-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Nico de Koo Index : S-96-65 Distribution : World Page : 1 Classification: External Version: 1 Subject : libc and libnsl vuln. in SUN Solaris Date : 21-Nov-96 =============================================================================== By courtesy of SUN we received information on a vulnerability in the libc and libnsl libraries in Solaris 2.5 and 2.5.1. This information is made publicly available by SUN Security Bulletin #00137, dated 20 Nov 1996. CERT-NL recommends installation of the below mentioned patches. ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00137, 20 Nov 1996 ============================================================================= BULLETIN TOPICS In this bulletin Sun announces the release of security-related patches for Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1). The patches relate to a single problem involving vulnerabilities in both the libc and libnsl libraries. Sun strongly recommends that you install these patches immmediately on every affected system. An exploitation script was publicly released earlier this week for this vulnerability and the script is now widely distributed. Many 2.5 and 2.5.1 systems are therefore currently vulnerable to attack. Earlier versions of SunOS, including 4.1.x, do not have the bug and are not vulnerable. Since the current version (v1.0) of SISS, the Solaris Internet Server Supplement, is based largely on 2.5.1 code, it too is vulnerable. The vulnerability will be fixed in the next version of SISS. Sun acknowledges with thanks the CERT Coordination Center (Carnegie Mellon University), AUSCERT, and Marko Laakso (University of Oulu) for their assistance in the preparation of this bulletin. I. Who is Affected, and What to Do Sun has verified that this vulnerability affects all supported Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1) systems. Earlier versions of SunOS, including 4.1.x, do not have the bug and are not vulnerable. Installing and running the software provided in these patches completely closes the vulnerability. For information about how to obtain these and other Sun patches, see Appendix A. To see which version of SunOS your system is running, use a command such as: % uname -a If your system is running SunOS 5.5 or 5.5.1, it is vulnerable. II. Understanding the Vulnerability If exploited, this vulnerability can be used to gain root access on attacked systems. The attack could be initiated from a remote system. Even penetration through a firewall may be possible, depending upon which services and applications (such as rlogin) are allowed to pass through the firewall. Because this vulnerability is located in two key system libraries, many setuid/setgid system utilities are affected and possibly exploitable. There has been a buffer over-run vulnerability discovered in both the libc and the libnsl libraries under Solaris 2.5/2.5.1. Many setuid and setgid programs, as well as network programs running with root privileges, are dynamically linked against these libraries. This vulnerability has the potential for any program using these libraries, running with root privileges, to be exploited, giving root privileges. III. List of Patches The patches required to close this vulnerability are listed below. A. Solaris 2.x (SunOS 5.x) patches Patches which replace the affected libraries and executables are available for every supported version of SunOS 5.x. OS version Patch ID ---------- --------- SunOS 5.5 103187-09 SunOS 5.5_X86 103188-09 SunOS 5.1.1 103612-06 SunOS 5.5.1_x86 103613-06 SunOS 5.1.1_ppc 103614-06 B. Solaris 1.x (SunOS 4.1.x) patches No patches are needed for SunOS 4.1.x, which is not vulnerable. IV. Checksum Table In the checksum table we show the BSD and SVR4 checksums and MD5 digital signatures for the compressed tar archives. File BSD SVR4 MD5 Name Checksum Checksum Digital Signature - --------------- ----------- --------- -------------------------------- 103187-09.tar.Z 55543 2779 1318 5557 2AF86E9126BB8B0505743D0283C175A6 103188-09.tar.Z 21952 2523 13621 5046 E0455AAC6DF587E9F9EC88082B9613B2 103612-06.tar.Z 29415 2752 38423 5503 56DF3214D8C5CC58C9AC223C9C7ACEBC 103613-06.tar.Z 30698 2501 29921 5002 7E27DF259B595231188D2725E2B6AE59 103614-06.tar.Z 05172 2766 46856 5532 193E63B9C5E2B829D59B1FCBE2E2981F The checksums shown above are from the BSD-based checksum (on 4.1.x, /bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on on SunOS 5.x (/usr/bin/sum). APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain any patches listed in this bulletin (and any other patches--and a list of patches) from: - SunSolve Online - Local Sun answer centers, worldwide - SunSITEs worldwide The patches are available via World Wide Web at http://sunsolve1.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Customers without support contracts may now obtain security patches, "recommended" patches, and patch lists via SunSolve Online. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. The ftp.uu.net and ftp.eu.net sites are no longer supported. 3. About the checksums So that you can quickly verify the integrity of the patch files themselves, we supply in each bulletin checksums for the tar archives. Occasionally, you may find that the listed checksums do not match the patches on the SunSolve or SunSite database. This does not necessarily mean that the patch has been tampered with. More likely, a non-substantive change (such as a revision to the README file) has altered the checksum of the tar file. The SunSolve patch database is refreshed nightly, and will sometimes contain versions of a patch newer than the one on which the checksums were based. In the future we may provide checksum information for the individual components of a patch as well as the compressed archive file. This would allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. In the meantime, if you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== Keywords: gethostbyname, root, libc, libnsl Patchlist: 103187-09, 103188-09, 103612-06, 103613-06, 103614-06 Cross-Ref: ----------- ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00137, 20 Nov 1996 ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBMpRiimL2fnkJN/jpAQETvQQAy3Yur0WHJmtJ8qdlPWm+7HXnc+wWV7B7 UNzXF3Lh//vv4OCKZm+09lDlxYxDye1TFQXS7bKN8MuerFAmybJtjd72A9a1kj9D ba05Y7UomAOfU3gyWsxKn25FHu1FBXjqFd8RXh8rYjE7qiEM2HIIni7kDNzWvcn6 OEhHtkLGt1g= =hPK3 -----END PGP SIGNATURE-----