PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: CORRECTION FOR NONSECURE SUNOS FILE DIRECTORY PERMISSIONS (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-04).

1. THE DEFAULT PERMISSIONS ON A NUMBER OF FILES AND DIRECTORIES IN SUNOS 4.1, 4.1.1, 4.1.2, AND 4.1.3 ARE SET INCORRECTLY. THESE PROBLEMS ARE RELEVANT FOR THE SUN3, SUN3X, SUN4, SUN4C, AND SUN4M ARCHITECTURES. THE PROBLEM HAS BEEN CORRECTED IN SUNOS 5.0 (NOTE: SUNOS 5.0 IS THE OPERATING SYSTEM INCLUDED IN THE SOLARIS 2.0 SOFTWARE DISTRIBUTION). AN UPDATED PATCH TO RESET THESE PERMISSIONS IS AVAILABLE FROM SUN. THERE HAVE BEEN NUMEROUS VERIFIED ATTACKS BY INDIVIDUALS EXPLOITING THESE VULNERABILITIES.

2. BACKGROUND: FILE PERMISSIONS ON NUMEROUS FILES WERE SET INCORRECTLY IN THE DISTRIBUTION TAPE OF 4.1.X. A TYPICAL EXAMPLE IS A FILE WHICH SHOULD HAVE BEEN OWNED BY "root" BUT WAS SET TO BE OWNED BY "bin". AS DISTRIBUTED, THE SUNOS CONFIGURATION EXPECTS MOST SYSTEM FILES TO BE OWNED BY "root". THE FACT THAT SOME ARE NOT CREATES SECURITY PROBLEMS. DEPENDING ON THE SPECIFIC CONFIGURATION OF THE LOCAL SITE, THE DEFAULT PERMISSIONS MAY ALLOW LOCAL USERS TO GAIN "root" ACCESS. THEREFORE, SITES THAT ARE RUNNING THE SUNOS VERSIONS LISTED ABOVE AS DISTRIBUTED MUST INSTALL THE PATCH DESCRIBED BELOW.

3. SUN HAS PROVIDED A SCRIPT TO RESET FILE AND DIRECTORY PERMISSIONS TO THE CORRECT SETTINGS. THE SCRIPT IS AVAILABLE IN SUN'S PATCH #100103 VERSION 11. THIS PATCH CAN BE OBTAINED VIA LOCAL SUN ANSWER CENTERS WORLDWIDE AS WELL AS THROUGH ANONYMOUS FTP FROM THE ftp.uu.net (137.39.1.9) SYSTEM IN THE /systems/sun/sun-dist DIRECTORY.

   PATCH ID     FILENAME           CHECKSUM
   100103-11    100103-11.tar.Z    19847 6

   PLEASE NOTE THAT SUN MICROSYSTEMS SOMETIMES UPDATES PATCH FILES. IF YOU FIND THAT THE CHECKSUM IS DIFFERENT, PLEASE CONTACT SUN MICROSYSTEMS FOR VERIFICATION.

4. SOLUTION: UNCOMPRESS THE FILE, EXTRACT THE CONTENTS OF THE TAR ARCHIVE, AND REVIEW THE README FILE.

   % uncompress 100103-11.tar.Z
   % tar xfv 100103-11.tar
   % cat README

   THIS PATCH WILL RESET THE GROUP OWNERSHIP OF CERTAIN FILES TO EITHER "staff" OR "bin". MAKE SURE YOU HAVE ENTRIES IN THE /etc/group FILE FOR THESE GROUPS.

   % grep '^staff:' /etc/group
   % grep '^bin:' /etc/group

   IF YOU DO NOT HAVE BOTH OF THESE, YOU WILL NEED TO EITHER ADD THE MISSING GROUP(S) OR MODIFY THE PATCH SCRIPT (4.1secure.sh) TO REFLECT GROUP OWNERSHIPS APPROPRIATE FOR YOUR SITE. (NOTE THAT THE SECURITY PROBLEMS ARE FIXED BY THE OWNERSHIPS AND MODE BITS SPECIFIED IN THE PATCH, NOT BY THE GROUP OWNERSHIPS. THEREFORE, CHANGING THE GROUP OWNERSHIPS DOES NOT INVALIDATE THE PATCH.)

   AS "root", RUN THE PATCH SCRIPT.

   # sh 4.1secure.sh

   THIS PATCH FIXES SUN BUGIDS 1046817, 1047044, 1048142, 1054480, 1037153, 1039292, AND 1042662.

   THE PATCH SCRIPT WILL SET /usr/kvm/crash TO MODE 02700 OWNED BY "root". THE SETGID BIT SHOULD BE REMOVED TO PREVENT ABUSE IF WORLD EXECUTE PERMISSION WERE TO BE ADDED LATER. AS "root", MAKE /usr/kvm/crash NOT A SET-GROUP-ID PROGRAM.

   # chmod 755 /usr/kvm/crash

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/05 OR DSN 226-1924/05. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL".
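The checks an administrator would want around paragraphs 2 and 4 (does each system file carry the expected owner, group and mode; is a given program still set-group-id; do the groups the patch assigns exist), written here as an added example that is not part of the ASSIST bulletin and not Sun's 4.1secure.sh. It reads a manifest of "path owner group mode" lines and reports every deviation, rather than changing anything, so it can be run before and after a patch to confirm what changed. The function names audit_perms, has_setgid and group_exists, the manifest format, and the sample entries in the usage note are my own; the manifest contents are constructed, not the list from patch 100103-11. It assumes GNU stat (the -c format option).

```shell
#!/bin/sh
# Permission audit for a manifest of expected file ownerships and modes.
# Manifest lines: <path> <owner> <group> <octal mode>; blank lines and
# lines starting with '#' are ignored. Assumes GNU stat ("stat -c").

# Strip leading zeros so "0644" and "644", "02700" and "2700" compare equal.
strip_zeros() {
    v=$1
    while [ "${v#0}" != "$v" ] && [ -n "${v#0}" ]; do v=${v#0}; done
    printf '%s' "$v"
}

# audit_perms MANIFEST: print one line per deviation (MISSING, OWNER,
# GROUP or MODE), return 1 if any deviation was found, 0 otherwise.
audit_perms() {
    manifest=$1
    rc=0
    while read -r path owner group mode; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"
            rc=1
            continue
        fi
        # stat %U %G %a -> owner name, group name, octal mode (GNU only)
        set -- $(stat -c '%U %G %a' "$path")
        a_owner=$1; a_group=$2; a_mode=$3
        want_mode=$(strip_zeros "$mode")
        if [ "$a_owner" != "$owner" ]; then
            printf 'OWNER %s expected %s actual %s\n' "$path" "$owner" "$a_owner"; rc=1
        fi
        if [ "$a_group" != "$group" ]; then
            printf 'GROUP %s expected %s actual %s\n' "$path" "$group" "$a_group"; rc=1
        fi
        if [ "$a_mode" != "$want_mode" ]; then
            printf 'MODE %s expected %s actual %s\n' "$path" "$want_mode" "$a_mode"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# has_setgid PATH: true if the set-group-id bit is set (POSIX test -g).
has_setgid() {
    [ -g "$1" ]
}

# group_exists NAME [GROUPFILE]: true if NAME has an entry in the group
# file (default /etc/group), matching the bulletin's grep '^name:' check.
group_exists() {
    grep -q "^$1:" "${2:-/etc/group}"
}

# Stand-alone use: sh audit.sh MANIFEST (exit status 1 on any deviation).
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

A manifest for this bulletin would hold one line per file 4.1secure.sh touches, e.g. `/usr/kvm/crash root staff 0755` after the final chmod step; running `audit_perms` against it shows each file still owned by "bin" or still carrying an unexpected mode, and `has_setgid /usr/kvm/crash` confirms the set-group-id bit is gone. Only the filename, owner, group and mode columns are compared, so site-specific group choices can be reflected by editing the manifest rather than the script.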