************************************************************************** Security Bulletin 9543 DISA Defense Communications System October 27, 1995 Published by: DISN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/disn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/disn-security-9531). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 95-41 Release date: 26 October, 1995, 1:20 PM EDT (GMT -4) SUBJECT: Syslog Vulnerability - A Workaround for Sendmail. SUMMARY: This bulletin provides information about a problem with the syslog(3) subroutine. The the problem is present in virtually all versions of the UNIX Operating System except the following: Sony's NEWS-OS 6.X SunOS 5.5 (Solaris 2.5) Linux with libc version 4.7.2, released May 1995 The vulnerability is being exploited with a script that has been written to be used with sendmail. This advisory includes a workaround that for the sendmail problem, but not for other programs that use the syslog(3)subroutine, i.e. telnetd, ftpd, httpd, etc. BACKGROUND: The syslog(3) subroutine uses an internal buffer for building messages that are sent to the syslogd(8) daemon. This subroutine does no range checking on data stored in this buffer. It is possible to overflow the internal buffer and rewrite the subroutine call stack. It is then possible to execute arbitrary programs. The sendmail(8) program uses the syslog(3) subroutine, and a script has been written and is being used to exploit the vulnerability. IMPACT: Local and remote users can execute commands and potentially gain root access. Prior access to the system is not required. RECOMMENDED SOLUTIONS: ASSIST recommends DoD elements take action on all 3 items (A, B, and C) cited in this section. A. Install vendor syslog patches when they become available. - ------------------------------------------------------------ Information we received from vendors as of the date of this is attached as Appendix A. Installing patches will require you to recompile/relink any programs built on your system that have been compiled without shared libraries, that is, compiled statically. Be especially careful of programs that contain their own versions of the syslog(3) subroutine. You may need to do significant extra work to compile those programs to use the vendor-supplied patches. B. Install sendmail version 8.7.1. - ---------------------------------- NOTE: This workaround addresses the syslog(3) vulnerability in sendmail only. The vulnerability still exists in all other programs that use syslog(3). When your vendor(s) provides a patch, we recommend that you rebuild sendmail version 8.7.1 with the patched syslog(3) and place that newly compiled version into service. Sendmail is available by anonymous FTP from ftp://info.cert.org/pub/tools/sendmail/ ftp://ftp.cs.berkeley.edu/ucb/sendmail/ Checksum: MD5 (sendmail.8.7.1.tar.Z) = 4a66d07a059d1d5af5e9ea53ff1b396a Depending upon your currently installed sendmail program, switching to a different sendmail may require significant effort (such as rewriting the sendmail.cf file). See Section C(3) for additional notes on installation. In addition, Sections C(1) and C(2) below contain scripts for building sendmail 8.7.1 for SunOS 4.1.X and Solaris 2.X, respectively. C. Install smrsh. - ----------------- To restrict the sendmail program mailer facility, install and use the sendmail restricted shell program (smrsh). It is recommended that you do this regardless of whether you use the vendor's supplied sendmail or you install sendmail version 8.7.1. Smrsh is now included in the sendmail 8.7.1 distribution in the subdirectory smrsh. See the RELEASE_NOTES file for a description of how to integrate smrsh into your sendmail configuration file. 1. Building this package for SunOS 4.1.X. Here is a script that is given as an illustration of how to build sendmail 8.7.1 for SunOS 4.1.X. Please refer to READ_ME in the src subdirectory for a more complete explanation of other options available during the compilation process. % uname -sr SunOS 4.1.2 % ls sendmail.8.7.1.tar.Z % zcat sendmail.8.7.1.tar.Z | tar xf - % cd sendmail-8.7.1/src % ./makesendmail LIBS='-lresolv' DBMDEF='-DNDBM -DNIS' \ INCDIRS= LIBDIRS= sendmail Configuration: os=SunOS, rel=4.1.2, rbase=4, arch=sun4, sfx= Creating obj.SunOS.4.1.2.sun4 using Makefile.SunOS Making dependencies in obj.SunOS.4.1.2.sun4 Making in obj.SunOS.4.1.2.sun4 ... See Section VI for final installation steps. 2. Building this package for Solaris 2.X. Here is a typescript that is given as an illustration for how to build sendmail 8.7.1 for Solaris 2.X. Note that this procedure assumes that you have the GNU gcc system. The examples below used gcc version 2.6.3. Refer to READ_ME in the src sub-directory for a more complete explanation of other options available during the compilation process. % uname -sr SunOS 5.4 % ls sendmail.8.7.1.tar.Z % zcat sendmail.8.7.1.tar.Z | tar xf - % cd sendmail-8.7.1/src % ./makesendmail LIBS='-lresolv -lsocket -lnsl -lelf' \ INCDIRS= LIBDIRS= sendmail Configuration: os=SunOS, rel=5.4, rbase=5, arch=sun4, sfx= Creating obj.SunOS.5.4.sun4 using Makefile.SunOS.5.4 Making dependencies in obj.SunOS.5.4.sun4 ... Note: If you wish sendmail version 8.7.1 to use the aliases and configuration file directory conventions from SunOS 5.4, use the following command: ./makesendmail LIBS='-lresolv -lsocket -lnsl -lelf' \ ENVDEF='-DSOLARIS=204 -DUSE_VENDOR_CF_PATH' INCDIRS= \ LIBDIRS= sendmail 3. Final Installation Notes. Sendmail can then be installed and configured with new configuration files as needed. We strongly recommend that if you change to sendmail 8.7.1, you also change to the configuration files that are provided with that version. Significant work has been done to make this task easier. It is now possible to build a sendmail configuration file (sendmail.cf) using the configuration files provided with this release. Consult the cf/READ_ME file for a more complete explanation. We recommended that you create your configuration files using this method because it provides a technique for incorporating any future changes to sendmail into your configuration files. In addition, we recommend that you recreate your configuration file (sendmail.cf) using the configuration files provided with 8.7.1. Finally, for Sun users, a paper is available to help you convert your sendmail configuration files from the Sun version of sendmail to one that works with version 8.7.1. The paper is entitled "Converting Standard Sun Config Files to Sendmail Version 8" and was written by Rick McCarty of Texas Instruments Inc. It is included in the distribution and is located in contrib/converting.sun.configs. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST would like to thank the CERT Coordination Center for information contained in this bulletin. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/ institutions, contact the Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided. ASSIST Contact Information: PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700. ELECTRONIC MAIL: assist@assist.mil. ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for the "sysop". FAX: COMM 703-607-4735, DSN 607-4735 ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt, and through the world wide web from http://net-dist.mit.edu/pgp.html. In accordance with the terms of that license, PGP 2.6.2 may be used for non-commercial purposes only. Instructions for downloading the PGP 2.6.2 software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW 3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9 0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9 O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg== =d5rP - -----END PGP PUBLIC KEY BLOCK----- Appendix A: Vendor Information Current as of October 19, 1995 Below is information we have received from vendors concerning the vulnerability described in this advisory. If you do not see your vendor's name, please contact the vendor directly for information. In addition to vendor information, note that the freely available Linux withlibc version 4.7.2, released May 1995, is not vulnerable. - -------------------- Eric Allman Sendmail version 8.7.1 is not vulnerable. This version is available by anonymous FTP from ftp://info.cert.org/pub/tools/sendmail/ ftp://ftp.cs.berkeley.edu/ucb/sendmail/ ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/ ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/ Checksum: MD5 (sendmail.8.7.1.tar.Z) = 4a66d07a059d1d5af5e9ea53ff1b396a - -------------------- Berkeley Software Design, Inc. Users of BSD/OS V2.0 and V2.0.1 by Berkeley Software Design, Inc. should install patch U201-001 which works for both versions. The patch is availableto all BSDI customers in: ftp://ftp.bsdi.com/bsdi/patches/ md5 checksum: 88b3fd8c83a5926589d7b87b55bc4e14 - -------------------- Cray Research Information about fixes for the syslog problem can be found in FN #2011, dated October 10, 1995. Customers should receive this information from their Cray Research service representative. For all source installations, your Cray Research service representative can obtain the fix via the getfix tool. Due to the number of executables which use this library routine, it is not possible to provide getfix packages for all binary installations. UNICOS binary update packages 8.0.4.2 and 9.0.1.2 include this mod. FIX AVAILABILITY ---------------- Release Level Fix Package Affected Product Containing Fix Availability ================ ============== =========== UNICOS 8.0 UNICOS 8.0.4.2 * source only UNICOS 8.3 ** source only UNICOS 9.0 UNICOS 9.0.1.2 * source only * This update is not yet available. ** No more updates planned - -------------------- Digital Equipment Corporation At the time of writing this document, patches(binary kits) for Digital's ULTRIX platforms are in final testing and packaging. V4.3 (both VAX and RISC) thru V4.5. Similar patches(binary kits) for OSF/1 versions are in progress and testing is expected to begin the week of October 23, 1995 and then packaged for Customer distribution estimated to available in November. Digital will provide notice of the completion of the kits through AES services (DIA, DSNlink FLASH) and be available from your normal Digital Support channel. Digital's Software Security Response Team 10/18/95 - -------------------- Open Software Foundation OSF cannot reproduce the security hole in OSF/1. However we have reproduced the problem with syslog(3). We have a fix for the syslog(3) problem. Support customers should contact OSF for the fix. The fix will be included in the OSF/1 R1.3.2 update release. - -------------------- Silicon Graphics Inc. SGI has been in coordination with CERT regarding this issue. Specific SGI information was not complete before CERTs submission deadline for this advisory. SGI does have pending information and this information will be available viaanonymous ftp (sgigate.sgi.com) and/or your SGI service provider and potential future CERT advisory addendums. - -------------------- Solbourne (Grumman) Solbourne 2.5 is not vulnerable. - -------------------- Sony Corporation NEWS-OS 6.0.3 and 6.1 are not vulnerable. - -------------------- Sun Microsystems, Inc. SunOS 5.5 is not vulnerable. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMI/DLNH6sbnW3Io9AQFm0wQAtkcWb404zZRBtmZV3HYKDMNPKvurnHdr SXzeWdVgAKyeqzQji71abntbEmiMyvkQyBINX+oINUHKRs76IS+RKa5qFBS/ER7A KKRi3fKzPEVTVQdMlRXQ8o4+OqknxyNffg0HGU0Yld1boUZ37mYx4nfCepRKAVpT qFQv49Fp3uY= =t3HH -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.