Billions and billions of bugs
What security bugs could affect you? And how can you stomp them out?
Reports of bugs that affect Solaris systems are coming fast and furious. How can you keep up? Which bugs should you care about? And how can you find the appropriate fixes? This month we survey the current bugs and their solutions. We also take a look at common break-in methods and what can be done to be sure hackers leave your site alone. The basis for our bug-walk is Sun's security cookbook.
Also in Pete's Wicked World this month: a serious bug involving the bind DNS daemon, a jumbo patch for NSKIT V1.2, and a nasty denial-of-service attack to avoid. In the bookstore you'll find a pointer to a nice comparison of network security scanning software. (1,900 words)
Billions and billions of bugs inhabit the earth. Fortunately, most of them stay out of your way. Unfortunately, there are some nasty ones among those that remain. You need to keep an eye on them, and try to stomp them when you get the chance. This is also the case with computer bugs -- they, too, are plentiful, and the nasty ones need to be stomped when encountered. The right pair of boots (in the form of a patch) will help with this task.
Sun has put together a nice collection of security wisdom relating to SunOS and Solaris. Unfortunately, this security cookbook, in the form of a SunSolve Online Security bulletin, is incomplete. We'll review Sun's advice (Solaris only) and fill in the gaps with some lesser-known security hints. In the Bug-of-the-Month club, we continue the discussion with several new, important bugs that currently lack Sun patches.
The security cookbook
- Make sure CONSOLE=/dev/console is in /etc/default/login, so root can log in only at the console. Also, disable root ftp by putting "root" into /etc/ftpusers. (This file should actually be called ftplusers, because it lists the users that can't ftp into the system.)
- Use tcp_wrapper or other protection software to log connection activity and limit possible access.
- Set up NIS clients with ypinit -c. Additionally, the NIS password table should be built from a non-/etc directory that holds a passwd file with the system accounts removed (so they aren't handed out to clients by NIS).
- Keep up with sendmail bugs, and consider running Berkeley sendmail so that you can keep up with the patches.
- If you run tftpd, run it with the option -s /tftpboot to limit the files it can transfer.
- For accounts that should never log in, use /bin/false as the login shell.
- Run eeprom secure=command as root to allow only the "b" and "c" EEPROM commands without a password.
If you combine this information with the patches and exposures we've discussed in this and previous columns, your systems will be in a good security state. Combining two secure systems with a firewall will provide you with as safe an environment as possible without overly inconveniencing the users (and causing them to seek workarounds to your security policies).
Bug of the Month Club
Intruders are actively using a hole in bind to inject bogus DNS information. This bug allows the intruder to make DNS return inaccurate information. Consider the security implications of not being able to trust DNS. Do you allow rtelnet at your site? Most sites do, and most sites place host names in the /.rhosts or similar files to declare systems as trusted. Even worse, by default, Solaris (and most other flavors of Unix) allows your users to have their own ~/.rhosts files declaring remote hosts as trustable. Consider that NFS and rdist also use hostnames and IP addresses to
Any trust that's based on the hostname of a system is also based on its IP address. If the translation between these two is incorrect (or sabotaged), you could end up trusting a host other than the one you expect.
The first step to correcting this situation is to upgrade to bind 4.9.3. Sun has not yet released this new version of bind as a security patch. If you can't afford to wait, download the latest version of bind from the public domain at . It, however, also requires a patch; find it at . Even the latest bind version does not fix all of the security issues of trusting DNS for authentication. My best advice is to be sure you don't allow DNS to do important translations for you. Rather, change the /etc/nsswitch.conf file on Solaris to use the local /etc/hosts file, NIS+, or even NIS before DNS. For more information on the DNS bug and solutions, check out the
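The following audit script is an added example and not code from the column: it checks several of the cookbook items above (console-only root login, root in /etc/ftpusers, tftpd started with -s /tftpboot) together with the nsswitch.conf hosts ordering just recommended. It runs against constructed sample files; the paths are parameters, so the same functions can be pointed at /etc on a live host.

```shell
#!/bin/sh
# Added audit script, not from the column: read-only checks on copies of the
# Solaris files the cookbook names. Each check returns 0 (pass) or 1 (fail);
# paths are parameters, so the functions can be pointed at /etc on a live host.

# Root may log in only at the console: /etc/default/login must carry an
# uncommented CONSOLE=/dev/console line.
console_root_only() {
    grep -q '^CONSOLE=/dev/console[[:space:]]*$' "$1"
}

# Root ftp is disabled when "root" appears as a whole line in /etc/ftpusers.
root_ftp_disabled() {
    grep -qx 'root' "$1"
}

# tftpd, if enabled in inetd.conf at all, must be started with -s /tftpboot.
# Passes when tftp is absent or commented out; fails on an unrestricted tftpd.
tftpd_restricted() {
    active=$(grep -E '^[[:space:]]*tftp[[:space:]]' "$1" || true)
    [ -z "$active" ] && return 0
    printf '%s\n' "$active" | grep -q -- '-s /tftpboot'
}

# Host lookups must not go to DNS first: the hosts: line in nsswitch.conf
# should list files, nis or nisplus ahead of dns.
hosts_not_dns_first() {
    first=$(awk '$1 == "hosts:" { print $2; exit }' "$1")
    [ -n "$first" ] && [ "$first" != "dns" ]
}

# Constructed sample files standing in for a real /etc; prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'CONSOLE=/dev/console\n' > "$d/login"
    printf 'root\nuucp\n' > "$d/ftpusers"
    printf 'tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd\n' > "$d/inetd.bad"
    printf 'hosts: dns files\n' > "$d/nsswitch.bad"
    echo "$d"
}

# One line per check; what to do about a FAIL is up to the administrator.
report() {
    "$@" && echo "PASS: $1 $2" || echo "FAIL: $1 $2"
}
d=$(make_samples)
report console_root_only "$d/login"
report tftpd_restricted "$d/inetd.bad"
report hosts_not_dns_first "$d/nsswitch.bad"
```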
NSKIT
While we're stomping bugs, if you use the NSKIT you'll be interested in Sun patch 103053-01. NSKIT is the NIS server software ported to Solaris. When Solaris was released, NIS+ client and server code was included, but only the NIS client code. If you used the NIS server, you had to continue running SunOS 4.x. Eventually, Sun's OPCOM group started selling a port of the NIS server, but it had some bugs. Finally, Sun has released NSKIT, the server NIS code ported to Solaris. It's available on the newly-available migration initiative CDROM. It's free -- get one. This code is unsupported, but seems to work fairly well. Be sure to follow the installation directions!
Denial of service
For those who enjoy a good denial-of-service attack now and again (and who doesn't?), consider the results of establishing a connection between a machine's ports. An infinite stream of bytes, signifying nothing. Entertaining, unless it happens to your server, in which case it's using up all your network and system bandwidth. Best solution: disable the services unless you really need them, and use a firewall to disallow them. To disable chargen, edit your system /etc/inetd.conf and comment out the appropriate lines. Next, send a HUP signal (kill -HUP process-id) to the process-id of inetd. While you're there, consider disabling other unnecessary services, including rquotad, rusersd, sprayd, fingerd, systat, netstat, and rexd, because there is no known client that uses it and it does minimal authentication. For more information, see the
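The inetd.conf edit just described, as an added example that is not from the column: it comments out the named services in a copy of the file (a constructed sample is built in the script) and reports what is still enabled, leaving the copy into /etc and the kill -HUP of inetd to the administrator.

```shell
#!/bin/sh
# Added example, not from the column: the inetd.conf edit described above,
# done on a copy so it can be reviewed before it replaces /etc/inetd.conf and
# inetd gets its HUP. Names are those in field 1 of inetd.conf (finger for
# fingerd); RPC entries such as rquotad/1 are matched by their base name.

# active_services CONF: print the enabled service names, sorted, on one line.
active_services() {
    awk '$0 !~ /^[ \t]*#/ && NF > 0 { sub("/.*", "", $1); print $1 }' "$1" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# disable_services CONF SERVICE...: write CONF.new with every enabled line for
# the named services (tcp and udp alike) commented out; other lines unchanged.
disable_services() {
    conf=$1; shift
    names=$(printf '%s|' "$@" | sed 's/|$//')
    awk -v re="^(${names})(/|\$)" '
        $0 !~ /^[ \t]*#/ && $1 ~ re { print "#" $0; next }
        { print }' "$conf" > "$conf.new"
}

# Constructed sample in Solaris 2.x inetd.conf layout; prints its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
ftp     stream tcp nowait root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream tcp nowait root   /usr/sbin/in.telnetd  in.telnetd
echo    stream tcp nowait root   internal
echo    dgram  udp wait   root   internal
chargen stream tcp nowait root   internal
chargen dgram  udp wait   root   internal
finger  stream tcp nowait nobody /usr/sbin/in.fingerd  in.fingerd
rquotad/1 tli  rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
EOF
    echo "$f"
}

conf=$(make_sample_conf)
echo "before: $(active_services "$conf")"
disable_services "$conf" echo chargen finger rquotad
echo "after:  $(active_services "$conf.new")"
# On a real system: copy inetd.conf.new over /etc/inetd.conf, then
# kill -HUP the inetd process-id so it rereads the file.
```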
sendmail Bug 1132A-3/2.
Guess what? Another sendmail bug. This one involves all sendmail versions younger than 8.6.10. It allows local and remote users to execute privileged commands. The solution, as usual, is to upgrade to the newest version (currently 8.7.3). For more information, see the CIAC bulletin G-09.
For interesting reading about the various network security scanners, what they do, and how they compare, check out the on-line review from the February 4th issue of PC Week.
For more information about packet filtering, especially as it relates to the above denial-of-service attacks, check out the CERT technical tip on the subject.
We received a note from Frederick Avolio, from Trusted Information Systems (TIS), concerning our coverage of TIS in January's column. He makes three important points to consider if you're using the TIS toolkit:
- make at the Unix prompt.
Thanks for the info, Frederick.
inetd: CERT advisory CA-96.01, ftp://info.cert.org/pub/cert_advisories/CA-96.01.README
sendmail: CIAC bulletin G-09, http://ciac.llnl.gov/ciac/bulletins/g-09b.shtml
About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at firstname.lastname@example.org.