Does anyone knows why the README of patch 106787-02 do not refer at all this bug? It correct incorrect 666 mode and unnecessary msg to console... Does 106787-02 really correct this problem??? At 02:47 PM 11/2/98 -0800, someone using X-Force's login wrote: >-----BEGIN PGP SIGNED MESSAGE----- > > >ISS Security Advisory >November 2nd, 1998 > >Hidden community string in SNMP implementation > >Synopsis: > >Internet Security System (ISS) X-Force has discovered a serious vulnerability >in Sun Microsystems Solstice Enterprise Agent and the Solaris operating system. >This vulnerability allows attackers to execute arbitrary commands with root >privileges, manipulate system parameters and kill processes. > >Affected Systems: > >ISS X-Force has discovered that this vulnerability is present on the Solaris >Operating System version 2.6. Earlier versions are vulnerable. Solaris 2.7 >beta is also not vulnerable. > >Fix Information: > >Sun has made the following patch available: > >106787-02: Solaris 5.6 > >Many administrators have no need for host based SNMP agents. Administrators >can disable the SNMP daemons temporarily by executing the following commands: > ># /etc/init.d/init.snmpdx stop ># mv /etc/rc3.d/S76snmpdx /etc/rc3.d/DISABLED_S76snmpdx > >Description: > >The vulnerabilities are present in the SNMP daemons shipping with Solaris 2.6. >Solaris 2.6 is configured by default to support SNMP. A hidden and >undocumented community string is present in the SNMP subagent which may allow >remote attackers change most system parameters. Remote attackers may kill any >process, update routes, potentially sidestep firewalls or disable network >interfaces. Most notably, attackers may indirectly execute arbitrary commands >with superuser privileges. > >This vulnerability is compounded by the fact that these SNMP daemons are >configured and executed by default. Attackers do not need local access to the >target host to exploit this vulnerability. > >Additional Information: > >ISS Internet Scanner and ISS RealSecure real-time intrusion detection software >have the capability to detect these vulnerabilities. > >- ---------- > >Copyright (c) 1998 by Internet Security Systems, Inc. > >Permission is hereby granted for the redistribution of this alert >electronically. It is not to be edited in any way without express consent >of X-Force. If you wish to reprint the whole or any part of this alert in >any other medium excluding electronic medium, please e-mail xforceat_private >for permission. > >Disclaimer >The information within this paper may change without notice. Use of this >information constitutes acceptance for use in an AS IS condition. There are >NO warranties with regard to this information. In no event shall the author >be liable for any damages whatsoever arising out of or in connection with >the use or spread of this information. Any use of this information is at >the user's own risk. > >X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as >well as on MIT's PGP key server and PGP.com's key server. > >X-Force Vulnerability and Threat Database: http://www.iss.net/xforce > >Please send suggestions, updates, and comments to: >X-Force <xforceat_private> of Internet Security Systems, Inc. > > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.3a >Charset: noconv > >iQCVAwUBNj4p8TRfJiV99eG9AQEABAQAoiiMDK/lRoYk9OmVvQjPe3asJ+++foIR >6U41EtCXF4R38po2GtBeIA8C2XCgAEzbs+dfawJJx2emgecuJSIMrg0byhPesgxn >jgAtL/j3k7R2rf+Qp6pIwgJ6pWQiF86H812HwUVbOaE+BBfyUPpxlPWtNrGVFqcb >Rs6dobk2GZg= >=XX5W >-----END PGP SIGNATURE----- - jean -
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:09 PDT