PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS U-1,321/DS-SIM SUBJ: MULTIPLE SUNOS VULNERABILITIES PATCHED{AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-56} 1. DISCUSSION: ASSIST HAS RECEIVED INFORMATION CONCERNING SEVERAL VULNERABILITIES IN THE SUN MICROSYSTEMS, INC. {SUN} OPERATING SYSTEM {SUNOS}. THESE VULNERABILITIES AFFECT ALL ARCHITECTURES AND SUPPORTED VERSIONS OF SUNOS INCLUDING 4.1, 4.1.1, AND 4.1.2 ON SUN3, SUN3X, SUN4, SUN4C, AND SUN4M. THIS BULLETIN CONTAINS INFORMATION ABOUT ONE NEW PATCH AND UPGRADES TO THREE EXISTING PATCH FILES. SINCE APPLICATION OF THESE PATCHES INVOLVES REBUILDING YOUR SYSTEM KERNEL FILE {/VMUNIX}, IT IS RECOMMENDED THAT YOU APPLY ALL PATCHES SIMULTANEOUSLY. USE THE PROCEDURE DESCRIBED BELOW TO APPLY THE PATCHES AND REBUILD THE KERNEL. THE PATCHES ARE AVAILABLE THROUGH YOUR LOCAL SUN ANSWER CENTERS WORLDWIDE AS WELL AS THROUGH ANONYMOUS FTP FROM THE FTP.UU.NET {137.39.1.9} SYSTEM {IN THE /SYSTEMS/SUN/SUN-DIST DIRECTORY}. FIX PATCH ID FILENAME CHECKSUM LD ENV VARS {NEW} 100633-01 100633-01.TAR.Z 43774 20 NFS JUMBO {UPGRADE} 100173-08 100173-08.TAR.Z 32716 562 INT MUL/DIV {UPGRADE} 100376-04 100376-04.TAR.Z 12884 100 ICMP REDIRECT{UPGRADE}100567-02 100567-02.TAR.Z 23118 13 PLEASE NOTE THAT SUN MICROSYSTEMS SOMETIMES UPDATES PATCH FILES. IF YOU FIND THAT THE CHECKSUM IS DIFFERENT, PLEASE CONTACT SUN MICROSYSTEMS FOR VERIFICATION. 2. LD ENV VARS PATCH 100633-01, SUNOS 4.1.1, 4.1.2 {INTERNATIONAL VERSION}: THIS PATCH ADDRESSES A VULNERABILITY THAT ALLOWS "LD" ENVIRONMENTAL VARIABLES TO EXPLOIT LOGIN AND SU. A DYNAMICALLY- LINKED PROGRAM THAT IS INVOKED BY A SETUID/SETGID PROGRAM HAS ACCESS TO THE CALLER'S ENVIRONMENTAL VARIABLES. A VULNERABILITY EXISTS IF IF THE UIDS GIDS ARE NOT EQUAL TO THOSE OF THE USER THAT INVOKED THE SETUID/SETGID PROGRAM. 3. NFS JUMBO PATCH 100173-08 UPGRADE, SUNOS 4.1, 4.1.1, 4.1.2, ALL ARCHITECTURES: THE UPGRADE TO THE NFS JUMBO PATCH ADDRESSES A VULNERABILITY THAT ALLOWS AN INTRUDER TO BECOME ROOT USING NFS. THIS VULNERABILITY AFFECTS ALL ARCHITECTURES AND SUPPORTED VERSIONS OF SUNOS. A REMOTE USER MAY EXPLOIT THIS VULNERABILITY TO GAIN ROOT ACCESS. 4. INTEGER MUL/DIV PATCH 100376-04 UPGRADE, SUNOS 4.1, 4.1.1, 4.1.2, SPARC ARCHITECTURES: THE INTEGER MUL/DIV PATCH UPGRADE ADDRESSES AN ADDITIONAL PROBLEM WITH THE INTEGER MULTIPLICATION EMULATION CODE ON SPARC ARCHITECTURES THAT ALLOWS AN INTRUDER TO BECOME ROOT. THIS VULNERABILITY AFFECTS SPARC ARCHITECTURES {SUN4, SUN4C, AND SUN4M} FOR ALL SUPPORTED VERSIONS OF SUNOS {4.1, 4.1.1, AND 4.1.2}. A LOCAL USER MAY EXPLOIT A BUG IN THE EMULATION ROUTINES TO GAIN ROOT ACCESS OR CRASH THE SYSTEM. 5. THE ICMP REDIRECTS PATCH 100567-02 UPGRADE SUNOS 4.1, 4.1.1, 4.1.2, ALL ARCHITECTURES: THE ICMP REDIRECTS PATCH UPGRADE ADDRESSES TWO PROBLEMS IN IP{UNDERSCORE}ICMP.O. THE PATCH CORRECTS A PROBLEM CAUSED BY THE FREEING OF THE SAME MBUF A SECOND TIME WHICH CAUSES MFREE TO PANIC AND ALSO MAKES NETWORKED SYSTEMS MORE RESISTANT TO ATTACKS BASED ON THE SPOOFING OF ICMP MESSAGES. 6. SOLUTION: EXTRACT THE NEW FILES TO BE INSTALLED IN THE KERNEL. INSTALL THE PATCH FILES IN /SYS/`ARCH -K`/OBJ AS DESCRIBED IN THE README FILE INCLUDED IN THE PATCH FILE. BE SURE TO MAKE A BACKUP OF EACH OF THE FILES YOU ARE REPLACING BEFORE MOVING THE PATCHED FILE TO THE /SYS/`ARCH -K`/OBJ DIRECTORY. CONFIG, MAKE AND INSTALL THE NEW KERNEL TO INCLUDE ALL PATCHES DESCRIBED IN THIS ADVISORY APPROPRIATE TO YOUR SYSTEM. REBOOT EACH HOST USING THE APPROPRIATE KERNEL TO ACTIVATE THE PATCHES. REFER TO THE SYSTEMS AND NETWORK ADMINISTRATION MANUAL FOR INSTRUCTIONS ON BUILDING AND CONFIGURING A NEW CUSTOM KERNEL. 7. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."