NASIRC BULLETIN #93-04                                    October 21, 1993

SUNOS AND SOLARIS SECURITY VULNERABILITIES
(/usr/lib/sendmail, /bin/tar, and /dev/audio)
===========================================================================
           NASA Automated Systems Incident Response Capability
===========================================================================

NASIRC has learned about three security vulnerabilities associated with
SunOS versions 4.1.x and 5.x. These three vulnerabilities are in sendmail
and the microphone (audio device) under SunOS 4.1.x and 5.x, and in tar
under SunOS 5.x.

1. SunOS 4.1.x and 5.x Sendmail.

This security vulnerability may allow remote users to access system files
using sendmail on SunOS 4.1.x and SunOS 5.x (Solaris 2.x). Successful
exploitation of this vulnerability could result in unauthorized access to
system files.

The /usr/lib/sendmail utility under SunOS 4.1.x and SunOS 5.x permits
unauthorized access to some system files by remote users. This access may
allow compromise of the system.

Note that this vulnerability is being actively exploited. NASIRC strongly
recommends that sites take immediate corrective action.

Sun Microsystems has released patched versions of the sendmail program for
all affected versions of SunOS:

                                              BSD          SVR4
System       Patch ID   Filename           Checksum     Checksum
-----------  ---------  ---------------    ----------   ----------
SunOS 4.1.x  100377-07  100377-07.tar.Z    36122  586   11735 1171
SunOS 5.1    100840-03  100840-03.tar.Z    01153  194   39753  388
SunOS 5.2    101077-03  101077-03.tar.Z    49343  177   63311  353

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).
Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net
(IP 192.48.96.9) in the directory /systems/sun/sun-dist.

------------------

2. The security vulnerability in tar under SunOS 5.x pertains to archives
created with the tar utility containing extraneous user information. This
could result in user and system information being unintentionally
disclosed.

Archive files created with the /bin/tar utility under SunOS 5.x contain
extraneous user information from the /etc/passwd and /etc/group files.
Note that the extraneous data does not include user passwords; however,
system configuration and user information may be unintentionally disclosed
should the archive files be distributed.

Sun Microsystems has released patched versions of the tar utility for all
affected versions of SunOS. The patched tar utility produces archive files
in the same format as all other versions, but any extraneous data is set to
zero. Restoring an existing archive file to disk, and then creating a new
file with the patched tar, will result in a clean archive file with no
extraneous data.

                                              BSD          SVR4
System       Patch ID   Filename           Checksum     Checksum
-----------  ---------  ---------------    ----------   ----------
SunOS 5.1    100975-02  100975-02.tar.Z    37034  374   13460  747
SunOS 5.2    101301-01  101301-01.tar.Z    22089  390    4703  779

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net
(IP 192.48.96.9) in the directory /systems/sun/sun-dist.

------------------
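Both patch tables above (sections 1 and 2) publish two checksums for each archive: the BSD rotating checksum with a 1024-byte block count (/bin/sum, /usr/ucb/sum) and the System V folded checksum with a 512-byte block count (/usr/bin/sum), which is why the second block count is roughly double the first. The following is an added example, not part of the bulletin: a Python reimplementation of both algorithms so an administrator without the Sun tools at hand can check a downloaded patch tarball against the published pair. The sample bytes and expected values in it are constructed for the demonstration, not taken from the tables.

```python
"""Verify a downloaded Sun patch archive against the BSD and SVR4 checksums
published in a NASIRC bulletin. Added example; not part of the bulletin."""
import math


def bsd_sum(data: bytes) -> tuple[int, int]:
    """BSD checksum (SunOS 4 /bin/sum, SunOS 5 /usr/ucb/sum): a 16-bit
    accumulator rotated right one bit before each byte is added; the second
    value is the size in 1024-byte blocks, rounded up."""
    cksum = 0
    for b in data:
        cksum = (cksum >> 1) + ((cksum & 1) << 15)   # rotate right by one
        cksum = (cksum + b) & 0xFFFF
    return cksum, math.ceil(len(data) / 1024)


def sysv_sum(data: bytes) -> tuple[int, int]:
    """System V checksum (SunOS 5 /usr/bin/sum): the 32-bit sum of all bytes
    folded twice into 16 bits; the second value is the size in 512-byte
    blocks, rounded up."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    s = (r & 0xFFFF) + (r >> 16)
    return s, math.ceil(len(data) / 512)


def verify_patch(data: bytes, bsd_expected, sysv_expected) -> dict:
    """Report which of the two published checksums the archive matches.
    A mismatch on either means the file should not be installed."""
    return {
        "bsd": bsd_sum(data) == tuple(bsd_expected),
        "sysv": sysv_sum(data) == tuple(sysv_expected),
    }


def verify_patch_file(path: str, bsd_expected, sysv_expected) -> dict:
    """Same check against a file on disk, e.g. a downloaded NNNNNN-NN.tar.Z."""
    with open(path, "rb") as f:
        return verify_patch(f.read(), bsd_expected, sysv_expected)


if __name__ == "__main__":
    # Constructed sample standing in for a patch archive; the expected
    # values are those of this sample, not of any real Sun patch.
    sample = b"ab"
    print(bsd_sum(sample), sysv_sum(sample))          # (32914, 1) (195, 1)
    print(verify_patch(sample, (32914, 1), (195, 1)))  # both True
```

For a real archive, call verify_patch_file with the path and the two pairs from the table row for that Patch ID, e.g. (36122, 586) and (11735, 1171) for 100377-07.tar.Z.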
3. The security vulnerability with Sun microphones pertains to the
potential use of these microphones for eavesdropping.

Sun Microsystems has released information regarding the potential for
microphones attached to Sun workstations to be used to eavesdrop on
conversations near the computer. Software solutions to reduce the risk are
described below. Note, however, that NASIRC strongly recommends that
microphones on systems in sensitive areas be either physically switched off
or disconnected from the system.

The initial permissions for the audio data device, /dev/audio, allow any
user with an account on the system to listen with the microphone when it is
turned on. Also, the permissions for the audio control device,
/dev/audioctl, allow anyone to vary playback and record settings such as
volume.

Unauthorized use of the system's audio devices may be prevented by changing
the permissions and ownership of /dev/audio and /dev/audioctl.

On SunOS 4.x systems, the /etc/fbtab file may be used to automatically
control access to the audio devices. As root, add the following lines to
the end of the file:

   /dev/console    0600    /dev/audio
   /dev/console    0600    /dev/audioctl

On SunOS 5.x (Solaris 2.x) systems, the file permissions must be manually
changed. As root, execute the following commands, substituting for
<username> the username of the individual that should have access to the
microphone:

   # chmod 600 /dev/audio*
   # chown <username> /dev/audio*

------------------

NASIRC ACKNOWLEDGES: Sun Microsystems, CIAC, and CERT for their reporting,
handling and coordination of the solution to this problem.

Security checklists, toolkits and guidance are available from the NASIRC
online archives. Contact the NASIRC Helpdesk for more information and
assistance with toolkits or security measures.
==================================================================
For further assistance, please contact the NASIRC Helpdesk:

   Phone:                   1-800-7-NASIRC
   Fax:                     1-301-306-1010
   Internet Email:          nasirc@nasa.gov
   24 Hour/Emergency Pager: 1-800-759-7243/Pin:5460866
==================================================================

This bulletin may be forwarded without restrictions to sites and system
administrators within the NASA community.

-----------------

PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams
(FIRST), a world-wide organization which provides for coordination between
incident response teams in handling computer-security-related issues. A
list of FIRST member organizations and their constituencies can be obtained
by sending email to docserver@first.org with an empty subject line and a
message body containing the line:

   send first-contacts