=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : CERT-NL (Don Stikvoort) Index : S-94-12 Distribution : World Page : 1 Classification: External Version: Final Subject : SUN Solaris 2.3 "automountd" vulnerability Date : 11-May-94 =============================================================================== By courtesy of SUN Microsystems CERT-NL received information about a vulnerability in "automountd" on SUN systems running Solaris 2.3 which can lead to unauthorized root access. Below problem and solution are described. If this applies to your situation we advise to install the patch involved. (The text below is a slightly abridged version of Sun's bulletin #00127a of 5 May 1994, which itself is a corrected version of #00127 - not previously sent out by CERT-NL) =============================================================================== BULLETIN TOPICS I. Announcement of patch for Solaris 2.3 "automountd" vulnerability II. Patch Table III. Checksum Table APPENDICES A. How to obtain Sun security patches B. How to report or inquire about Sun security problems C. How to obtain Sun security bulletins ----------- I. Announcement of patches for Solaris 2.3 "automountd" vulnerability Patch 101329-15 fixes a bug in the Solaris 2.3 version of automountd which allows a user with an unprivileged account on a 2.3 system to gain root access. No reports of this vulnerability being exploited have yet come to the attention of this office. We nevertheless recommend that all affected customers close this very serious security hole. The automountd fix is bundled into the Solaris 2.3 jumbo NIS+ patch. The first version of the patch to contain the security fix was 101329-10; but we recommend the installation of the latest version (currently 101329-15). This bug is not found in any other SunOS version, including Solaris x86. The fix has been integrated into the upcoming Solaris 2.4 release. II. Patch Table In the patch table we show the patch number and file name for the compressed tar file containing the NIS+ jumbo patch. Software Patch ID Patch File Name -------- --------- --------------- NIS+ 101329-15 101329-15.tar.Z III. Checksum Table In the checksum table we show the BSD and SVR4 checksums and MD5 digital signatures for the compressed tar archive, which contains the entire patch package. File BSD SVR4 MD5 Name Checksum Checksum Digital Signature --------------- --------- ---------- -------------------------------- 101329-15.tar.Z 55492 843 46189 1685 19AA042484727A5DE9CB21199858071A The checksums shown above are from the BSD-based checksum (on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version on Solaris 2.x (/usr/bin/sum). APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain the patches listed here--and all other Sun security patches--from: - Local Sun answer centers, worldwide - SunSolve Online Please refer to the bug ID and patch ID when requesting patches from Sun answer centers. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Sun also makes its security patches available to customers who do not have a support contract, via anonymous ftp: (ftp.uu.net and ftp.eu.net) FULLY MIRRORED BY CERT-NL ON ftp.nic.surfnet.nl IN DIRECTORY surfnet/net-security/cert-nl/patches/sun-fixes ( FTP archive also gopherable via gopher.nic.surfnet.nl ) 3. About the checksums Patches announced in a Sun security bulletin are uploaded to the ftp sites just before the bulletin is released, and seldom updated. In contrast, the "supported" patch databases are refreshed nightly, and will often contain newer versions of a patch incorporating changes which are not security-related. So that you can quickly verify the integrity of the patch files themselves, we supply checksums for the tar archives in each bulletin. The listed checksums should always match those on the ftp systems. (The rare exceptions are listed in the "checksums" file there.) Normally, the listed checksums will also match the patches on the SunSolve database. However, this will not be true if we have changed (as we sometimes do) the README file in the patch after the bulletin has been released. If would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. B. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, CERT-NL - This office. Address postal mail to: Sun Security Coordinator MS MPK2-04 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-688-9081 Fax: 415-688-9101 E-mail: security-alert@Sun.COM We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. C. How to obtain Sun security bulletins 1. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To subscribe to this bulletin series, send mail to the address "security-alert@Sun.COM" with the subject "subscribe CWS your-mail-address" and a message body containing affiliation and contact information. To request that your name be removed from the mailing list, send mail to the same address with the subject "unsubscribe CWS your-mail-address". Do not include other requests or reports in a subscription message. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. 2. Obtaining old bulletins Sun Security Bulletins are archived on ftp.uu.net (in the same directory as the patches) and on SunSolve. Please try these sources first before contacting this office for old bulletins. MIRRORED BY CERT-NL JUST LIKE THE PATCHES. ------------ ============================================================================== CERT-NL is the Computer Emergency Response Team, located in The Netherlands. CERT-NL is a Full Member of the Forum of Incident Response and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet connected institutions. Past CERT-NL Security Bulletins and other CERT-NL related material can be found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl" [192.87.46.3], in the directory "surfnet/net-security/cert-nl/docs/bulletin". This information is also available using email. Send an email saying "help" to "mailserv@nic.surfnet.nl". In case of computer or network security problems please contact CERT-NL or the CERT of your own constituency. Please be aware of the fact that we are one (when DST is in effect two) hour(s) ahead of Universal Time Coordinated (i.e. UTC+0100 (UTC+0200)). Email: cert-nl@surfnet.nl Phone: +31 30 310290 Fax: +31 30 340903 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ==============================================================================