***********************************************************************
DDN Security Bulletin 9009 DCA DDN Defense Communications System
16 Aug 90 Published by: DDN Security Coordination Center
(SCC@NIC.DDN.MIL) (800) 235-3155
The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.67.67.20] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001).
**********************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Communications Agency's Security Coordination !
! Center distribution system as a means of providing DDN !
! subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
CA-90:05 CERT Advisory
August 14, 1990
Sun has recently released a patch for a security hole in SunView. This problem affects SunView running on all versions of SunOS (3.5 and before, 4.0, 4.0.1, 4.0.3, and 4.1) and all platforms (Sun3, Sun4, 386i). This vulnerability allows any remote system to read selected files from the workstation running SunView. As noted below in the IMPACT section, the files that can be read are limited.
This vulnerability is in the SunView (aka SunTools) selection_svc facility and can be exploited while SunView is in use; however, as noted below in the IMPACT section, this bug may be exploitable after the user quits using SunView. This problem cannot be exploited while X11 is in use (unless the user runs X11 after running SunView; see the IMPACT section). This problem is specific to Sun's SunView software; to our knowledge, this problem does NOT affect other vendor platforms or software.
To obtain the patch, please call your local Sun Answer Center (in the USA, it's 1-800-USA-4SUN), and ask for patch number 100085-01. You can also reference Sun Bug ID 1039576.
The patch is available for SunOS 4.0.1, 4.0.3 and SunOS 4.1, on Sun3, Sun4, and 386i architectures. Contact Sun for further details.
On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView. On the 386i, a remote system can read any file on the workstation running SunView regardless of protections. Note that if root runs SunView, all files are potentially accessible by a remote system.
If the password file with the encrypted passwords is world readable, an intruder can take the password file and attempt to guess passwords. In the CERT/CC's experience, most systems have at least one password that can be guessed.
SunView does not kill the selection_svc process when the user quits from SunView. Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran SunView. Under these circumstances, a user who has run SunView can start using another window system (such as X11), or even log off, and still have files accessible to remote systems. However, even though selection_svc is not killed when SunView exits, the patch still solves the security problem and prevents remote access.
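An added example, not part of the CERT advisory or of Sun's patch: a shell check that reads a process listing and reports selection_svc processes whose owner no longer has a SunView session, flagging root-owned ones separately. It assumes a BSD-style ps layout with the command in column 11 and that the window system shows up as "sunview" or "suntools"; the sample listing is constructed.

```sh
#!/bin/sh
# Added example: report selection_svc processes with no SunView session behind them.
# Reads a BSD-style ps listing on stdin: owner in column 1, PID in column 2,
# command in column 11 (assumed layout).

find_lingering_selection_svc() {
    awk '
    $1 == "USER" { next }                      # skip the header row
    {
        n = split($11, parts, "/")             # tolerate a full path in COMMAND
        base = parts[n]
        if (base == "selection_svc") {
            svc[$2] = $1                       # pid -> owner
        } else if (base == "sunview" || base == "suntools") {
            active[$1] = 1                     # owner still has a session (assumed names)
        }
    }
    END {
        for (pid in svc) {
            owner = svc[pid]
            if (owner in active) continue      # session still running, not lingering
            tag = (owner == "root") ? "LINGERING-ROOT" : "LINGERING"
            print tag, owner, pid
        }
    }' | sort
}

# Constructed sample listing, not captured from a real host.
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM   SZ  RSS TT STAT START  TIME COMMAND
root       150  0.0  0.5   48   96 co S    09:02  0:00 selection_svc
alice      231  0.0  0.5   48   96 p0 S    09:10  0:00 selection_svc
bob        305  1.2  3.0  400  620 p1 S    10:00  0:04 sunview
bob        310  0.0  0.5   48   96 p1 S    10:01  0:00 selection_svc
alice      402  0.3  2.1  300  410 p0 S    11:15  0:01 xterm
EOF
}

sample_ps | find_lingering_selection_svc
```

On a live host, pipe the system's own ps listing into find_lingering_selection_svc in place of sample_ps.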
For further questions, please contact your Sun answer center or send mail to security-features@sun.com.
Thanks to Peter Shipley for discovering, documenting, and helping resolve this problem.
-----------------------------------------------------------------------------
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer