Re: automountd and Solaris 2.3

[Mark.Graff () corp sun com ( Mark Graff )]

> Sun just released a Security Bulletin announcing a patch for the
> automountd on Solaris 2.3 systems.
>
> The hole allows a non-root user to gain root, so the Bulletin
> says, implying that this isn't exploitable from a remote machine
> -- but there are no details, of course.  
>
> Anyone have more of an idea as to how much of a threat this
> actually is?
>
> Richard
 
 This bulletin is in error.  Sun is in the process of issuing a corrected
 version.  Stay tuned.  Film at 11.
 
 -- Dan Ehrlich


Well, it wasn't much of an error. I did manage to confuse some people about
the patchid. Here is the revised bulletin.

-mg-

p.s. For some reason I get these bugtraq messages out of order; so I can't
tell if this has been posted here yet.

-----------------------------------------------------------------------------
         SUN MICROSYSTEMS SECURITY BULLETIN: #00127a, 5 May 1994
-----------------------------------------------------------------------------


This revised version of Bulletin #127 corrects and two points
concerning a security patch just announced for Solaris 2.3 systems. See
the "NOTE" in section I for a description of the changes.


BULLETIN TOPICS
    
I.   Announcement of patch for Solaris 2.3 "automountd" vulnerability

II.  Patch Table

III. Checksum Table


APPENDICES

A.   How to obtain Sun security patches

B.   How to report or inquire about Sun security problems

C.   How to obtain Sun security bulletins


          /\         Send Replies or Inquiries To:
         \\ \        
        \ \\ /       Mark Graff
       / \/ / /      Sun Security Coordinator
      / /   \//\     MS MPK2-04
      \//\   / /     2550 Garcia Avenue
       / / /\ /      Mountain View, CA 94043-1100
        / \\ \       Phone: 415-688-9081
         \ \\        Fax:   415-688-9101
          \/         E-mail: security-alert () Sun COM
 
                                -----------

Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.

Contents of this bulletin Copyright (c) 1994 by Sun Microsystems, Inc.

-----------------------------------------------------------------------------
         SUN MICROSYSTEMS SECURITY BULLETIN: #00127a, 5 May 1994
-----------------------------------------------------------------------------

I.  Announcement of patches for Solaris 2.3 "automountd" vulnerability

    Patch 101329-15 fixes a bug in the Solaris 2.3 version of automountd
    which allows a user with an unprivileged account on a 2.3 system to
    gain root access.

    No reports of this vulnerability being exploited have yet come to the
    attention of this office. We nevertheless recommend that all affected
    customers close this very serious security hole.

    The automountd fix is bundled into the Solaris 2.3 jumbo NIS+ patch.
    The first version of the patch to contain the security fix was
    101329-10; but we recommend the installation of the latest version
    (currently 101329-15).

    This bug is not found in any other SunOS version, including Solaris x86.
    The fix has been integrated into the upcoming Solaris 2.4 release.

    NOTE: The original version of this bulletin, issued yesterday,
    referred to version -13 of the patch as the latest. Shortly after
    the bulletin was issued, however, version -15 (skipping -14) was
    released, superseding the earlier version on SunSolve. For that
    reason--and also to correct a last-minute typographical error--we
    are issuing this revised bulletin. We apologize for the error and
    regret any inconvenience.

    To assist those who have already installed version -13 in deciding
    whether to install -15 as well, we provide here a summary of the bugs
    first fixed in the newer version. None specifically relate to security.
    
    1163847 automountd doesn't work with Apollo pathnames which start with //
    1153274 machine panics with recursive mutex_enter while using automounter
    1156518 Cannot mount mvs/nfs mounts using autofs under Solaris 2.2 & 2.3.


II. Patch Table

    In the patch table we show the patch number and file name for 
    the compressed tar file containing the NIS+ jumbo patch.
     
    Software    Patch ID    Patch File Name
    --------    ---------   --------------- 
    NIS+        101329-15   101329-15.tar.Z


III. Checksum Table

    In the checksum table we show the BSD and SVR4 checksums and MD5
    digital signatures for the compressed tar archive, which contains
    the entire patch package.

    File            BSD        SVR4        MD5
    Name            Checksum   Checksum    Digital Signature
    --------------- ---------  ----------  --------------------------------
    101329-15.tar.Z 55492 843  46189 1685  19AA042484727A5DE9CB21199858071A


    The checksums shown above are from the BSD-based checksum
    (on 4.1.x, /bin/sum;  on Solaris 2.x, /usr/ucb/sum) and from
    the SVR4 version on Solaris 2.x (/usr/bin/sum).


APPENDICES

A.  How to obtain Sun security patches

    1. If you have a support contract

    Customers with Sun support contracts can obtain the patches listed
    here--and all other Sun security patches--from:

       - Local Sun answer centers, worldwide
       - SunSolve Online

    Please refer to the bug ID and patch ID when requesting patches
    from Sun answer centers.

    You should also contact your answer center if you have a support
    contract and:

       - You need assistance in installing a patch 
       - You need additional patches
       - You want an existing patch ported to another platform
       - You believe you have encountered a bug in a Sun patch
       - You want to know if a patch exists, or when one will be ready

    2. If you do not have a support contract

    Sun also makes its security patches available to customers who do
    not have a support contract, via anonymous ftp:

       - In the US, from /systems/sun/sun-dist on ftp.uu.net
       - In Europe, from ~ftp/sun/fixes on ftp.eu.net

    Sun does not furnish patches to any external distribution sites
    other than the ones listed here. 


    3. About the checksums

    Patches announced in a Sun security bulletin are uploaded to the
    ftp.*.net sites just before the bulletin is released, and seldom
    updated.  In contrast, the "supported" patch databases are
    refreshed nightly, and will often contain newer versions of a
    patch incorporating changes which are not security-related.

    So that you can quickly verify the integrity of the patch files
    themselves, we supply checksums for the tar archives in each
    bulletin. The listed checksums should always match those on the
    ftp.*.net systems. (The rare exceptions are listed in the
    "checksums" file there.)

    Normally, the listed checksums will also match the patches on the
    SunSolve database. However, this will not be true if we have
    changed (as we sometimes do) the README file in the patch after the
    bulletin has been released.

    If would like assistance in verifying the integrity of a patch file
    please contact this office or your local answer center.


B.  How to report or inquire about Sun security problems

    If you discover a security problem with Sun software or wish to
    inquire about a possible problem, contact one or more of the
    following:

       - Your local Sun answer centers
       - Your representative computer security response team, such as CERT 
       - This office. Address postal mail to:

         Sun Security Coordinator
         MS MPK2-04
         2550 Garcia Avenue Mountain
         View, CA 94043-1100

         Phone: 415-688-9081
         Fax:   415-688-9101
         E-mail: security-alert () Sun COM

     We strongly recommend that you report problems to your local Answer
     Center. In some cases they will accept a report of a security bug
     even if you do not have a support contract. An additional notification
     to the security-alert alias is suggested but should not be used as your
     primary vehicle for reporting a bug.


C.   How to obtain Sun security bulletins

     1. Subscription information

     Sun Security Bulletins are available free of charge as part of
     our Customer Warning System. It is not necessary to have a Sun
     support contract in order to receive them.

     To subscribe to this bulletin series, send mail to the address
     "security-alert () Sun COM" with the subject "subscribe CWS
     your-mail-address" and a message body containing affiliation and
     contact information. To request that your name be removed from the
     mailing list, send mail to the same address with the subject
     "unsubscribe CWS your-mail-address". Do not include other requests
     or reports in a subscription message.

     Due to the volume of subscription requests we receive, we cannot
     guarantee to acknowledge requests. Please contact this office if
     you wish to verify that your subscription request was received, or
     if you would like your bulletin delivered via postal mail or fax.

     2. Obtaining old bulletins

     Sun Security Bulletins are archived on ftp.uu.net (in the same
     directory as the patches) and on SunSolve. Please try these
     sources first before contacting this office for old bulletins.

                                ------------