Firewall Wizards mailing list archives

Re: Trusted Unices Aren't?

From: Randy Taylor <rtaylor () mail cist saic com>
Date: Fri, 16 Oct 1998 13:21:30 -0400


Small comments inline...

At 03:51 PM 10/16/98 +0400, ark () eltex ru wrote:

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

/* 
First, an "offtopic killer": somebody from SCO suggested using TIS fwtk
under SCO CMW+ as very secure firewall solution (fwtk-users () tis com ml)
*/

It seems that nearly nobody noticed that one of latest vendor-initiated 
bulletin for CERT (mscreen) listed SCO CMW+, a-claimed-to-be-close-to-B2
upgrade for SCO Unix, in the list of vulnerable systems. Said to be
possible root compromise.

How can this happen? How can "a serial multiscreen utility", a program
that should have nothing like root privileges on an MLS system, be
vulnerable _that way_?
Does that just mean that at least _some_ "hardened unix" vendors just
allow generic "suid root" programs running in this environment, thus 
completely trashing the whole MLS model?


Dunno, but back when the SCO CMW+ was a SecureWare product, you could
brute-force rlogin attempts all day long on a fully configured CMW+ box
and the OS didn't mind one whit - raised nary an alarm. This was around 
mid-late 1993 to early 1994. 

I heard that SCO bought SecureWare a year or two ago, meaning I wasn't
surprised at all by the CERT announcement.

Does that mean that you need, say, VMS, if you need _real_ multilevel
security?

What about closer look to Trusted Solaris, DG/UX, whatever else exists
on this market?


_shrug_ I've seen a lot of CMW's in the field. Most had the roles and
levels munged so that the box was pretty much at C2 level. Reason? 
Usability. ;) 
                                    _     _  _  _  _      _  _

{::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
(##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
[||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!


Best regards,

Randy Taylor
SAIC
(and speaking only for himself)


-----
One of the most striking differences between a
cat and a lie is that a cat has only nine lives.
                -- Mark Twain

Current thread:

Trusted Unices Aren't? ark (Oct 16)
- Re: Trusted Unices Aren't? Randy Taylor (Oct 16)
- <Possible follow-ups>
- Re: Trusted Unices Aren't? steve . gailey (Oct 19)
- Re: Trusted Unices Aren't? ark (Oct 23)
  - Re: Trusted Unices Aren't? Jeremy Epstein (Oct 23)
    - Re: Trusted Unices Aren't? Rick Smith (Oct 28)
    - Re: Trusted Unices Aren't? Paul D. Robertson (Oct 29)
    - Re: Trusted Unices Aren't? dreamwvr (Oct 29)
    - Re: Trusted Unices Aren't? Gordon Greene (Oct 29)
  - Re: Trusted Unices Aren't? Joseph S. D. Yao (Oct 27)
- Re: Trusted Unices Aren't? Jeremy Epstein (Oct 23)
  - RE: Trusted Unices Aren't? Gregory Perry (Oct 28)

(Thread continues...)