From: Pete Hammes (10/22/93)
To: assist-bulletin@assist.ims.disa, Mail*Link® SMTP
Subject: ASSIST 93-28

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
 MIICozCCAgwCAQ8wDQYJKoZIhvcNAQECBQAwgYYxC
 zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzA5MDExN
 DU3NDFaFw05MzEyMTAxNDU3NDFaMIGxMQswCQYDVQQGEwJVUzErMCkGA1UEChMiR
 GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud
 GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db
 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxFDASBgNVBAMTC1Bld
 GUgSGFtbWVzMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDCgMkKVE04zogQU+Y/u
 9XDNBempvY7gQDGwnFQp8Htv1pdn/GpVQmMshXVARhspGNsBy2+oOJoxgIIZeDtF
 /MhUeyZDAoVIvi+2uagxto5eb+T/jteVqplHen6BiwPnchvKuGCyPuT0+Q7bBsJG
 prQwqTSJoZvozE7CNk1XV0J7wIBAzANBgkqhkiG9w0BAQIFAAOBgQCZ0AezFPQMJ
 NssuHMKiuq63lu9vWs5jvJ1a201z+oeUX7FkFwIRSy/RDKaLILn+v501BeoWacae
 GA3LS/13Y6zdP91J3RDDkj4fy9dlDOf0C1h9g6T3QVX1xZvAdJ/V6Ck9DYGvAWvf
 sOT8lzEQ8OfaGFgge4olbhYpCTMgId5cA==
Issuer-Certificate:
 MIICNTCCAZ4CAQwwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDYwODE1MDQyMFoXDTkzMDkxNjE1MDQyMFowg
 YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c
 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c
 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC
 AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD
 S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd
 Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX
 P8CAQMwDQYJKoZIhvcNAQECBQADgYEAyVsZykgjUfAv4FnMwuz4b+s16PHAHUwMg
 2lxLTMwm1TmyLSXL0g1iVRVSelXYYzBPjUx2rlG3ofYu7+xsWxs2HdBArV1dg7uF
 vkAZnAkVNU86aMcE0tq3vflzwDq8/a9mAFRpE8HJU4//+qTFgojAMOJGo83jtMuZ
 E7kwd2rjRk=
Issuer-Certificate:
 MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR
 DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ
 m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL
 xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK
 nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK
 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA
 AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW
 h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9
 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ==
MIC-Info: RSA-MD5,RSA,
 a4S2bDgdZFnhg2aCRNEul1VGL9Tq5B//6Db90TAKezj
 1LJ5roK8orfYMQwvlWMHh1dY0CJeTHMeb09AuD67HzelUhjP8ZUKjrnJJjp89+s0
 glz3QqWVhVua0LuWOgfSeLotgqkgp95JOhYyy18l5SnkNUbdrDUXcCg7abyq1Aso
 =

-----BEGIN ASSIST BULLETIN-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
           Automated Systems Security Incident Support Team
             [ASSIST logo: "Integritas et Celeritas"]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 93-28
Release date: 22 October, 1993, 10:00 EDT

Subject: Security problems with SunOS "tar" and "sendmail", and system
         microphone.

PROBLEM AND AFFECTED SYSTEMS:

This bulletin addresses problems with the tar and sendmail utilities in
the versions of SunOS listed below, possible misuse of the system
microphone, and recommendations for corrections. ASSIST strongly
recommends that all DoD elements using any of these systems obtain and
install all patches, and take action to correct the microphone problem
immediately.

Versions of SunOS affected by the "tar" vulnerability and corresponding
patch numbers:
   - SunOS 5.1/Solaris 2.1: patch 100975-02
   - SunOS 5.2/Solaris 2.2: patch 101301-01

Versions of SunOS affected by the "sendmail" vulnerability and
corresponding patch numbers:

   - SunOS 4.1.1, 4.1.2, and 4.1.3: patch 100377-07
   - SunOS 5.1/Solaris 2.1: patch 100840-03
   - SunOS 5.2/Solaris 2.2: patch 101077-03

tar AND sendmail PROBLEM DESCRIPTIONS AND PATCH INFORMATION:

A. "tar": the Solaris 2.x tar writes extraneous information into the
archive files it produces. The extraneous data, which can include user
IDs (but not passwords), is ignored when the archive files are restored
to disk. The patched tar produces archive files in the same format as
all other versions, but any extraneous data is set to zero. Restoring an
existing archive file to disk and then producing a new file with the
patched tar will result in a clean archive file with no extra non-zero
data.

A version of this patch has been prepared for the upcoming release of
Solaris 2.3, and will be available as soon as 2.3 is released. The patch
ID at that time will be 101327-01. Currently available patches are
summarized in the table below (Bug ID 1145463).

   System       Patch ID   Filename         BSD        SVR4
                                            Checksum   Checksum
   ------       --------   ---------------  ---------  -----------
   Solaris 2.2  101301-01  101301-01.tar.Z  22089 390  4703 779

The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version that
Sun has released on Solaris 2.x (/usr/bin/sum).

B. "sendmail" creates a security hole which allows remote users access
to some files on the affected system.

A version of this patch is being prepared for the upcoming Solaris 2.3
release, but no patch ID is available at this time. Currently available
patches are summarized in the table below (Bug ID 1144946).
   System       Patch ID   Filename         BSD        SVR4
                                            Checksum   Checksum
   ------       --------   ---------------  ---------  -----------
   SunOS 4.1.x  100377-07  100377-07.tar.Z  36122 586  11735 1171
   Solaris 2.1  100840-03  100840-03.tar.Z  01153 194  39753 388
   Solaris 2.2  101077-03  101077-03.tar.Z  49343 177  63311 353

The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version that
Sun has released on Solaris 2.x (/usr/bin/sum).

POTENTIAL MISUSE OF /DEV/AUDIO DEVICES:

The initial permissions for the audio data device, /dev/audio, allow
anyone to listen with the microphone when it is turned on. Also, the
permissions for the audio control device, /dev/audioctl, allow anyone to
vary playback and record settings such as volume. "Anyone", in this
case, may include users on a remote workstation (depending, for example,
on the settings in the user's .rhosts file). The following information
about this problem applies to both 4.1.x and 5.x systems.

NOTE: ASSIST recommends that system microphones located in areas where
sensitive information is discussed remain off or unplugged at all times
to prevent unauthorized listening.

One way to prevent unauthorized use of the system's audio devices is to
become root and change the permissions and owner of /dev/audio and
/dev/audioctl. The owner should be the user that will use the machine's
console.
For example, to allow only the user "graff" read and write access to the
audio device and audio control device, execute commands such as:

   # chmod 600 /dev/audio*
   # chown graff /dev/audio*

then check to see that the permissions resemble:

   # ls -lL /dev/audio*
   crw-------  1 graff    sys       28,  0 Jul 12 14:20 /dev/audio
   crw-------  1 graff    sys       28,128 Jul 12 14:20 /dev/audioctl

The owner and permissions for /dev/audio and /dev/audioctl will stay the
same until manually changed, so if you want a different user to have
access to the microphone you will need to use chown to change the owner
of /dev/audio and /dev/audioctl to the new user.

On SunOS 4.1.x systems, the /etc/fbtab file can be used to automatically
have the audio data device and audio control device accessible to only
the console user. This capability does not exist in Solaris 2.1 and 2.2,
but similar functionality (see /etc/logindevperm) has been added to the
upcoming 2.3 release.

To restrict access to the audio devices using the SunOS 4.1.x /etc/fbtab
file, become root and edit /etc/fbtab, adding these lines to the end of
the file:

   /dev/console 0600 /dev/audio
   /dev/console 0600 /dev/audioctl

Then logout and login. Check the permissions with ls; they should look
like this if the console user is root:

   # ls -lg /dev/audio*
   crw-------  1 root     daemon    69,  0 Jul 12 15:26 /dev/audio
   crw-------  1 root     daemon    69,  1 Jul 12 15:26 /dev/audioctl

If a non-root user is logged into the console the owner will be that
user and the group will be the user's default group. When no one is
logged into the console the /etc/fbtab entry above will cause /dev/audio
and /dev/audioctl to have these permissions:

   # ls -lg /dev/audio*
   crw-------  1 root     wheel     69,  0 Jul 12 15:26 /dev/audio
   crw-------  1 root     wheel     69,  1 Jul 12 15:26 /dev/audioctl
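The chmod/chown steps and the /etc/fbtab entries above can be checked rather than trusted. The following is an added audit script, not part of the bulletin or of Sun's own tooling. It applies the bulletin's criterion (each audio device mode 0600 and owned by the console user) to a device's permission bits, and parses fbtab-style lines to confirm that both /dev/audio and /dev/audioctl are handed to /dev/console with mode 0600. The device paths, the user name "graff" and the sample fbtab text are taken from the bulletin; the colon-separated device list accepted by the parser is an assumption about the fbtab format and is not shown on this page.

```python
"""Audit audio device permissions and /etc/fbtab entries (added example)."""
import os
import pwd
import stat

# Device nodes named in the bulletin.
AUDIO_DEVICES = ("/dev/audio", "/dev/audioctl")


def exposure_findings(mode, owner, console_user):
    """Return a list of problems for a device node with the given st_mode
    permission bits and owner name, judged against the bulletin's
    recommendation (mode 0600, owned by the console user). An empty list
    means the device is restricted as recommended."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others (anyone can listen)")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (anyone can change settings)")
    if owner != console_user:
        findings.append("owned by %s, not console user %s" % (owner, console_user))
    return findings


def audit_device(path, console_user):
    """Stat a real device node and report findings; None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)  # uid with no passwd entry
    return exposure_findings(st.st_mode, owner, console_user)


def audit_all(console_user):
    """Findings for every audio device present on this host, keyed by path."""
    return {dev: audit_device(dev, console_user) for dev in AUDIO_DEVICES}


def parse_fbtab(text):
    """Parse fbtab-style lines 'console-device mode device[:device...]' into
    {device: (console_device, mode)}. Comment (#) and blank lines are
    skipped; the colon-separated device list is an assumed extension."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line: ignore rather than guess
        console_dev, mode, devices = fields
        for dev in devices.split(":"):
            entries[dev] = (console_dev, int(mode, 8))
    return entries


def fbtab_restricts_audio(text):
    """True when both audio devices are given to the console login with 0600,
    which is what the two lines the bulletin adds to /etc/fbtab do."""
    entries = parse_fbtab(text)
    return all(entries.get(dev) == ("/dev/console", 0o600) for dev in AUDIO_DEVICES)


if __name__ == "__main__":
    # Constructed sample: the exact lines the bulletin appends to /etc/fbtab.
    SAMPLE_FBTAB = "/dev/console 0600 /dev/audio\n/dev/console 0600 /dev/audioctl\n"
    print("fbtab restricts audio:", fbtab_restricts_audio(SAMPLE_FBTAB))
    for dev, result in audit_all("graff").items():
        print(dev, "absent" if result is None else (result or "ok"))
```

Run as root on the workstation after applying the bulletin's commands: an empty findings list for each device, and True for the fbtab check, means the configuration matches the `ls -lL` output shown above. The mode check is deliberately done on the permission bits rather than by string-matching `crw-------`, so it also catches a device that is still group-readable, which the bulletin's criterion rejects.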
D. How to obtain Sun security patches

Customers with Sun support contracts can obtain the patches listed here,
and all Sun security patches, from:

   - Your local Sun answer centers, worldwide
   - SunSolve Online

Please refer to the Bug ID and Patch ID when requesting patches from Sun
answer centers.

Security patches are also available without a support contract via
anonymous ftp:

   - In the US, from /systems/sun/sun-dist on ftp.uu.net
   - In Europe, from ~ftp/sun/fixes on ftp.eu.net

ASSIST is an element of the Defense Information Systems Agency (DISA),
Center for Information Systems Security (CISS), that provides service to
the entire DoD community. If you have any questions about ASSIST or
computer security issues, contact ASSIST using one of the methods listed
below. If you would like to be included in the distribution list for
these bulletins, send your Milnet (Internet) e-mail address to
assist-request@assist.ims.disa.mil. Back issues are available through
anonymous ftp from assist.ims.disa.mil.

ASSIST contact information:

PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday
through Friday. During off duty hours, weekends, and holidays, ASSIST
can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937.
Your page will be answered within 30 minutes; however, if a quicker
response is required, prefix your phone number with "999" and ASSIST
will return your call within 5 minutes.

ELECTRONIC MAIL: assist@assist.ims.disa.mil.

ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption
tool, to digitally sign all bulletins that are distributed through
e-mail. The section of seemingly random characters between the "BEGIN
PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains
machine-readable digital signature information generated by PEM, not
corrupted data.
Recipients of ASSIST bulletins who use PEM will be able to verify with a
very high level of assurance that the information originated from
ASSIST. PEM is compatible with all e-mail implementations available on
the Milnet, and sites not using PEM will still be able to read bulletins
that have PEM digital signatures.

Information about PEM can be obtained via anonymous ftp from nic.ddn.mil
(IP 192.112.36.5) in the /rfc directory, files rfc1421.txt, rfc1422.txt,
rfc1423.txt, and rfc1424.txt. These files can also be downloaded from
the ASSIST BBS. PEM software for UNIX systems is available from Trusted
Information Systems (TIS) at no cost, and can be obtained via anonymous
FTP from ftp.tis.com (IP 192.94.214.100).

Note: The TIS software is just one of several implementations of PEM
currently available, and additional versions are likely to be offered
from other sources in the near future.

-----END PRIVACY-ENHANCED MESSAGE-----
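The patch tables in sections A and B give two checksums per archive because SunOS ships two incompatible `sum` programs, and a patch fetched as described in section D should be compared against whichever column matches the `sum` on the receiving host. The following added example, not code from the bulletin or from Sun, implements both algorithms so the comparison can be done without relying on the host's `sum`: the BSD rotating 16-bit checksum with 1024-byte block count (/bin/sum on 4.1.x, /usr/ucb/sum on Solaris 2.x, which zero-pads the checksum to five digits, as the "01153" entry shows) and the System V summation checksum with 512-byte block count (/usr/bin/sum on Solaris 2.x). The sample inputs in the code are constructed; the expected values used by `checksums_match` are the bulletin's table entries, passed in as strings.

```python
"""BSD and SVR4 'sum' checksums for verifying patch archives (added example)."""


def bsd_sum(data):
    """BSD sum: 16-bit checksum rotated right one bit before each byte is
    added; block count is in 1024-byte units. Returns (checksum, blocks)."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024
    return checksum, blocks


def svr4_sum(data):
    """System V sum: all bytes are summed, then the 32-bit total is folded
    twice into 16 bits; block count is in 512-byte units."""
    total = sum(data)
    r = (total & 0xFFFF) + ((total & 0xFFFFFFFF) >> 16)
    checksum = (r & 0xFFFF) + (r >> 16)
    blocks = (len(data) + 511) // 512
    return checksum, blocks


def format_bsd(data):
    """Render like /usr/ucb/sum: checksum zero-padded to five digits."""
    checksum, blocks = bsd_sum(data)
    return "%05d %d" % (checksum, blocks)


def format_svr4(data):
    """Render like /usr/bin/sum: plain decimal checksum and block count."""
    return "%d %d" % svr4_sum(data)


def _parse_column(text):
    """Turn a table entry such as '22089 390' into the tuple (22089, 390)."""
    checksum, blocks = text.split()
    return int(checksum, 10), int(blocks, 10)


def checksums_match(data, expected_bsd, expected_svr4):
    """Compare an archive's bytes with both table columns. Both must agree;
    a mismatch in either means the file is not the one the table describes."""
    return (bsd_sum(data) == _parse_column(expected_bsd)
            and svr4_sum(data) == _parse_column(expected_svr4))


def blocks_consistent(expected_bsd, expected_svr4):
    """Sanity check on a table row itself: the two block counts describe the
    same file, so the 512-byte count must be 2*k-1 or 2*k for k 1K blocks."""
    bsd_blocks = _parse_column(expected_bsd)[1]
    svr4_blocks = _parse_column(expected_svr4)[1]
    return svr4_blocks in (2 * bsd_blocks - 1, 2 * bsd_blocks)


def verify_patch_file(path, expected_bsd, expected_svr4):
    """Read a downloaded patch archive and check it against its table row."""
    with open(path, "rb") as fh:
        return checksums_match(fh.read(), expected_bsd, expected_svr4)


if __name__ == "__main__":
    # Constructed sample bytes, not a real patch archive.
    sample = b"ab"
    print("BSD :", format_bsd(sample))
    print("SVR4:", format_svr4(sample))
    # Rows copied from the sendmail table in section B.
    for row in (("36122 586", "11735 1171"), ("01153 194", "39753 388"),
                ("49343 177", "63311 353")):
        print(row, "block counts consistent:", blocks_consistent(*row))
```

To check a downloaded archive, call `verify_patch_file("101077-03.tar.Z", "49343 177", "63311 353")` with the row for that file; `blocks_consistent` is a cheap cross-check that a transcribed table row is self-consistent before any download is compared against it, and every row in sections A and B passes it.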