
UNIRAS Brief - 50/04 - Sun - Basic Security Module (BSM) Functionality is Impaired on Solaris Systems Which Have Removed The SUNWscpu Package



 
----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 50/04 dated 05.02.04  Time: 11:36
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====
Sun Alert ID:57483
Basic Security Module (BSM) Functionality is Impaired on Solaris Systems
Which Have Removed The SUNWscpu Package

Detail
====== 
===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2004.0093 -- Sun(sm) Alert Notification - Sun Alert ID:57483
 Basic Security Module (BSM) Functionality is Impaired on Solaris Systems
                  Which Have Removed The SUNWscpu Package
                             05 February 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Basic Security Module (BSM)
Publisher:              Sun Microsystems
Operating System:       Solaris 9
                        Solaris 8
                        Solaris 7
Platform:               IA-32
                        SPARC
Impact:                 Provide Misleading Information
Access Required:        Existing Account

Comment: Original Bulletin:

         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57483

--------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57483
   SYNOPSIS: Basic Security Module (BSM) Functionality is Impaired on
   Solaris Systems Which Have Removed The SUNWscpu Package
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID:57483
     * Synopsis: Basic Security Module (BSM) Functionality is Impaired on
       Solaris Systems Which Have Removed The SUNWscpu Package
     * Category: Security
     * Product: Solaris
     * BugIDs: 4503182
     * Avoidance: Patch, Upgrade
     * State: Resolved
     * Date Released: 03-Feb-2004
     * Date Closed: 03-Feb-2004
     * Date Modified:
       
1. Impact

   Solaris systems with Basic Security Module (BSM) enabled which have
   been security hardened may have had the SUNWscpu package removed. If
   this is the case, the BSM audit_warn(1M) script will not e-mail any
   errors or warning messages generated by the audit daemon (auditd(1M)).
   
   The SUNWCscp cluster provides source compatibility support for Solaris
   1.0 (previously known as SunOS 4.X) and the SUNWscpu package contains
   the mail(1b) command which the BSM audit_warn(1M) relies on.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 7
     * Solaris 8 without patch 116610-01
     * Solaris 9 without patch 116247-01
       
   x86 Platform
     * Solaris 7
     * Solaris 8 without patch 116611-01
     * Solaris 9 without patch 116248-01
       
   This issue only affects BSM enabled systems which do not have the
   SUNWscpu package installed.
   
   To determine if a system has BSM enabled, check the "/etc/system" file
   for the following line:
    $ grep c2audit /etc/system
    set c2audit:audit_load = 1

   To determine if the SUNWscpu package is installed on a system, the
   pkginfo(1) command will display output similar to the following:
    $ pkginfo SUNWscpu
    system  SUNWscpu  Source Compatibility, (Usr)
                                                            

3. Symptoms

   There are no reliable symptoms that would show the described issue has
   occurred on a system.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   Sites which have removed the SUNWscpu package could edit the
   audit_warn(1M) script by hand to change all occurrences of mail(1b) to
   mailx(1).
   
   For example, change all lines which reference /usr/ucb/mail:
    /usr/ucb/mail -s "$SUBJECT" audit_warn
   to reference /usr/bin/mailx:
    /usr/bin/mailx -s "$SUBJECT" audit_warn
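
The checks in section 2 and the workaround above can be combined into one audit, shown here as an added example that is not part of the Sun Alert. The function names, the optional ROOT prefix and the /etc/security/audit_warn script path are assumptions; the advisory does not give the script's location.

```sh
#!/bin/sh
# Added example. ROOT is an optional prefix ("" = live system, or a mounted
# image / test tree). /etc/security/audit_warn is assumed as the script path.

# True if /etc/system loads the c2audit module, i.e. BSM is enabled.
bsm_enabled() {
    grep -Eq '^[[:space:]]*set[[:space:]]+c2audit:audit_load[[:space:]]*=[[:space:]]*1' "$1" 2>/dev/null
}

# List the distinct absolute mail/mailx paths that non-comment lines invoke.
mailers_in() {
    awk '!/^[ \t]*#/ { for (i = 1; i <= NF; i++)
             if ($i ~ /^\/.*\/mailx?$/) print $i }' "$1" | sort -u
}

# Print the script with the advisory's workaround applied (original untouched).
patched_copy() {
    sed -e 's|/usr/ucb/mail\([^A-Za-z0-9_]\)|/usr/bin/mailx\1|g' \
        -e 's|/usr/ucb/mail$|/usr/bin/mailx|' "$1"
}

# Return 0 if BSM is off or every mailer exists, 1 if one is missing,
# 2 if BSM is on but the script names no mailer at all.
check_audit_warn() {
    root=$1
    script="$root/etc/security/audit_warn"
    if ! bsm_enabled "$root/etc/system"; then
        echo "BSM not enabled: not affected"
        return 0
    fi
    mailers=$(mailers_in "$script" 2>/dev/null)
    if [ -z "$mailers" ]; then
        echo "no mailer found in $script"
        return 2
    fi
    status=0
    for m in $mailers; do
        if [ -x "$root$m" ]; then
            echo "ok: $m"
        else
            echo "MISSING: $m (audit_warn mail will be lost)"
            status=1
        fi
    done
    return $status
}

# Run as: sh thisfile check [ROOT]
case "${1:-}" in check) check_audit_warn "${2:-}" ;; esac
```

Testing the file the script actually invokes, rather than querying pkginfo, also catches a mailer binary that was deleted by hand while the package database still lists SUNWscpu.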
                          

5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 8 with patch 116610-01 or later
     * Solaris 9 with patch 116247-01 or later
       
   x86 Platform
     * Solaris 8 with patch 116611-01 or later
     * Solaris 9 with patch 116248-01 or later
       
   Note: Sites using Solaris 7 will need to upgrade to Solaris 8 or
   Solaris 9 and apply the relevant patches.
   
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@xxxxxxxxxxxxxx
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@xxxxxxxxxxxxxx
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems Inc. and 
AusCERT for the information contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>