Published:
29 April 1997
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-97.053 -- SUN Security Bulletin #00139
30 April 1997
===========================================================================
Sun Microsystems has released the following security bulletin giving patch
information which addresses a vulnerability in the pluggable authentication
module (PAM). This vulnerability may allow local users to gain root access.
This bulletin addresses the vulnerability previously described in the
AUSCERT Advisory AA-97.09 - Solaris 2.x passwd buffer Overrun Vulnerability.
The following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
Contact information for Sun Microsystems is included in the Security
Bulletin below. If you have any questions or need further information,
please contact them directly.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
=============================================================================
SUN MICROSYSTEMS SECURITY BULLETIN: #00139, 29 APRIL 1997
=============================================================================
BULLETIN TOPICS
Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and
Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the pluggable
authentication module (PAM), which can result in root access if exploited.
The nispasswd, yppasswd, and passwd programs use PAM in these OS releases.
Sun estimates that the release of patches for Solaris 2.4 (SunOS 5.4) and
Solaris 2.3 (SunOS 5.3) that relate to the same vulnerability will be
available within 5 weeks and 6 weeks respectively of the date of this bulletin.
In Solaris 2.4 and 2.3, the passwd programs use unix_scheme instead of PAM.
Sun strongly recommends that you install these patches immediately on
every affected system. Exploit information is publicly available.
I. Who is Affected, and What to Do
II. Understanding the Vulnerabilities
III. List of Patches
IV. Checksum Table
APPENDICES
A. How to obtain Sun security patches
B. How to report or inquire about Sun security problems
C. How to obtain Sun security bulletins or short status updates
Sun acknowledges with thanks the CERT Coordination Center (Carnegie
Mellon University) and AUSCERT for their assistance in the preparation of
this bulletin.
Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident
Response and Security Teams. For more information about FIRST, visit
the FIRST web site at "http://www.first.org/".
Cross-Ref: AUSCERT AA-97.09
-----------
Permission is granted for the redistribution of this Bulletin, so long
as the Bulletin is not edited and is attributed to Sun Microsystems.
Portions may also be excerpted for re-use in other security advisories
so long as proper attribution is included.
Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.
=============================================================================
SUN MICROSYSTEMS SECURITY BULLETIN: #00139, 29 APRIL 1997
=============================================================================
I. Who is Affected, and What to Do
SunOS versions 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, and 5.3
are vulnerable.
SunOS versions 4.1.4 and 4.1.3_U1 are not vulnerable.
Install the patches listed in III. for SunOS versions 5.5.1, 5.5.1_x86,
5.5, and 5.5_x86.
Sun estimates that patches for SunOS versions 5.4 and 5.4_x86 will
be released within 5 weeks from the date of this bulletin. Sun also
estimates that patches for SunOS version 5.3 will be released within 6
weeks from the date of this bulletin. In the meantime, Sun recommends, as
a workaround, the installation of a passwd wrapper that was developed by
AUSCERT (see AUSCERT Advisory AA-97.09). AUSCERT maintains an anonymous
FTP service at ftp://ftp.auscert.org.au/pub/ and a World Wide Web service
at http://www.auscert.org.au/.
The same vulnerability has been fixed in the upcoming release of Solaris.
II. Understanding the Vulnerability
Due to insufficient bounds checking on arguments in PAM (5.5.1 and 5.5) and
unix_scheme (5.4 and 5.3), it is possible to overwrite the internal stack space
of the passwd program. If exploited, this vulnerability can be used to gain
root access on attacked systems.
Under SunOS 5.5.1 and 5.5, yppasswd and nispasswd are hard links to the passwd
program and therefore are also vulnerable. Under SunOS 5.4 and 5.3, passwd,
yppasswd, and nispasswd are separate programs but they dynamically link
unix_scheme and are affected.
III. List of Patches
The vulnerabilities relating to passwd in PAM and unix_scheme are fixed by
the following patches:
OS version Patch ID
---------- --------
SunOS 5.5.1 104433-03
SunOS 5.5.1_x86 104434-02
SunOS 5.5 103178-03
SunOS 5.5_x86 103179-03
SunOS 5.4 101945-49 (to be released in 5 weeks)
SunOS 5.4_x86 101946-43 (to be released in 5 weeks)
SunOS 5.3 101318-87 (to be released in 6 weeks)
IV. Checksum Table
In the table below, we show the BSD checksums (SunOS 4.1.x: /bin/sum;
SunOS 5.x: /usr/ucb/sum), SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the
MD5 digital signatures for the compressed tar files.
File BSD SVR4 MD5
Name Checksum Checksum Digital Signature
- --------------- --------- --------- --------------------------------
104433-03.tar.Z 38148 225 11004 449 80C625D86DBFA06C107956EB4BD8126A
104434-02.tar.Z 22283 142 51656 284 4079E48BB8BA929F99EFE4D38877B023
103178-03.tar.Z 11476 212 51066 423 74547F3FDF850FAAF6B02176CF146AA4
103179-03.tar.Z 55629 192 1250 384 CA11D05845116F62FCC8DDCC6EDBCB2B
APPENDICES
A. How to obtain Sun security patches
1. If you have a support contract
Customers with Sun support contracts can obtain any patches listed
in this bulletin (and any other patches--and a list of patches) from:
- SunSolve Online
- Local Sun answer centers, worldwide
- SunSITEs worldwide
The patches are available via World Wide Web at http://sunsolve.sun.com.
You should also contact your answer center if you have a support
contract and:
- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready
2. If you do not have a support contract
Customers without support contracts may now obtain security patches,
"recommended" patches, and patch lists via SunSolve Online.
Sun does not furnish patches to any external distribution sites
other than the ones mentioned here. The ftp.uu.net and ftp.eu.net
sites are no longer supported.
3. About the checksums
So that you can quickly verify the integrity of the patch files
themselves, we supply in each bulletin checksums for the tar archives.
Occasionally, you may find that the listed checksums do not match
the patches on the SunSolve or SunSite database. This does not
necessarily mean that the patch has been tampered with. More likely,
a non-substantive change (such as a revision to the README file)
has altered the checksum of the tar file. The SunSolve patch database
is refreshed nightly, and will sometimes contain versions of a patch
newer than the one on which the checksums were based.
In the future we may provide checksum information for the
individual components of a patch as well as the compressed archive
file. This would allow customers to determine, if need be, which
file(s) have been changed since we issued the bulletin containing
the checksums.
In the meantime, if you would like assistance in verifying the
integrity of a patch file please contact this office or your local
answer center.
B. How to report or inquire about Sun security problems
If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK17-103
2550 Garcia Avenue
Mountain View, CA 94043-1100
Email: security-alert@sun.com
We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.
C. How to obtain Sun security bulletins or short status updates
1. Subscription information
Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.
To receive information or to subscribe or unsubscribe from our
mailing list, send mail to security-alert@sun.com with a subject
line containing one of the following commands.
Subject Information Returned/Action Taken
------- ---------------------------------
HELP An explanation of how to get information
LIST A list of current security topics
QUERY [topic] The mail containing the question is relayed to
a Security Coordinator for a response.
REPORT [topic] The mail containing the text is treated as a
security bug report and forwarded to a Security
Coordinator for handling. Please note that this
channel of communications does not supersede
the use of Sun Solution Centers for this
purpose. Note also that we do not recommend
that detailed problem descriptions be sent in
plain text.
SEND topic Summary of the status of selected topic. (To
retrieve a Sun Security Bulletin, supply the
number of the bulletin, as in "SEND #103".)
SUBSCRIBE Sender is added to the CWS (Customer
Warning System) list. The subscribe feature
requires that the sender include on the subject
line the word "cws" and the reply email
address. So the subject line might look like
the following:
SUBSCRIBE cws your-email-address
UNSUBSCRIBE Sender is removed from the CWS list.
Should your email not fit into one of the above subjects, a help
message will be returned to you.
Due to the volume of subscription requests we receive, we cannot
guarantee to acknowledge requests. Please contact this office if
you wish to verify that your subscription request was received, or
if you would like your bulletin delivered via postal mail or fax.
2. Obtaining old bulletins
Sun Security Bulletins are available via the security-alert alias
and on SunSolve. Please try these sources first before contacting
this office for old bulletins.
----------
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM2cPnCh9+71yA2DNAQFpZQP/eYIOvZoUjtHaLgag1U/qusICLAFqvMMQ
T5wT8+xk6NBOF9lBcT5tlX6yNJq0fMCnCt+seqksgh4ZbcVNioG2CEj+NaSvbY4/
SshGZZ8VDNWOqu1foHWDxmIumIj0f5oFK6NFXf1ZqGIHxYI5zloOoUAfjvvCIBUZ
dBcGXfvsXWE=
=GXfa
-----END PGP SIGNATURE-----