Sun Solaris login bug patches out

From: James Lick (jlickat_private)
Date: Fri Dec 14 2001 - 13:24:31 PST

    On Fri, 14 Dec 2001, James Lick wrote:
    > For the login security bug recently announced by CERT, is there any way to
    > fix this currently without turning off telnet and rlogin?  Much as I'd
    > like to take this opportunity to force everyone to use ssh, I can't.  I
    > also don't have support so no t-patches for me.
    
    I got several replies which I'd like to summarize, as not all were cc'd
    to the list.
      
    1) The best solution, Sun has released patches today for this bug.  Frank
    Pellegrino replied with the most complete list:
    
      111085-02 SunOS 5.8: /usr/bin/login patch
      111086-02 SunOS 5.8_x86: /usr/bin/login patch
      112300-01 SunOS 5.7:: usr/bin/login Patch
      112301-01 SunOS 5.7_x86:: usr/bin/login Patch
      105665-04 SunOS 5.6: /usr/bin/login patch
      105666-04 SunOS 5.6_x86: /usr/bin/login patch
      106160-02 SunOS 5.5.1: /usr/bin/login patch
    
    (There doesn't appear to be a 5.5.1_x86 patch.)
    
    Patches are available by ftp from ftp://sunsolve1.sun.com/pub/patches/
    
    Several others replied along the same lines, but Frank's reply was most
    complete.
    
    2) Reg Quinton has written a wrapper to login which he believes will
    block an exploit: http://ist.uwaterloo.ca/~reggers/drafts/login.wrapper
      
    3) Several people replied that I should only use ssh, even though I said
    this wasn't an option.  Also ssh versions have had numerous security
    patches in the last year, so it's not clear how much better ssh is
    overall.  (Mark Addy did include something interesting though, his site
    uses a web-based ssh tool: http://tiger.towson.edu/ssh)
      
    4) Ben Tetu-Pappas pointed out that some versions of ssh may still use
    login, depending on the way it is compiled or configured, so turning off
    telnet and rlogin might not even solve the problem.  So even if you only
    run ssh, you should probably install the above patches anyways.
    
    5) Several people suggested using tcp wrappers.  Some seemed to imply that
    this alone would solve the problem, which I don't believe is true.  Others
    suggested using this to limit exposure by only allowing in certain hosts.
    I already use tcp wrappers, but am unable to restrict access to certain
    hosts or addresses.
      
    6) Support <supportat_private> sent me a copy of the badtrans virus 
    in reply.  I would have thought people on this list would be smart enough
    to at least run anti-virus software on their peecees.
    
    Thanks for all the help!
    
    ---- James Lick ---- jlickat_private ---- http://drivel.com/ ----
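
Added example (not part of the original message and not Sun's own tooling): a POSIX shell check that compares `showrev -p` output against the patch list in item 1 and reports whether the login patch for the host's release is installed. It assumes each installed patch appears as a line starting "Patch: NNNNNN-RR" and that `uname -p` reports sparc or i386; the sample output is constructed.

```shell
#!/bin/sh
# Needs a POSIX shell and awk (on Solaris: /usr/xpg4/bin/sh and nawk).

# Minimum login patch for a SunOS release/architecture, from the list above.
required_login_patch() {
    case "$1/$2" in
        5.8/sparc)   echo 111085-02 ;;
        5.8/i386)    echo 111086-02 ;;
        5.7/sparc)   echo 112300-01 ;;
        5.7/i386)    echo 112301-01 ;;
        5.6/sparc)   echo 105665-04 ;;
        5.6/i386)    echo 105666-04 ;;
        5.5.1/sparc) echo 106160-02 ;;
        *)           return 1 ;;   # not in the list (e.g. 5.5.1 x86)
    esac
}

# login_patch_status RELEASE ARCH SHOWREV_OUTPUT
# Prints: patched | outdated <installed id> | missing <required id> | unknown
login_patch_status() {
    need=$(required_login_patch "$1" "$2") || { echo unknown; return 0; }
    printf '%s\n' "$3" | awk -v base="${need%-*}" -v min="${need#*-}" '
        $1 == "Patch:" {
            split($2, p, "-")            # p[1] = patch base, p[2] = revision
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END {
            if (best == 0)           print "missing " base "-" min
            else if (best < min + 0) print "outdated " base "-" sprintf("%02d", best)
            else                     print "patched"
        }'
}

# Constructed sample of `showrev -p` output (assumed format, not real data).
SAMPLE='Patch: 999999-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 111085-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

login_patch_status 5.8 sparc "$SAMPLE"

# On a live host:
#   login_patch_status "$(uname -r)" "$(uname -p)" "$(showrev -p)"
```

A later revision of the same patch base counts as patched, since the check compares revision numbers rather than matching the exact id.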
    



    This archive was generated by hypermail 2b30 : Sun Dec 16 2001 - 21:06:06 PST