PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS U-1,356/DS-SIM {CSG} SUBJ: SUMMARY OF SUNOS SECURITY PATCHES {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-57} 1. THIS MESSAGE CONTAINS A LIST OF ALL SECURITY RELATED PATCHES CURRENTLY AVAILABLE FROM SUN MICROSYSTEMS. THE PATCHES HAVE BEEN GROUPED BY SUNOS VERSION AND ARE DETAILED BELOW. ASSIST RECOMMENDS THE INSTALLATION OF ANY APPLICABLE PATCHES THAT EITHER ARE NOT CURRENTLY PRESENT ON YOUR SYSTEM OR ARE PRESENT IN THE FORM OF AN OLDER VERSION OF THE PATCH. THE PATCHES ARE AVAILABLE BOTH THROUGH YOUR LOCAL SUN ANSWER CENTER AND ANONYMOUS FTP. IN THE U.S., FTP TO FTP.UU.NET AND RETRIEVE THE PATCHES FROM THE DIRECTORY {TILDA}FTP/SYSTEMS/SUN/SUN-DIST. IN EUROPE, FTP TO MCSUN.EU.NET AND RETRIEVE THE PATCHES FROM THE {TILDA}FTP/SUN/FIXES DIRECTORY. THE PATCHES ARE CONTAINED IN COMPRESSED TARFILES WITH FILENAMES BASED ON THE ID NUMBER OF THE PATCH {E.G. PATCH 100085-03 IS CONTAINED IN THE FILE 100085-03.TAR.Z}, AND MUST BE RETRIEVED USING FTP'S BINARY TRANSFER MODE. 2. AFTER OBTAINING THE PATCHES, COMPUTE THE CHECKSUM OF EACH COMPRESSED TARFILE AND COMPARE WITH THE VALUES INDICATED BELOW. FOR EXAMPLE, THE COMMAND "SUM 100085-03.TAR.Z" SHOULD PRODUCE THE VALUE 44177 740. PLEASE NOTE THAT SUN MICROSYSTEMS OCCASIONALLY UPDATES PATCH FILES, RESULTING IN A CHANGED CHECKSUM. IF YOU SHOULD FIND A CHECKSUM THAT DIFFERS FROM THOSE LISTED BELOW, PLEASE CONTACT SUN MICROSYSTEMS BEFORE USING THE PATCH. THE PATCHES MUST BE EXTRACTED FROM THE COMPRESSED TARFILES USING THE COMMANDS UNCOMPRESS AND TAR {E.G. TO EXTRACT PATCH 100085-03, EXECUTE THE COMMANDS "UNCOMPRESS 100085-03.TAR.Z" AND "TAR -XVF 100085-03.TAR"}. 3. AS MULTIPLE PATCHES MAY AFFECT THE SAME FILES, IT IS RECOMMENDED THAT PATCHES BE INSTALLED CHRONOLOGICALLY BY REVISION DATE, WITH THE EXCEPTION OF PATCHES FOR WHICH AN EXPLICIT ORDER IS SPECIFIED. TO INSTALL A PATCH ON YOUR SYSTEM, FOLLOW THE INSTRUCTIONS CONTAINED IN THE README FILE WHICH ACCOMPANIES THE PATCH. 4. THE FOLLOWING IS A LIST OF PATCHES CURRENTLY AVAILABLE FROM SUN: SUNOS 4.0.1 AND 4.0.2 PATCH ID LAST REVISED CHECKSUM DESCRIPTION --------- ------------ --------- ------------- 100085-03 5-SEP-90 44177 740 SELECTION{UNDERSCORE}SVC AND RPC CAN BE USED TO VIEW SYSTEM FILES WITHOUT LOGIN PERMISSION SUNOS 4.0.2I PATCH ID LAST REVISED CHECKSUM DESCRIPTION --------- ------------ --------- ------------- 100108-01 22-AUG-90 50309 146 SENDMAIL CAN BE COAXED INTO WRITING A FILE NOT OWNED BY THE SENDER SUNOS 4.0.3 AND 4.0.3C PATCH ID LAST REVISED CHECKSUM DESCRIPTION --------- ------------ --------- ------------- 100224-02 15-JAN-90 39010 223 MAIL AND RMAIL CAN INVOKE ROOT AND UUCP SHELLS {REF. ASSIST BULLETIN 92-13, DTG 242201Z APR 92} 100100-01 30-JUL-90 43821 588 SENDMAIL PERMITS USERS TO RUN PROGRAMS WITH ROOT'S GROUP PRIVILEGES 100101-02 7-AUG-90 42872 34 PTRACE SECURITY HOLE 100085-03 5-SEP-90 44177 740 SELECTION{UNDERSCORE}SVC AND RPC CAN BE USED TO VIEW SYSTEM FILES WITHOUT LOGIN PERMISSION 100184-02 14-DEC-90 06627 33 OPEN WINDOWS 2.0 SV{UNDERSCORE}XV {UNDERSCORE}SEL{UNDERSCORE}SVC AND RPC PERMIT ACCESS TO SYSTEM FILES 100125-05 8-JUL-91 41964 164 TELNET PERMITS PASSWORD CAPTURE {REF. ASSIST BULLETIN 92-45, DTG 222311Z JUN 92} 100383-04 5-FEB-92 42306 113 RDIST CAN BE FORCED TO CREATE SETUID ROOT PROGRAMS {REF. ASSIST BULLETIN 92-11, DTG 242126Z APR 92} SUNOS 4.1 PATCH ID LAST REVISED CHECKSUM DESCRIPTION --------- ------------ --------- ------------- 100224-02 15-JAN-90 39010 223 MAIL AND RMAIL CAN INVOKE ROOT AND UUCP SHELLS {REF. ASSIST BULLETIN 92-13, DTG 242201Z 100101-02 7-AUG-90 42872 34 PTRACE SECURITY HOLE 100085-03 5-SEP-90 44177 740 SELECTION{UNDERSCORE}SVC AND APR 92} RPC CAN BE USED TO VIEW SYSTEM FILES WITHOUT LOGIN PERMISSION 100184-02 14-DEC-90 06627 33 OPEN WINDOWS 2.0 SV{UNDERSCORE}XV {UNDERSCORE}SEL{UNDERSCORE}SVC AND RPC PERMIT ACCESS TO SYSTEM FILES 100187-01 15-DEC-90 27724 139 CONSOLE INPUT AND OUTPUT CAN BE REDIRECTED 100251-01 25-MAR-91 44264 32 EXPRESERVE RACE CONDITION 100121-08 1-APR-91 61464 287 NFS JUMBO PATCH 100201-04 3-JUL-91 24358 169 C2 JUMBO PATCH 100125-05 8-JUL-91 41964 164 TELNET PERMITS PASSWORD CAPTURE {REF. ASSIST BULLETIN 92-45, DTG 222311Z JUN 92} 100103-10 30-SEP-91 26292 7 MANY FILES DISTRIBUTED WITH INCORRECT PERMISSIONS {REF. ASSIST BULLETIN 92-19, DTG 142304Z MAY 92} 100296-02 16-OCT-91 30606 23 RPC.MOUNTD EXPORTS FILE SYSTEMS INCORRECTLY {REF. ASSIST BULLETINS 92-30 DTG 191217 MAY 92 AND 92-37 DTG 182349Z JUN 92} 100383-04 5-FEB-92 42306 113 RDIST CAN BE FORCED TO CREATE SETUID ROOT PROGRAMS {REF. ASSIST BULLETIN 92-11, DTG 242126Z APR 92} 100305-07 3-MAR-92 25894 283 THE LP DAEMON CAN DELETE SYSTEM FILES {REF. ASSIST BULLETIN 92-09, DTG 210029Z APR 92} 100173-08 7-MAY-92 32716 562 NFS JUMBO PATCH {REF. ASSIST BULLETINS 92-30 DTG 191217Z MAY AND 92-56 DTG 281700Z JUL 92} 100377-04 14-MAY-92 14692 311 SENDMAIL SECURITY HOLES {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} 100630-01 18-MAY-92 36269 39 ENVIRONMENT VARIABLES CAN BE USED TO EXPLOIT LOGIN AND SU {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} 100482-02 20-MAY-92 53416 284 YPSERV AND YPXFRD WILL SEND NIS MAPS TO ANYONE {REF. ASSIST BULLETIN 92-39, DTG 190238Z JUN 92} 100567-02 13-JUL-92 23118 13 ICMP REDIRECT MESSAGES CAN BE USED TO MAKE A HOST DROP NETWORK CONNECTIONS {REF. ASSIST BULLETIN 92-56, DTG 281700Z JUL 92} 100376-04 16-JUL-92 12884 100 INTEGER DIVISION ON SPARC CAN ALLOW ROOT ACCESS {REF. ASSIST BULLETINS 92-27 DTG 150330Z MAY 92 AND 92-56 DTG 281700 JUL 92} SUNOS 4.1{UNDERSCORE}PSR{UNDERSCORE}A PATCH ID LAST REVISED CHECKSUM DESCRIPTION --------- ------------ --------- ------------- 100224-02 15-JAN-90 39010 223 MAIL AND RMAIL CAN INVOKE ROOT AND UUCP SHELLS {REF. ASSIST BULLETIN 92-13} DTG 242201Z APR 92} 100184-02 14-DEC-90 06627 33 OPEN WINDOWS 2.0 SV{UNDERSCORE}XV {UNDERSCORE}SEL{UNDERSCORE}SVC AND RPC PERMIT ACCESS TO SYSTEM FILES 100187-01 15-DEC-90 27724 139 CONSOLE INPUT AND OUTPUT CAN BE REDIRECTED 100201-04 3-JUL-91 24358 169 C2 JUMBO PATCH 100296-02 16-OCT-91 30606 23 RPC.MOUNTD EXPORTS FILESYSTEMS INCORRECTLY {REF. ASSIST BULLETINS 92-30 DTG 191217 MAY 92 AND 92-37 DTG 182349Z JUN 92} 100383-04 5-FEB-92 42306 113 RDIST CAN BE FORCED TO CREATE SETUID ROOT PROGRAMS {REF. ASSIST BULLETIN 92-11, DTG 242126Z APR 92} 100305-07 3-MAR-92 25894 283 THE LP DAEMON CAN DELETE SYSTEM FILES {REF. ASSIST BULLETIN 92-09, DTG 210029Z APR 92} 100377-04 14-MAY-92 14692 311 SENDMAIL SECURITY HOLES {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} 100630-01 18-MAY-92 36269 39 ENVIRONMENT VARIABLES CAN BE USED TO EXPLOIT LOGIN AND SU {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} SUNOS 4.1.1 PATCH ID LAST REVISED CHECKSUM DESCRIPTION --------- ------------ --------- ------------- 100224-02 15-JAN-90 39010 223 MAIL AND RMAIL CAN INVOKE ROOT AND UUCP SHELLS {REF. ASSIST BULLETIN 92-13, DTG 242201Z APR 92} 100085-03 5-SEP-90 44177 740 SELECTION{UNDERSCORE}SVC AND RPC CAN BE USED TO VIEW SYSTEM FILES WITHOUT LOGIN PERMISSION 100184-02 14-DEC-90 06627 33 OPEN WINDOWS 2.0 SV{UNDERSCORE}XV {UNDERSCORE}SEL{UNDERSCORE}SVC AND RPC PERMIT ACCESS TO SYSTEM FILES 100251-01 25-MAR-91 44264 32 EXPRESERVE RACE CONDITION 100201-04 3-JUL-91 24358 169 C2 JUMBO PATCH 100125-05 8-JUL-91 41964 164 TELNET PERMITS PASSWORD CAPTURE {REF. ASSIST BULLETIN 92-45, DTG 222311Z JUN 92} 100296-02 16-OCT-91 30606 23 RPC.MOUNTD EXPORTS FILESYSTEMS INCORRECTLY {REF. ASSIST BULLETINS 92-30 DTG 191217 MAY 92 AND 92-37 DTG 182349Z JUN 100103-10 30-SEP-91 26292 7 MANY FILES DISTRIBUTED WITH INCORRECT PERMISSIONS {REF. ASSIST BULLETIN 92-19, DTG 142304Z MAY 92} 100424-01 12-NOV-91 63070 50 NFS WITH FSIRAND HANDLE GUESSING PROBLEMS NOTE: SHOULD ONLY BE APPLIED WITH PATCH 100173-08. NOTE: INCOMPATIBLE WITH ONLINE: DISKSUITE AND BACKUP: COPILOT {REF. ASSIST BULLETINS 92-30 DTG 191217Z MAY 92, 92-32 DTG 231306Z MAY 92, AND 92-56 DTG 281700Z JUL 92} 100448-01 10-DEC-91 02672 5 OPENWINDOWS 3.0 LOADMODULE SECURITY HOLE {REF. ASSIST BULLETIN 92-32, DTG 231306Z MAY 92} 100387-02 3-FEB-92 07868 4400 C2 BUG FIXES AND ENHANCEMENTS, BASIC SECURITY MODULE. NOTE: INCOMPATIBLE WITH PATCH 100201-04 100383-04 5-FEB-92 42306 113 RDIST CAN BE FORCED TO CREATE SETUID ROOT PROGRAMS {REF. ASSIST BULLETIN 92-11, DTG 242126Z APR 92} 100478-01 14-FEB-92 64588 58 OPENWINDOWS 3.0 XLOCK CAN CRASH LEAVING SYSTEM OPEN 100188-02 28-FEB-92 52332 132 TIOCCONS ANS PTY SECURITY HOLES 100305-07 3-MAR-92 25894 283 THE LP DAEMON CAN DELETE SYSTEM FILES {REF. ASSIST BULLETIN 92-09, DTG 210029Z APR 92} 100173-08 7-MAY-92 32716 562 NFS JUMBO PATCH {REF. ASSIST BULLETINS 92-30 DTG 191217Z MAY AND 92-56 DTG 281700Z JUL 92} 100377-04 14-MAY-92 14692 311 SENDMAIL SECURITY HOLES {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} 100630-01 18-MAY-92 36269 39 ENVIRONMENT VARIABLES CAN BE USED TO EXPLOIT LOGIN AND SU {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} 100482-02 20-MAY-92 53416 284 YPSERV AND YPXFRD WILL SEND NIS MAPS TO ANYONE {REF. ASSIST BULLETIN 92-39, DTG 190238Z JUN 92} 100633-01 22-MAY-92 43774 20 ENVIRONMENT VARIABLES CAN BE USED TO EXPLOIT LOGIN AND SU WHEN USING SUN'S ARM PRODUCT {REF. ASSIST BULLETIN 92-56, DTG 281700Z JUL 92} 100567-02 13-JUL-92 23118 13 ICMP REDIRECT MESSAGES CAN BE USED TO MAKE A HOST DROP NETWORK CONNECTIONS {REF. ASSIST BULLETIN 92-56, DTG 281700Z JUL 92} 100376-04 16-JUL-92 12884 100 INTEGER DIVISION ON SPARC CAN ALLOW ROOT ACCESS {REF. ASSIST BULLETINS 92-27 DTG 150330Z MAY 92 AND 92-56 DTG 281700 JUL 92} SUNOS 4.1.2 PATCH ID LAST REVISED CHECKSUM DESCRIPTION --------- ------------ --------- ------------- 100184-02 14-DEC-90 06627 33 OPEN WINDOWS 2.0 SV{UNDERSCORE}XV {UNDERSCORE}SEL{UNDERSCORE}SVC AND RPC PERMIT ACCESS TO SYSTEM FILES 100296-02 16-OCT-91 30606 23 RPC.MOUNTD EXPORTS FILESYSTEMS INCORRECTLY {REF. ASSIST BULLETINS 92-30 DTG 191217 MAY 92 AND 92-37 DTG 182349Z JUN 92} 100448-01 10-DEC-91 02672 5 OPENWINDOWS 3.0 LOADMODULE SECURITY HOLE {REF. ASSIST BULLETIN 92-32, DTG 231306Z MAY 92} 100383-04 5-FEB-92 42306 113 RDIST CAN BE FORCED TO CREATE SETUID ROOT PROGRAMS {REF. ASSIST BULLETIN 92-11, DTG 242126Z APR 92} 100478-01 14-FEB-92 64588 58 OPENWINDOWS 3.0 XLOCK CAN CRASH LEAVING SYSTEM OPEN 100188-02 28-FEB-92 52332 132 TIOCCONS ANS PTY SECURITY HOLES 100564-01 1-APR-92 29774 415 C2 JUMBO PATCH 100305-07 3-MAR-92 25894 283 THE LP DAEMON CAN DELETE SYSTEM FILES {REF. ASSIST BULLETIN 92-09, DTG 210029Z APR 92} 100173-08 7-MAY-92 32716 562 NFS JUMBO PATCH {REF. ASSIST BULLETINS 92-30 DTG 191217Z MAY AND 92-56 DTG 281700Z JUL 92} 100377-04 14-MAY-92 14692 311 SENDMAIL SECURITY HOLES {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} 100630-01 18-MAY-92 36269 39 ENVIRONMENT VARIABLES CAN BE USED TO EXPLOIT LOGIN AND SU {REF. ASSIST BULLETIN 92-36, DTG 190718Z JUN 92} 100482-02 20-MAY-92 53416 284 YPSERV AND YPXFRD WILL SEND NIS MAPS TO ANYONE {REF. ASSIST BULLETIN 92-39, DTG 190238Z JUN 92} 100633-01 22-MAY-92 43774 20 ENVIRONMENT VARIABLES CAN BE USED TO EXPLOIT LOGIN AND SU WHEN USING SUN'S ARM PRODUCT {REF. ASSIST BULLETIN 92-56, DTG 281700Z JUL 92} 100567-02 13-JUL-92 23118 13 ICMP REDIRECT MESSAGES CAN BE USED TO MAKE A HOST DROP NETWORK CONNECTIONS {REF. ASSIST BULLETIN 92-56, DTG 281700Z JUL 92} 100376-04 16-JUL-92 12884 100 INTEGER DIVISION ON SPARC CAN ALLOW ROOT ACCESS {REF. ASSIST BULLETINS 92-27 DTG 150330Z MAY 92 AND 92-56 DTG 281700 JUL 92} 5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."