04  SunOS 5.2: fixes problems with ldterm, ptm, pts
101122-07  SunOS 5.2: fixes for the packaging utilities
101301-03  SunOS 5.2: security bug & tar fixes
101348-01  SunOS 5.2: system hangs due to mblk memory leak

Solaris 2.3 Recommended Patches:

101317-11  SunOS 5.3: lp jumbo patch
101318-59  SunOS 5.3: Jumbo patch for kernel (includes libc, lockd)
101327-08  SunOS 5.3: security and miscellaneous tar fixes
101331-05  SunOS 5.3: fixes for package utilities
101344-11  SunOS 5.3: Jumbo NFS patch security
101347-02  SunOS 5.3: fixes for ttcompat
101615-02  SunOS 5.3: miscellaneous utmp fixes
101631-02  SunOS 5.3: kd and ms fixes
101712-01  SunOS 5.3: uucleanup isn't careful enough when sending mail
102034-01  SunOS 5.3: portmapper security hole
101889-03  OpenWindows 3.3: filemgr forked executable ff.core has a se

Solaris 2.4 Recommended Patches:

101945-13  SunOS 5.4: jumbo patch for kernel
101959-02  SunOS 5.4: lp jumbo patch
101981-01  SunOS 5.4: SECURITY: su can display root password in the co
102007-01  SunOS 5.4: vnode v_count is not maintained correctly
102044-01  SunOS 5.4: bug in mouse code makes "break root" attack poss
102070-01  SunOS 5.4: Bugfix for rpcbind/portmapper

Sendmail patches are important. Check out Sendmail section.

Turn off IP-Forward on SunOs Kernel and kmem via:

     "echo ip_forwarding/W 0" | adb -w /vmunix /dev/kmem

To turn off source routed packets on Solaris 2.X. Edit /etc/rc.2.d/S69.inet
and change

     ndd -set /dev/ip ip_forwarding 0
     ndd -set /dev/ip ip_ip_forward_src_routed 0

reboot.

Source routing patch for SunOs 4.1.x
ftp.greatcircle.com:/pub/firewalls/digest/v03.n153.Z

To Secure a Sun console physically:
(for desktop sparc models)

     $su
     #eeprom security-mode=command
     Password:
     Retype password:
     #

(for other models)

     $su
     #eeprom secure=command
     Password:
     Retype password:
     #

This restricts access to the new command mode.

Remove suid from crash, devinfo. These both are known to be exploitable on
some Sun and are rarely used.
The following is a package of patches for SunOs from Australian group SERT:
ftp.sert.edu.au:/security/sert/tools/MegaPatch.1.7.tar.Z

Solaris 2.x Patches

Here are some file permission problems that exist on Solaris 2.3 and maybe
exist on Solaris 2.4 that you should check and correct. Many file permission
problems are fixed with a fix-mode module in the auto-install package:

ftp.fwi.uva.nl:/pub/solaris/auto-install/* .

After each patch installation, you will need to re-run the fix-mode.

  1. Problem: As distributed, /opt/SUNWdxlib contains many _world_ writeable
     files, including executables. A trojan may be inserted into an
     executable by any user allowing them access to the accounts of anyone
     executing it.

     Solution:

          "find /opt/SUNWdxlib -exec chmod go-w {} \;"

     Fix-modes will do a better job correcting permissions. You can do a
     simple check for trojans with:

          "pkgchk SUNWdxlib".

  2. Problem: By default, /var/nis/{hostname}.dict is _world_ writeable.
     "man -s4 nisfiles" says "This file is a dictionary that is used by the
     NIS+ database to locate its files." A quick look at it will show things
     like "/var/nis/{hostname}/passwd.org_dir". By changing this to, say,
     "/tmp/{hostname}/passwd.org_dir", it _may_ be possible to replace the
     NIS+ password (or any arbitrary) map with a bogus one. There are also
     many files in /var/nis/{hostname} that are world writeable. However,
     since /var/nis/{hostname} is root owned, mode 700, this shouldn't be a
     problem. It also shouldn't be necessary. All the files in
     /var/nis/{hostname} are world readable which is not a good way to have
     shadow passwords.

     Solution: By putting a "S00umask.sh" with contents "umask 022" in each
     /etc/rc?.d it will make sure that all daemons will start with an umask
     of 022.

     The default umask really should be 022, not 0.

     "strings /var/nis/{hostname}.dict" to make sure all the paths are sane,
     then to correct permissions:

          "chmod 644 /var/nis/{hostname}.dict"
          "chmod 700 /var/nis/{hostname}"
          "chmod 600 /var/nis/{hostname}/*"

  3. Problem: /etc/hostname.le0 is _world_ writeable. This allows anyone to
     change the address of the ethernet interface.

     Solution:

          "chmod 644 /etc/hostname.le0"

  4. Problem: /var/statmon, /var/statmon/sm, and /var/statmon/sm.bak are
     _world_ writeable directories. They are used by statd to "provide the
     crash and recovery functions for the locking services of NFS. You could
     trick an NFS client into thinking a server crashed.

     Solution:

          "find /var/statmon -exec chmod o-w {} \;"

  5. Problem: The following files are _world_ writeable:

          /var/adm/vold.log
          /var/log/syslog*
          /var/lp/logs/lpsched
          /var/lp/logs/lpNet
          /etc/mnttab
          /etc/path_to_inst.old
          /var/saf/_log
          /etc/rmtab

     Solution: It may not be possible to tighten up permissions on all the
     world writeable files out there without breaking something. However,
     it'd be a good idea to at least know what they are. Something like:

          "find / -user root \( -type d -o -type f \) -perm -2 -ls"

     will at least let you know which files may contain bogus information.
     Checking for other than root, bin, sys, lp, etc. group writeable files
     would be a good idea as well.

  6. Problem: Solaris still ships /usr/kvm/crash mode 2755 which allows
     anyone to read kmem.

     Solution: Change permission to 0755.

  7. Problem: /etc, /usr/ and /usr/sys may have mode 775 which allows groups
     to write over files.

     Solution: Change permissions to 755.

----------------------------------------------------------------------------

SGI

ftp.sgi.com and sgigate.sgi.com have a "/security" directory.

{3.3,4.0,5.0} including sendmail and lpr. lpr allowed anyone to get root
access.

Patch65 and patch34 correct vulnerability in SGI help system which enabled
users to gain root priviledges.

                Standard      System V       MD5
                Unix          Unix           Digital Signature
patch34.tar.Z:  11066 15627   1674 31253     2859d0debff715c5beaccd02b6bebded
patch65.tar:    63059 1220    15843 2440     af8c120f86daab9df74998b31927e397

Check for the Following: Default accounts with no passwords: 4DGifts, lp,
nuucp, demos, tutor, guest, tour

To Disable IP_Forwarding on SGI:
edit /usr/sysgen/master.d
change int ipforwarding = 1 to 0;
then recompile kernel by autoconfig -f; for IRIX 4.0.5

Remove suid from /usr/sbin/colorview
Remove suid from /usr/lib/vadmin/serial_ports on Irix 4.X
Remove suid from /usr/lib/desktop/permissions
Remove suid from /usr/bin/under

/usr/etc/arp is setgid sys in IRIX up to and including 5.2, allowing anyone
who can log into your machine to read files which should be readable only by
group 'sys'.
Remove suid from /usr/sbin/cdinstmgr
Remove suid from /etc/init.d/audio
chmod g-w /usr/bin/newgrp

/usr/sbin/printers has a bug in IRIX 5.2 (and possibly earlier 5.x versions)
which allows any user to become root.

/usr/sbin/sgihelp has a bug in IRIX 5.2 (and possibly earlier 5.x versions)
which allows any user to become root. This is so bad that the patch is
FTPable from ftp.sgi.com:/security/, and SGI is preparing a CD containing
only that patch.

The version of inst which comes with patch 34, which is required for
installation of all other patches (even those with lower numbers) saves old
versions of binaries in /var/inst/patchbase. It does not remove execution or
setuid permissions.

Irix has many built-in security knobs that you should know how to turn them
on.

Manpage                 Things to look for
-------         ---------------------------------------------------

login           setup /etc/default/login to log all attempts with
                SYSLOG=ALL, add support for external authentication
                programs with SITECHECK=/path/to/prog

portmap         use '-a  mask,match' to restrict most of the portmap
                services to a subset of hosts or networks
                use '-v' to log all unprivileged accesses to syslog

rshd            use '-l' to disable validation using .rhosts files
                use '-L' to log all access attempts to syslog

rlogind         use '-l' to disable validation using .rhosts files
                (beware, this was broken prior to IRIX 5.3)

fingerd         use '-l' to log all connections
                use '-S' to suppress information about login status,
                home directory, and shell
                use '-f msg-file' to make it just display that file

ipfilterd       IP packet filtering daemon

----------------------------------------------------------------------------

Part 3 - Particular Vulnerabilities

Ftp

Check the Sendmail Patches

IBM Corporation

A possible security exposure exists in the bos.obj sendmail subsystem in all
AIX releases.

The user can cause arbitrary data to be written into the sendmail queue
file. Non-privileged users can affect the delivery of mail, as well as run
programs as other users.

Workaround

A. Apply the patch for this problem. The patch is available from
software.watson.ibm.com. The files will be located in the /pub/aix/sendmail
in compressed tar format. The MD5 checksum for the binary file is listed
below, ordinary "sum" checksums follow as well.

           File            sum             MD5 Checksum
           ----            ---             ------------
           sendmail.tar.Z 35990           e172fac410a1b31f3a8c0188f5fd3edb

B. The official fix for this problem can be ordered as Authorized Program
Analysis Report (APAR) IX49257

To order an APAR from IBM in the U.S. call 1-800-237-5511 and ask for
shipment as soon as it is available (in approximately two weeks). APARs may
be obtained outside the U.S. by contacting a local IBM representative.

Motorola Computer Group (MCG)

The following MCG platforms are vulnerable:

     R40
     R32 running CNEP add-on product
     R3 running CNEP add-on product

The following MCG platforms are not vulnerable:

     R32 not including CNEP add-on product
     R3 not including CNEP add-on product
     R2
     VMEEXEC
     VERSADOS

The patch is available and is identified as "patch_43004 p001" or
"SCML#5552". It is applicable to OS revisions from R40V3 to R40V4.3. For
availability of patches for other versions of the product contact your
regional MCG office at the numbers listed below.

Obtain and install the appropriate patch according to the instructions
included with the patch.

The patch can be obtained through anonymous ftp from ftp.mcd.mot.com
[144.191.210.3] in the pub/patches/r4 directory. The patch can also be
obtained via sales and support channels. Questions regarding the patch
should be forwarded to sales or support channels.

For verification of the patch file:

        Results of      sum -r  == 27479 661
                        sum     == 32917 661
                        md5     == 8210c9ef9441da4c9a81c527b44defa6

Contact numbers for Sales and Support for MCG:

     United States (Tempe, Arizona)
     Tel: +1-800-624-0077
     Fax: +1-602-438-3865

     Europe (Brussels, Belgium)
     Tel: +32-2-718-5411
     Fax: +32-2-718-5566

     Asia Pacific / Japan (Hong Kong)
     Tel: +852-966-3210
     Fax: +852-966-3202

     Latin America / Australia / New Zealand (U.S.)
     Tel: +1 602-438-5633
     Fax: +1 602-438-3592

Open Software Foundation

The local vulnerability described in the advisory can be exploited in OSF's
OSF/1 R1.3 (this is different from DEC's OSF/1). Customers should apply the
relevant portions of cert's fix to their source base. For more information
please contact OSF's support organization at osf1-defect@osf.org.

The Santa Cruz Operation

SCO systems are not vulnerable to the IDENT problem. Systems running the
MMDF mail system are not vulnerable to the remote or local problems.

The following releases of SCO products are vulnerable to the local problems.

     SCO TCP/IP 1.1.x for SCO Unix System V/386 Operating System
     Release 3.2
     Versions 1.0 and 2.0
     SCO TCP/IP 1.2.x for SCO Unix System V/386 Operating System
     Release 3.2
     Versions 4.x
     SCO TCP/IP 1.2.0 for SCO Xenix System V/386 Operating System
     Release 2.3.4

     SCO Open Desktop Lite Release 3.0
     SCO Open Desktop Release 1.x, 2.0, and 3.0
     SCO Open Server Network System, Release 3.0
     SCO Open Server Enterprise System, Release 3.0

Patches are currently being developed for the release 3.0 and 1.2.1 based
products. The latest sendmail available from SCO, on Support Level
Supplement (SLS) net382d, is also vulnerable.

Contacts for further information:

e-mail: support@sco.COM

USA, Canada, Pacific Rim, Asia, Latin America 6am-5pm Pacific Daylight Time
(PDT)

1-408-425-4726 (voice)
1-408-427-5443 (fax)

Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST)

+44 (0)923 816344 (voice)
+44 (0)923 817781 (fax)

Sequent Computer Systems

Sequent customers should contact Sequent Customer Service and request the
Fastpatch for sendmail.

phone: 1-800-854-9969.
e-mail: service-question@sequent.com

Silicon Graphics, Inc.

At the time of writing of this document, patches/binaries are planned for
IRIX versions 4.x, 5.2, 5.3, 6.0, and 6.0.1 and will be available to all SGI
customers.

The patches/binaries may be obtained via anonymous ftp (ftp.sgi.com) or from
your support/service provider.

On the anonymous ftp server, the binaries/patches can be found in either
~ftp/patches or ~ftp/security directories along with more current pertinent
information.

For any issues regarding this patch, please, contact your support/service
provider or send email to cse-security-alert@csd.sgi.com .

Sony Corporation

        NEWS-OS 6.0.3   vulnerable; Patch SONYP6022 [sendmail] is available.
        NEWS-OS 6.1     vulnerable; Patch SONYP6101 [sendmail] is available.
        NEWS-OS 4.2.1   vulnerable; Patch 0101 [sendmail-3] is available.
                        Note that this patch is not included in 4.2.1a+.

Patches are available via anonymous FTP in the
/pub/patch/news-os/un-official directory on ftp1.sony.co.jp [202.24.32.18]:

        4.2.1a+/0101.doc        describes about patch 0101 [sendmail-3]
        4.2.1a+/0101_C.pch      patch for NEWS-OS 4.2.1C/a+C
        4.2.1a+/0101_R.pch      patch for NEWS-OS 4.2.1R/RN/RD/aRD/aRS/a+R

        6.0.3/SONYP6022.doc     describes about patch SONYP6022 [sendmail]
        6.0.3/SONYP6022.pch     patch for NEWS-OS 6.0.3

        6.1/SONYP6101.doc       describes about patch SONYP6101 [sendmail]
        6.1/SONYP6101.pch       patch for NEWS-OS 6.1

        Filename                BSD             SVR4
                                Checksum        Checksum
        --------------          ---------       ---------
        4.2.1a+/0101.doc        55361 2         19699 4
        4.2.1a+/0101_C.pch      60185 307       25993 614
        4.2.1a+/0101_R.pch      35612 502       31139 1004
        6.0.3/SONYP6022.doc     03698 2         36652 4
        6.0.3/SONYP6022.pch     41319 436       20298 871
        6.1/SONYP6101.doc       40725 2         3257 3
        6.1/SONYP6101.pch       37762 434       4624 868

        MD5 checksums are:
        MD5 (4.2.1a+/0101.doc) = c696c28abb65fffa5f2cb447d4253902
        MD5 (4.2.1a+/0101_C.pch) = 20c2d4939cd6ad6db0901d6e6d5ee832
        MD5 (4.2.1a+/0101_R.pch) = 840c20f909cf7a9ac188b9696d690b92
        MD5 (6.0.3/SONYP6022.doc) = b5b61aa85684c19e3104dd3c4f88c5c5
        MD5 (6.0.3/SONYP6022.pch) = 1e4d577f380ef509fd5241d97a6bcbea
        MD5 (6.1/SONYP6101.doc) = 62601c61aef99535acb325cf443b1b25
        MD5 (6.1/SONYP6101.pch) = 87c0d58f82b6c6f7811750251bace98c

If you need further information, contact your vendor.

Solbourne

Grumman System Support Corporation now performs all Solbourne software and
hardware support. Please contact them for further information.

e-mail: support@nts.gssc.com
phone: 1-800-447-2861

Sun Microsystems, Inc.

Sun has developed patches for all supported platforms and architectures,
including Trusted Solaris, Solaris x86, and Interactive Unix. Note that Sun
no longer supports the sun3 architecture and versions of the operating
system that precede 4.1.3.

Current patches are listed below.

         OS version      Patch ID    Patch File Name
         ----------      ---------   ---------------
         4.1.3           100377-19   100377-19.tar.Z
         4.1.3_U1        101665-04   101665-04.tar.Z
         5.3             101739-07   101739-07.tar.Z
         5.4             102066-04   102066-04.tar.Z
         5.4_x86         102064-04   102064-04.tar.Z

The patches can be obtained from local Sun Answer Centers and through
anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In
Europe, the patches are available from mcsun.eu.net in the /sun/fixes
directory.

The patches are also available through the usual URL on World Wide Web.

Sun is issuing Security Bulletin #129 with details on February 22; the
patches will become available worldwide during the 24 hours to follow.

HTTPd (WWW)

There is a bug in NCSA v1.3 HTTP Web server that allows anyone to execute
commands remotely. The bug is due to overwriting a buffer. Please get the
newest patch from ftp.ncsa.uiuc.edu. More information is available from
http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.html .

Rdist Patches

(Unless you really need rdist, chmod 000 rdist works fine.)

Apollo Domain/OS SR10.3 and SR10.3.5 (Fixed in SR10.4)
a88k PD92_P0316
m68k PD92_M0384

Cray Research, Inc. UNICOS 6.0/6.E/6.1 Field Alert #132 SPR 47600

IBM RS/6000 AIX levels 3005, 2006, 2007, and 3.2 apar ix23738
Patches may be obtained by calling Customer Support at 1-800-237-5511.

NeXT Computer, Inc. NeXTstep Release 2.x
Rdist available on the public NeXT FTP archives.

Silicon Graphics IRIX 3.3.x/4.0 (fixed in 4.0.1) Patches may be obtained via
anonymous ftp from sgi.com in the sgi/rdist directory.

Solbourne OS/MP 4.1A Patch ID P911121003

Sun Microsystems, Inc. SunOS 4.0.3/4.1/4.1.1 Patch ID 100383-06

IP Spoofing Vulnerabilities

IP Spoofing attacks allow an intruder to send packets as if they were coming
from a trusted host and some services based on IP based authenication allow
an intruder to execute commands. Because these packets appear to come from a
trusted host, it may be possible to by-pass firewall security. IP Spoofing
is more detailed in the following papers:

   * "Security Problems in the TCP/IP Protocol Suite" by Steve Bellovin. It
     is available for ftp from
     research.att.com:/dist/internet_security/ipext.ps.Z

   * "A Weakness in the 4.2BSD Unix TCP/IP Software," by Robert T. Morris.
     It is available for ftp from
     research.att.com:/dist/internet_security/117.ps.Z

Some of the services based on IP authenication are:

   * Rsh
   * Rlogin
   * NFS
   * NIS
   * X Windows
   * Services secured by TCP Wrappers access list.

It can help turn off these services especially Rsh and Rlogin.

You can filter out IP spoofed packets with certian routers with the use of
the input filter. Input filter is a feature on the following routers:

   * Bay Networks/Wellfleet, version 5 and later
   * Cabletron with LAN Secure
   * Cisco, RIS software version 9.21 and later
   * Livingston
   * NSC

TCP Wrapper in conjunction with Identd can help to stop IP spoofing because
then the intruder must not not only spoof the connection to Rsh/Rlogin, they
must spoof the information to identd which is not as trivial.

TCP Wrapper is available on ftp://ftp.win.tue.nl/pub/security/.
3.shar.Z

Identd is available on ftp.lysator.liu.se:/pub/ident/servers

Add the following to TCP Wrappers access list:

     ALL: UNKNOWN@ALL: DENY

This will drops all TCP connections where ident lookup fails.

Hijacking terminal connections

Intruders are using a kernel module called TAP that initially was used for
capturing streams which allows you to view what a person is typing. You can
use it to write to someone's steam, thus emulating that person typing a
command and allowing an intruder to "hijack" their session.

Tap is available on ftp.sterling.com /usenet/alt.sources/volume92/Mar in the
following files:

   * 920321.02.Z TAP - a STREAMS module/driver monitor (1.1)
   * 920322.01.Z TAP - a STREAMS module/driver monitor (1.5) repost
   * 920323.17.Z TAP - BIG BROTHERS STREAMS TAP DRIVER (1.24)

An intruder needs to install TAP as root. Therefore if you have installed
all patches and taken the necessary precautions to eliminate ways to obtain
root, the intruder has less chance of installing TAP. You can disable
loadable modules on SunOs 4.1.x by editing the kernel configuraion file
found in /sys/`arch -k`/conf directory and comment out the following line
with a "#" character:

     options VDDRV # loadable modules

Then build and install the new kernel:

     # /etc/config CONFIG_NAME
     # cd ../CONFIG_NAME
     # make
     # cp /vmunix /vmunix.orig
     # cp vmunix /
     # sync; sync; sync

Reboot the system to activate the new kernel. You can also try to detect the
Tap program by doing the following command:

     modstat

Modstat displays all loaded modules. An intruder could trojan modstat as
well therefore you may want to verify the checksum of modstat.
----------------------------------------------------------------------------

Part 4 - Unpatched Vulnerabilities

This is intended to let consumers know that these holes have already been
fully disclosed and everyone already knows about it. These are the
vulnerabilities that vendors are suppose to be releasing patches for ASAP.
Hopefully this list will stay short and small.

Vendor          Bug                 Result
Sun5.x          no promisc flags    Can not tell if machine is sniffing

----------------------------------------------------------------------------

Acknowledgements

I would like to thank the following people for the contribution to this FAQ
that has helped to update and shape it:

   * Jonathan Zanderson (jsz@ramon.bgu.ac.il)
   * Rob Quinn <rjq@phys.ksu.edu>
   * Dr.-Ing. Rudolf Theisen, <r.theisen@kfa-juelich.de>
   * Gerald (Jerry) R. Leslie <jleslie@dmccorp.com>
   * Walker Aumann (walkera@druggist.gg.caltech.edu)
   * Chris Ellwood (cellwood@gauss.calpoly.edu)
   * Dave Millar (millar@pobox.upenn.edu)
   * Paul Brooks (paul@turbosoft.com.au)

----------------------------------------------------------------------------

Copyright

This paper is Copyright (c) 1994, 1995, 1996
   by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for
permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Address of Author

Please send suggestions, updates, and comments to:
Christopher Klaus <cklaus@iss.net> of Internet Security Systems, Inc.
<iss@iss.net>

Internet Security Systems, Inc.

ISS is the leader in network security tools and technology through
innovative audit, correction, and monitoring software. The Atlanta-based
company's flagship product, Internet Scanner, is the leading commercial
attack simulation and security audit tool. The Internet Scanner SAFEsuite is
based upon ISS' award-winning Internet Scanner and was specifically designed
with expanded capabilities to assess a variety of network security issues
confronting web sites, firewalls, servers and workstations. The Internet
Scanner SAFEsuite is the most comprehensive security assessment tool
available. For more information about ISS or its products, contact the
company at (770) 395-0150 or e-mail at iss@iss.net. ISS maintains a Home
Page on the World Wide Web at http://www.iss.net
-- 
Christopher William Klaus            Voice: (770)395-0150. Fax: (770)395-1972
Internet Security Systems, Inc.              "Internet Scanner SAFEsuite finds
Ste. 660,41 Perimeter Center East,Atlanta,GA 30346 your network security holes
Web: http://www.iss.net/  Email: cklaus@iss.net        before the hackers do."

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA


[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
cklaus@iss.net





Last Update March 27 2014 @ 02:11 PM