************************************************************************** Security Bulletin 9125 DISA Defense Communications System 9 December 1991 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9125). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + =========================================================================== CA-91:21 CERT Advisory December 6, 1991 SunOS NFS Jumbo and fsirand Patches --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning several vulnerabilities in Sun Microsystems, Inc. (Sun) Network File System (NFS) and the fsirand program. These vulnerabilities affect SunOS versions 4.1.1, 4.1, and 4.0.3 on all architectures. Sun has provided separate patches for these vulnerabilities for SunOS 4.1.1, and has provided an initial patch for SunOS 4.1. Sun will be providing complete patches for 4.1 and 4.0.3 at a later date. On SunOS 4.1.1 systems, Sun states that patch 100173-07 must be installed before patch 100424-1. The patches are available through your local Sun Answer Centers worldwide as well as through anonymous ftp from the ftp.uu.net (192.48.96.2) system in the /sun-dist directory. Fix PatchID Filename Checksum NFS Jumbo 4.1.1 100173-07 100173-07.tar.Z 07044 209 NFS Jumbo 4.1 100121-08 100121-08.tar.Z 61464 287 fsirand 4.1.1 100424-01 100424-01.tar.Z 63070 50 Please note that Sun will occasionally update patch files. If you find that the checksum is different please contact Sun or the CERT/CC for verification. Sun recommends that sites upgrade to SunOS 4.1.1 to benefit from the security improvements. In addition, they recommend the installation of all security-related patches applicable to the version of SunOS that you are running. A general NFS security note: due to security flaws in the protocol, the CERT/CC recommends filtering SunRPC and NFS IP packets (sockets 111 and 2049) between the local network and the Internet. This will prevent intruders outside your local network from accessing your files. --------------------------------------------------------------------------- NFS Jumbo Patch, SunOS 4.1.1 I. Description This patch fixes several SunOS NFS bugs (not all security-related). The patch file, 100173-08.tar.Z, contains fixes for SunOS version 4.1.1. The BugIDs fixed in this patch are: 1039977 1032959 1029628 1037476 1038302 1034328 1045536 1030884 1045993 1047557 1052330 1053679 1041409 1065361 1066287 1064433 1070654 See the README file provided with the patch for more information. II. Impact These vulnerabilities (and bugs) have multiple impacts, including crashing the system, allowing unauthorized system access, and causing a problem with file group ownership. III. Solution Obtain the patch from Sun or from ftp.uu.net and install, following the provided instructions, with the following exception: line 112 of the README file currently reads: mv /sys/`arch -k`/OBJ/nfs_subr.o /sys/arch -k`/OBJ/nfs_subr.o.FCS ^^^^^^^^ it should read: mv /sys/`arch -k`/OBJ/nfs_subr.o /sys/`arch -k`/OBJ/nfs_subr.o.FCS ^^^^^^^^^ (Note the one-character difference.) --------------------- NFS Jumbo Patch, SunOS 4.1 I. Description This patch fixes several SunOS NFS bugs (not all security-related). The patch file, 100121-08.tar.Z, contains fixes for SunOS version 4.1. The BugIDs fixed in this patch are: 1026933 1034007 1039977 1029628 1037476 1038327 1038302 1034328 1045536 1045993 1047557 1030884 1052330 1053679 See the README file provided with the patch for more information. II. Impact These vulnerabilities (and bugs) have multiple impacts, including crashing the system, allowing unauthorized system access, and causing a problem with file group ownership. III. Solution Obtain the patch from Sun or from ftp.uu.net and install, following the provided instructions. --------------------- fsirand, SunOS 4.1.1 I. Description A security vulnerability exists in SunOS NFS relating to the way in which it allocates file handles. The patch file, 100424-01.tar.Z, contains a fix for SunOS version 4.1.1. The BugID fixed in this patch is 1063470. II. Impact The fsirand program could allow a remote system user to guess NFS file handles, thereby potentially allowing them to mount and access your NFS file systems. III. Solution Obtain the patch from Sun or from ftp.uu.net and install, following the provided instructions. You must install PatchID 100173-07 before installing this patch. --------------------------------------------------------------------------- The CERT/CC wishes to thank Bob Drzyzgula of the Federal Reserve Board, Leendert van Doorn of Vrije University, and Wietse Venema of Eindhoven University for their assistance. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail. Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4), on call for emergencies during other hours. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories and other information related to computer security are available for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.