Security: Pete's Wicked World by Peter Galvin

Billions and billions of bugs

What security bugs could affect you? And how can you stomp them out?

SunWorld
March  1996

Abstract
Reports of bugs that affect Solaris systems are coming fast and furious. How can you keep up? Which bugs should you care about? And how can you find the appropriate fixes? This month we survey the current bugs and their solutions. We also take a look at common break-in methods and what can be done to be sure hackers leave your site alone. The basis for our bug-walk is Sun's security cookbook.

Also in Pete's Wicked World this month: a serious bug involving the bind DNS daemon, a jumbo patch for NSKIT V1.2, and a nasty denial-of-service attack to avoid. In the bookstore you'll find a pointer to a nice comparison of network security scanning software. (1,900 words)




Billions and billions of bugs inhabit the earth. Fortunately, most of them stay out of your way. Unfortunately, there are some nasty ones among those that remain. You need to keep an eye on them, and try to stomp them when you get the chance. This is also the case with computer bugs -- they, too, are plentiful, and the nasty ones need to be stomped when encountered. The right pair of boots (in the form of a patch) will help with this task.

Sun has put together a nice collection of security wisdom relating to SunOS and Solaris. Unfortunately, this security cookbook, in the form of a SunSolve Online Security bulletin, is incomplete. We'll review Sun's advice (Solaris only) and fill in the gaps with some lesser-known security hints. In the Bug-of-the-Month club, we continue the discussion with several new, important bugs that currently lack Sun patches.



The security cookbook

If you combine this information with the patches and exposures we've discussed in this and previous columns, your systems will be in a good security state. Combining two secure systems with a firewall will provide you with as safe an environment as possible without overly inconveniencing the users (and causing them to seek workarounds to your security policies).

Bug of the Month Club

bind. Intruders are actively using a hole in bind to inject bogus DNS information, so that DNS returns inaccurate answers. Consider the security implications of not being able to trust DNS. Do you allow rlogin or rtelnet at your site? Most sites do, and most sites place host names in the /.rhosts or /etc/hosts.equiv files to declare systems as trusted. Even worse, by default Solaris (and most other flavors of Unix) allows your users to have their own ~/.rhosts files declaring remote hosts as trustable. Consider that NFS and rdist also use hostnames and IP addresses to authenticate clients...

Any trust that's based on the hostname of a system is also based on its IP address. If the translation between these two is incorrect (or sabotaged), you could end up trusting a host other than the one you expect.

The first step to correcting this situation is to upgrade to bind 4.9.3. Sun has not yet released this new version of bind as a security patch. If you can't afford to wait, download the latest version of bind from the public domain at ftp://ftp.vix.com/pub/bind/release/4.9.3/bind-4.9.3-REL.tar.gz. It also requires a patch, however; find it at ftp://ftp.vix.com/pub/bind/release/4.9.3/Patch1.

Even the latest bind version does not fix all of the security issues of trusting DNS for authentication. My best advice is to be sure you don't allow DNS to do important translations for you. Rather, change the /etc/nsswitch.conf file on Solaris to use the local /etc/hosts file, NIS+, or even NIS before DNS. For more information on the DNS bug and solutions, check out the CERT advisory.
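A quick check for the lookup order recommended above, as an added example that is not part of the original column: it reads an nsswitch.conf on standard input and reports whether dns is consulted before any local source. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the column): audit the hosts: line of an
# nsswitch.conf read on stdin.
# Exit status: 0 = a local source (files, nis, nisplus) is consulted before
# dns, or dns is not used; 1 = dns is consulted first; 2 = no hosts: line.
check_hosts_order() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        $1 == "hosts:" {
            found = 1; order = $0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue         # action item, e.g. [NOTFOUND=return]
                if ($i == "dns") { if (!seen_local) dns_first = 1; break }
                if ($i == "files" || $i == "nis" || $i == "nisplus") seen_local = 1
            }
        }
        END {
            if (!found)    { print "no hosts: entry found"; exit 2 }
            if (dns_first) { print "WEAK: " order; exit 1 }
            print "OK:   " order
        }
    '
}

# Constructed sample lines, not taken from a real system.
printf 'hosts:  dns files\n' | check_hosts_order || true
printf 'hosts:  files nisplus [NOTFOUND=return] dns   # local first\n' | check_hosts_order || true
```

On a live system, run it as `check_hosts_order < /etc/nsswitch.conf`.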

NSKIT. While we're stomping bugs, if you use the NSKIT you'll be interested in Sun patch 103053-01. NSKIT is the NIS server software ported to Solaris. When Solaris was released, it included NIS+ client and server code but only NIS client code. If you used the NIS server, you had to continue running SunOS 4.x. Eventually, Sun's OPCOM group started selling a port of the NIS server, but it had some bugs. Finally, Sun has released NSKIT, the server NIS code, ported to Solaris. It's available on the newly-available migration initiative CDROM. It's free -- get one. This code is unsupported, but seems to work fairly well. Be sure to follow the installation directions!

Denial of service. For those who enjoy a good denial-of-service attack now and again (and who doesn't?), consider the results of establishing a connection between a machine's chargen and echo UDP ports. An infinite stream of bytes, signifying nothing. Entertaining, unless it happens to your server, in which case it's using up all your network and system bandwidth. Best solution: disable the services unless you really need them and use a firewall to disallow chargen and echo connections.

To disable echo and chargen, edit your system's /etc/inetd.conf and comment out the appropriate lines. Next, send a HUP signal to inetd (# kill -HUP process-id, where process-id is the process ID of inetd). While you're there, consider disabling other unnecessary services, including uucp, tftpd, rquotad, rusersd, sprayd, fingerd, systat, netstat, and rexd; rexd especially, because there is no known client that uses it and it does minimal authentication. For more information, see the CERT advisory.
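The inetd.conf edit described above, as an added example that is not part of the original column: one function lists the services from the column's list that are still enabled, or rewrites the file with those entries commented out. The function names, the sample entries, and the mapping of tftpd and fingerd to the inetd.conf service names tftp and finger are assumptions.

```shell
#!/bin/sh
# Added example (not from the column). RISKY holds the services the column
# suggests disabling, spelled as the first field of an inetd.conf entry
# (assumption: tftpd and fingerd appear there as "tftp" and "finger").
RISKY="echo chargen uucp tftp rquotad rusersd sprayd finger systat netstat rexd"

# audit_inetd list : print "service protocol" for each enabled risky entry
# audit_inetd fix  : print the whole file with risky entries commented out
# Both modes read inetd.conf on stdin and write to stdout.
audit_inetd() {
    awk -v risky="$RISKY" -v mode="$1" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { if (mode == "fix") print; next }
        {
            svc = $1; sub(/\/.*/, "", svc)        # RPC entry "rexd/1" -> "rexd"
            if (svc in want) {
                if (mode == "fix") print "#" $0; else print svc, $3
            } else if (mode == "fix") print
        }
    '
}

# Constructed sample entries, not copied from a real system.
sample_inetd_conf() {
    cat <<'EOF'
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen dgram   udp     wait    root    internal
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
rexd/1  tli     rpc/tcp wait    root    /usr/sbin/rpc.rexd      rpc.rexd
EOF
}

echo "Enabled services to review:"
sample_inetd_conf | audit_inetd list
echo "Proposed inetd.conf:"
sample_inetd_conf | audit_inetd fix
```

To use it for real, write `audit_inetd fix < /etc/inetd.conf` to a new file, review the result, install it in place of the original, and send inetd the HUP signal as described above.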

sendmail Bug 1132A-3/2. Guess what? Another sendmail bug. This one involves all versions of sendmail younger than 8.6.10. It allows local and remote users to execute privileged commands. The solution, as usual, is to upgrade to the newest version (currently 8.7.3). For more information, see the CIAC bulletin G-09.

The Bookstore

For interesting reading about the various network security scanners, what they do, and how they compare, check out the on-line review from the February 4th issue of PC Week.

For more information about packet filtering, especially as it relates to the above denial-of-service attacks, check out the CERT technical tip on the subject.

Corrections

We received a note from Frederick Avolio, from Trusted Information Systems (TIS), concerning our coverage of TIS in January's column. He makes three important points to consider if you're using the TIS toolkit:

Thanks for the info, Frederick.




Resources


About the author
Peter Galvin is Chief Technologist for Corporate Technologies, Inc., a Systems Integrator and VAR. He is also Adjunct System Planner for the Computer Science Department at Brown University, a member of the Board of Directors of the Sun User Group, and has been Program Chair for the last four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at peter.galvin@sunworld.com.


[(c) Copyright  Web Publishing Inc., and IDG Communication company]


URL: http://www.sunworld.com/swol-03-1996/swol-03-security.html