************************************************************************** Security Bulletin 9319 DISA Defense Communications System October 22, 1993 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= CA-93:15 CERT Advisory October 21, 1993 /usr/lib/sendmail, /bin/tar, and /dev/audio Vulnerabilities ----------------------------------------------------------------------------- The CERT Coordination Center has learned of several vulnerabilities affecting Sun Microsystems, Inc. (Sun) operating systems. Three separate vulnerabilities are described in this advisory. The first and third vulnerabilities affect all versions of SunOS 4.1.x and all versions of Solaris 2.x. The second affects all systems running any version of Solaris 2.x (but does not affect SunOS 4.1.x systems). Patches can be obtained from local Sun Answer Centers worldwide as well as through anonymous FTP from the ftp.uu.net (192.48.96.9) system in the /systems/sun/sun-dist directory. In Europe, these patches are available from ftp.eu.net in the /sun/fixes directory. Information concerning specific patches is outlined below. Please note that Sun sometimes updates patch files. If you find that the checksum is different, please contact Sun. ----------------------------------------------------------------------------- I. /usr/lib/sendmail Vulnerability This vulnerability affects all versions of SunOS 4.1.x including 4.1.1, 4.1.2, 4.1.3, 4.1.3c, and all versions of Solaris 2.x including Solaris 2.1 (SunOS 5.1) and Solaris 2.2 (SunOS 5.2). Sun is preparing a version of this patch for Solaris 2.3 but no patch ID is available at this time. ** This vulnerability is being actively exploited and we strongly recommend that sites take immediate and corrective action. ** A. Description A vulnerability exists in /usr/lib/sendmail such that remote users may gain access to affected systems. B. Impact Unauthorized access to affected systems may occur. C. Solution 1. Obtain and install the appropriate patch following the instructions included with the patch. System Patch ID Filename BSD Solaris Checksum Checksum ------ -------- --------------- --------- ----------- SunOS 4.1.x 100377-07 100377-07.tar.Z 36122 586 11735 1171 Solaris 2.1 100840-03 100840-03.tar.Z 01153 194 39753 388 Solaris 2.2 101077-03 101077-03.tar.Z 49343 177 63311 353 The checksums shown above are from the BSD-based checksum (on 4.1.x, /bin/sum; on Solaris, /usr/ucb/sum) and from the SVR4 version that Sun has released with Solaris (/usr/bin/sum). II. Solaris 2.x /bin/tar Vulnerability This vulnerability exists in all versions of Solaris 2.x including Solaris 2.1 and Solaris 2.2. Information about patches for current versions of Solaris is described below. Sun is preparing a patch for the upcoming Solaris 2.3 release. The patch ID will be 101327-01, and it will be available as soon as Solaris 2.3 is shipped. This vulnerability does not exist in SunOS 4.1.x systems. A. Description A security vulnerability exists in /bin/tar such that tarfiles created using this utility may incorporate portions of the /etc/passwd file. B. Impact Usernames and other information from /etc/passwd and /etc/group may be disclosed. However, since Solaris 2.x uses shadow passwords, encrypted passwords should not appear in /etc/passwd and therefore should not be disclosed by this vulnerability. C. Solution We recommend that all affected sites take the following steps to secure their systems. 1. Obtain and install the appropriate patch following the instructions included with the patch. System Patch ID Filename BSD Solaris Checksum Checksum ------ -------- --------------- --------- ----------- Solaris 2.1 100975-02 100975-02.tar.Z 37034 374 13460 747 Solaris 2.2 101301-01 101301-01.tar.Z 22089 390 4703 779 The checksums shown above are from the BSD-based checksum (on 4.1.x, /bin/sum; on Solaris, /usr/ucb/sum) and from the SVR4 version that Sun has released with Solaris 2.x (/usr/bin/sum). 2. If your site is not using shadow passwords, we recommend that all passwords be changed, especially those for sensitive accounts such as root. 3. Depending upon the sensitivity of the information contained in the /etc/passwd file, sites may wish to replace existing tar files where this is possible. Restoring an existing archive file, and then producing a new tarfile with the patched tar, will result in a clean archive file. III. /dev/audio Vulnerability This vulnerability affects all Sun systems with microphones. This includes all versions of SunOS 4.1.x including 4.1.1, 4.1.2, 4.1.3, 4.1.3c, and all versions of Solaris 2.x including Solaris 2.1 (SunOS 5.1) and Solaris 2.2 (SunOS 5.2). Sun is addressing this problem in Solaris 2.3. A. Description /dev/audio is set to a default mode of 666. There is also no indication to the user of the system that the microphone is on. B. Impact Any user with access to the system can eavesdrop on conversations held in the vicinity of the microphone. C. Solution To prevent unauthorized listening with the microphone, the permissions of the audio data device (/dev/audio) should allow only the user logged in on the console of the machine to read /dev/audio. To prevent unauthorized changes in playback and record settings, the permissions on /dev/audioctl should be similarly changed. *** Any site seriously concerned about the security risks associated with the microphone should either switch off the microphone, or unplug the microphone to prevent unauthorized listening. *** 1. Restricting access on 4.x systems Use fbtab(5) to restrict the access to these devices. See the man page for more information about this procedure. 2. Restricting access on Solaris 2.x systems To restrict access to these devices to a specific users, the permissions on the device files must be manually changed. As root: # chmod 600 /dev/audio # chown . /dev/audio # chmod 600 /dev/audioctl # chown . /dev/audio --------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Paul De Bra, Department of Computing Science, Eindhoven University of Technology; David Slade of Bellcore; and Mabry Tyson of SRI for reporting these vulnerabilities, and Sun Microsystems, Inc. for their response to these problems. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in FIRST (Forum of Incident Response and Security Teams). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from cert.org (192.88.209.5). **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * ****************************************************************************