Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Sun Security Bulletin #00144

From: aleph1 () DFW NET (Aleph One)
Date: Tue, 24 Jun 1997 15:37:48 -0500

-----BEGIN PGP SIGNED MESSAGE-----



- ------------------------------------------------------------------------------
                   Sun Microsystems, Inc. Security Bulletin

Bulletin Number:        #00144
Date:                   June 24 1997
Cross-Ref:              AUSCERT AA 97.18
Title:                  Vulnerability in chkey

- ------------------------------------------------------------------------------
Permission is granted for the redistribution of this Bulletin, so long as
the Bulletin is not edited and is attributed to Sun Microsystems. Portions
may also be excerpted for re-use in other security advisories so long as
proper attribution is included.

Any other use of this information without the express written consent of
Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all
liability for any misuse of this information by any third party.
- ------------------------------------------------------------------------------

1.  Bulletins Topics

    Sun announces the release of patches for Solaris 2.5.1, 2.5, and 2.4,
    (SunOS 5.5.1, 5.5, and 5.4), that relate to a vulnerability in the
    chkey program.

    Sun estimates that the release of a patch for Solaris 2.3 (SunOS 5.3) that
    relate to the same vulnerability will be available within 16 weeks of the
    date of this bulletin.

    Sun strongly recommends that you install the patches listed in section 4
    immediately on systems running SunOS 5.5.1, 5.5, and 5.4. Sun also strongly
    recommends that you install the workaround listed in section 5 immediately
    on systems running SunOS 5.3. Exploit information for chkey is publicly
    available.

2.  Who is Affected

       Vulnerable:      SunOS versions 5.5.1, 5.5.1_x86, 5.5, 5.5_x86,
                                       5.4, 5.4_x86, and 5.3.

       Not vulnerable:  All other supported versions of SunOS

       The vulnerability is fixed in the upcoming release of Solaris.

3.  Understanding the Vulnerability

    The program chkey is used to change a user's secure RPC Diffie-Hellman
    public key and secret key pair. Due to insufficient bounds checking on
    arguments passed to the chkey program, it is possible to overwrite the
    internal data space of chkey while it is executing. As chkey has setuid
    root permissions, this vulnerability may allow non-privileged users to
    gain root access.

4.  Workaround

    Sun recommends, as a workaround, the installation of a wrapper that was
    developed by AUSCERT (see AUSCERT Advisory AA-97.18). AUSCERT maintains an
    FTP service at ftp://ftp/auscert/org.au/pub and a World Wide Web service
    at http://www.auscert.org.au.

5.  List of Patches

    The vulnerability in chkey is fixed by the following patches:

    OS version           Patch ID
    ----------           --------
    SunOS 5.5.1          104968-01
    SunOS 5.5.1_x86      104969-01
    SunOS 5.5            104971-01
    SunOS 5.5_x86        104972-01
    SunOS 5.4            104973-01
    SunOS 5.4_x86        104974-01
    SunOS 5.3            101318-89      (to be released in 16 weeks)

6.  Checksum Table

    The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum),
    SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures
    for the above-mentioned patches that are available from:

        ftp://sunsolve1.sun.com/pub/patches/patches.html

    These checksums may not apply if you obtain patches from your answer
    centers.

File Name         BSD         SVR4         MD5
- ---------------   ---------   ---------    --------------------------------
104968-01.tar.Z   42439 112   58380 224    D468EDAF62453686D9744601BC69B52B
104969-01.tar.Z   29618 112   5311 224     4C6F5D9D18A38BD8B54B76B8137F63BD
104971-01.tar.Z   31970 112   5776 223     34AD0B220C2495B73DBC621D88CF988B
104972-01.tar.Z   49195 112   35168 224    D6CF025F259437335625EF325196F51D
104973-01.tar.Z   64330 115   23425 230    D50F404FC7DB918DB556F38F7DBF8816
104974-01.tar.Z   54484 112   33221 223    42B484654CD4C7F8EB7A9B54BC9061FB

- ------------------------------------------------------------------------------
Sun acknowledges with thanks AUSCERT for their assistance in the preparation
of this bulletin.

Sun and AUSCERT are members of FIRST, the Forum of Incident Response and
Security Teams. For more information about FIRST, visit the FIRST web site at
"http://www.first.org/";.
- ------------------------------------------------------------------------------

APPENDICES

A.  Patches listed in this bulletin are available to all Sun customers via
    World Wide Web at:

        ftp://sunsolve1.sun.com/pub/patches/patches.html

    Customers with Sun support contracts can also obtain patches from local
    Sun answer centers and SunSITEs worldwide.

B.  Sun security bulletins are available via World Wide Web at:

        http://sunsolve1.sun.com/sunsolve/secbulletins

C.  To report or inquire about a security problem with Sun software, contact
    one or more of the following:

        - Your local Sun answer centers
        - Your representative computer security response team, such as CERT
        - Sun Security Coordination Team. Send email to:

                security-alert () sun com

D.  To receive information or subscribe to our CWS (Customer Warning System)
    mailing list, send email to:

                security-alert () sun com

    with a subject line (not body) containing one of the following commands:

        Command         Information Returned/Action Taken
        -------         ---------------------------------

        help            An explanation of how to get information

        key             Sun Security Coordination Team's PGP key

        list            A list of current security topics

        query [topic]   The email is treated as an inquiry and is forwarded to
                        the Security Coordination Team

        report [topic]  The email is treated as a security report and is
                        forwarded to the Security Coordinaton Team. Please
                        encrypt sensitive mail using Sun Security Coordination
                        Team's PGP key

        send topic      A short status summary or bulletin. For example, to
                        retrieve a Security Bulletin #00138, supply the
                        following in the subject line (not body):

                                send #138

        subscribe       Sender is added to our mailing list.  To subscribe,
                        supply the following in the subject line (not body):

                                subscribe cws your-email-address

                        Note that your-email-address should be substituted
                        by your email address.

        unsubscribe     Sender is removed from the CWS mailing list.
- ------------------------------------------------------------------------------





-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM67/brdzzzOFBFjJAQEU/wP+MVGE3IZGAcnxmR6sQmQTNTD9XxNA4WsF
65F8AkzCrIoFYcFlV++ve5R6v7nUrFqlwG3j4qYLOesNHk0UeA6SVBd7pDcI6m3W
o6thrvSwHzxVlFn5IWfq75ZTgRYJ/FSN0QtLq8iNdOJBgrvWtcIVISSuO0I6AZvf
tV6SvZm/tAA=
=ImCM
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: