************************************************************************** Security Bulletin 9323 DISA Defense Communications System December 16, 1993 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= CA-93:19 CERT Advisory December 16, 1993 Solaris System Startup Vulnerability ----------------------------------------------------------------------------- The CERT Coordination Center has received information concerning a vulnerability in the system startup scripts on Solaris 2.x and Solaris x86 systems. The changes described below will be integrated into the upcoming Solaris release. ----------------------------------------------------------------------------- I. Description If fsck(8) fails during system boot, a privileged shell is run on the system console. This behavior can represent a security vulnerability if users, who would normally not have root access, have physical access to the console at boot time. An attacker can force the failure to occur. II. Impact This vulnerability allows anyone with physical access to the system console to gain root access. III. Solution A simple change to each of two system scripts can be used to close this potential security hole. The new behavior will cause the system to run the privileged shell only if the user at the console enters the correct root password. If you wish to make the change on your own systems, edit both /sbin/rcS and /sbin/mountall, changing every occurrence of: /sbin/sh < /dev/console to: /sbin/sulogin < /dev/console As distributed by Sun, /sbin/rcS contains one occurrence of this string, at line 152; and /sbin/mountall contains two, one at line 66 and one at line 250. Once these changes are made, sulogin will request the root password in the event fsck(8) fails, before starting a privileged shell. The success or failure of sulogin will be logged in /var/adm/sulog. --------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Sun Microsystems, Inc. for their support in responding to this problem. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * ****************************************************************************