-----Original Message-----
From: brvarin@private [mailto:brvarin@private]
Sent: Friday, June 07, 2002 8:26 AM
To: 'crime@private'
Subject: CRIME Counterpane Internet Security Vulnerability Alert: Root Compromise Vulnerabilities found in Solaris SNMP components

Counterpane Internet Security Vulnerability Alert
Root Compromise Vulnerabilities found in Solaris SNMP components

Summary

Newly-discovered vulnerabilities in two components of Sun Solaris' SNMP implementation permit local and remote root compromise [1]. Solaris systems running the Sun Solstice Enterprise Master Agent (snmpdx) and the Sun SNMP agent (mibiisa), which are parts of the default OS installation, are vulnerable. Patches are available through http://www.sunsolve.com/securitypatch:

  Solaris 8, Patch ID 108869-16
  Solaris 8_x86, 108870-16
  Solaris 7, 107709-19
  Solaris 7_x86, 107710-19
  Solaris 2.6, 106787-18
  Solaris 2.6_x86, 106872-18

Technical Details

Sinan Eren, a member of Entercept Security Technology's Ricochet Team, discovered a buffer overflow in the Solaris SNMP agent and a format string vulnerability in the Sun Solstice Enterprise Master Agent [2]. All Solaris install levels include this software by default; the applications run with root privileges. The vulnerabilities may be exploited by local or remote users to execute arbitrary code on unpatched systems.

These new vulnerabilities are NOT related to the SNMP vulnerabilities announced by the University of Oulu's PROTOS team and CERT on February 12, 2002 ([3] and references therein).

Ricochet has not released proof-of-concept code for the two vulnerabilities to anyone other than Sun. However, since the vulnerability has been made public, it is safest to assume that malicious parties can reproduce the root exploit.

Countermeasures:

- Disable snmpdx and mibiisa if they are not required for your network monitoring and management. These daemons are both started via the script /etc/rc3.d/S76snmpdx. To stop them and prevent them from starting when the system reboots:

    # /etc/rc3.d/S76snmpdx stop
    # mv /etc/rc3.d/S76snmpdx /etc/rc3.d/do_not_start_S76snmpdx

  Be aware that patching your Solaris system may cause the startup script to revert to its original name, or something similar, and thereby re-activate the non-essential daemons. In that case you'll need to repeat this procedure.

  Alternatively, you can remove the offending applications from your system altogether using pkgrm(1M). The list of packages related to the Solaris SNMP suite is: SUNWmibii, SUNWsacom, SUNWsadmi, SUNWsadmx, SUNWsasnm, and SUNWsasnx.

  Another, more conservative option is to rename the binaries and remove all read, write and execute permissions, so they are unavailable to any user or group. The binaries are located in /usr/lib/snmp.

- Install the appropriate patches (listed in the Summary section) on Solaris systems required to run snmpdx and mibiisa.

References:

[1] Sun Security Bulletin #219: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/219&type=0&nav=sec.sba
[2] SEA SNMP - Buffer Overflow and Format String Vulnerabilities in Sun Solaris: http://www.entercept.com/news/uspr/06-03-02.asp
[3] Multiple SNMP Vulnerabilities: http://www.counterpane.com/alert-snmp.html
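An added example, not part of the alert: a POSIX sh check that maps a host's Solaris release and architecture to the patch ID listed in the Summary and tests `showrev -p` output for that patch base at the required revision or later, so an administrator can tell whether the "install the patches" countermeasure is actually in place before leaving snmpdx and mibiisa enabled. The function names and the `showrev -p` sample lines are constructed for illustration; only the patch IDs come from the alert.

```shell
#!/bin/sh
# Added example, not from the Counterpane alert: verify that a Solaris host
# carries the patch revision the alert lists for snmpdx/mibiisa.
# Patch IDs come from the alert; the showrev sample below is constructed.

# Map `uname -r` release and `uname -p` architecture to the required patch.
required_patch() {  # $1 = release (5.6, 5.7, 5.8); $2 = arch (sparc, i386)
    case "$1/$2" in
        5.8/sparc) echo 108869-16 ;;
        5.8/i386)  echo 108870-16 ;;
        5.7/sparc) echo 107709-19 ;;
        5.7/i386)  echo 107710-19 ;;
        5.6/sparc) echo 106787-18 ;;
        5.6/i386)  echo 106872-18 ;;
        *) echo "unsupported release/arch: $1/$2" >&2; return 1 ;;
    esac
}

# Succeed (exit 0) if `showrev -p` output on stdin lists the patch base at the
# required revision or higher; a lower revision or no entry at all is a failure.
patch_satisfied() {  # $1 = required patch, e.g. 108869-16; stdin = showrev -p
    base=${1%-*}
    need=${1#*-}
    have=$(awk -v b="$base" 'BEGIN { m = 0 }
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == b && p[2] + 0 > m) m = p[2] + 0 }
        END { print m }')
    [ "$have" -ge "$need" ]
}

# Live check for a real Solaris host (not invoked here): release, arch, showrev.
check_host() {
    req=$(required_patch "$(uname -r)" "$(uname -p)") || return 2
    showrev -p | patch_satisfied "$req"
}

# Constructed `showrev -p` sample: an older revision of the Solaris 8 patch.
SAMPLE_SHOWREV='Patch: 108869-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsasnm, SUNWsacom
Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

if printf '%s\n' "$SAMPLE_SHOWREV" | patch_satisfied "$(required_patch 5.8 sparc)"; then
    echo "sample host: patched"
else
    echo "sample host: NOT patched; disable snmpdx/mibiisa or apply 108869-16"
fi
```

On a real host, `check_host` returns 0 only when the patch is at the listed revision or newer; any other result means the daemons should stay disabled per the first countermeasure.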
This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 09:46:53 PDT