1999-10-22-13:45:14 dsiebertat_private:

> Who is vulnerable? As far as I know, all of the new generation
> automounters (the ones that use RPC, support executable maps, and no
> longer have the /tmp_mnt directory) are vulnerable.
[...]
> The vulnerability lets anyone anywhere run anything as root on your
> system. Since it uses RPC, you can't use tcpwrappers to block it or
> filter an extra port or two on your router. Unless you have an
> application level firewall or use the "deny all ; allow these few
> things" type of router rules, you can get hit. Even with a firewall,
> you are still vulnerable to anyone on the inside (I hope you trust
> them!)
[...]
> What can you do? If you are running that new generation automounter,
> unless/until you know for sure you are not vulnerable, I would go back
> to the old generation one immediately (the one that uses /tmp_mnt) That
> one is not vulnerable.

I'd personally recommend a fix related to ``... or use "deny all; allow these few things" type of router rules''.

Run host packet filtering. That at least narrows the attackers down to people on the same machine, which is in many settings (e.g. personal machines with accounts only for the local user) less of a worry.

So use ipchains on Linux or ipfilter on most anything, and set up the host to block all but select, chosen protocols at its interfaces.

These days I set up all Unix systems that way. It's easier than trying to strip them of services, and I can do things like run a stock system without worrying about security holes in "local-only" services like the X font server, all the rpc stuff, etc.

Just another alternative, somewhat less effective (doesn't help against local users) but perhaps, in some settings, less disruptive than trying to go to a different automounter.

-Bennett
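
A default-deny host filter of the kind recommended in the message above, as an added example that is not part of the original post: a shell function that prints an ipchains input ruleset for review before it is loaded. The resolver address 192.0.2.53, the allowed ports and the file name hostfilter.sh are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print a default-deny ipchains input ruleset for one host.
# RESOLVER and the port list are constructed values; adjust them locally.
RESOLVER="${RESOLVER:-192.0.2.53}"   # placeholder DNS server (documentation range)

# gen_rules PORT...  -> ipchains commands on stdout, one per line
gen_rules() {
    # Validate first, so a bad argument never yields a half-written ruleset.
    for port in "$@"; do
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    done
    echo "ipchains -F input"
    echo "ipchains -P input DENY"                   # default: drop everything
    echo "ipchains -A input -i lo -j ACCEPT"        # local RPC clients keep working
    for port in "$@"; do                            # the few chosen TCP services
        echo "ipchains -A input -p tcp -d 0/0 $port -j ACCEPT"
    done
    # ipchains is stateless: admit non-SYN TCP so outbound connections get replies.
    echo "ipchains -A input -p tcp ! -y -j ACCEPT"
    # RPC services also listen on UDP; admit only DNS answers from the resolver.
    echo "ipchains -A input -p udp -s $RESOLVER 53 -j ACCEPT"
    echo "ipchains -A input -p icmp -j ACCEPT"      # keep path-MTU and error messages
    echo "ipchains -A input -l -j DENY"             # log whatever falls through
}

# Usage: sh hostfilter.sh 22 25   (prints the rules; pipe to sh as root to load)
if [ "$#" -gt 0 ]; then gen_rules "$@"; fi
```

Because the portmapper and the dynamically assigned RPC ports never appear in the accept list, they stay reachable only over loopback, which matches the limitation stated in the message: local users are not kept out.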