
UNIRAS Brief - 556/03 - Apple Security Advisory


- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 556/03 dated 06.10.03  Time: 11:20
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------


Apple Security Advisory: Mac OS X 10.2.8 Revised.


Mac OS X 10.2.8 contains security enhancements for the following: OpenSSL, OpenSSH,
Sendmail, fb_realpath() and arplookup().

                 ESB-2003.0701 -- Apple Security Advisory
                APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised
                              06 October 2003

Product:                OpenSSL
Publisher:              Apple
Operating System:       Mac OS X
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
                        Reduced Security
Access Required:        Remote
CVE Names:              CAN-2003-0543, CAN-2003-0544, CAN-2003-0545,
                        CAN-2003-0693, CAN-2003-0695, CAN-2003-0682,
                        CAN-2003-0466, CAN-2003-0601, CAN-2003-0518,
                        CAN-2003-0694, CAN-2003-0681, CAN-2003-0804

Ref:                    AL-2003.18

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised

Mac OS X 10.2.8 has been re-posted, and it is updated to address
issues discovered with certain system configurations.  The security
enhancements in Mac OS X 10.2.8 are identical between the first
release and the one now available.


This note describes all security enhancements in Mac OS X 10.2.8,
with the following new information:

* Security enhancements for OpenSSL (details below) have been recently
announced, and we can now disclose the presence of these enhancements
in Mac OS X 10.2.8.

* The latest release of Mac OS X 10.2.8 includes support for PowerMac
G5 systems. The initial 10.2.8 release only applied to PowerMac G4
systems.

* A Sendmail workaround for Mac OS X 10.1.x systems is described below.


Mac OS X 10.2.8 contains security enhancements for the following:

OpenSSL:  Fixes CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 to address
    potential issues in certain ASN.1 structures and in certificate
    verification code. To deliver the update in a rapid and reliable
    manner, only the patches for the CVE IDs listed above were
    applied, and not the entire latest OpenSSL library. Thus, the
    OpenSSL version in Mac OS X 10.2.8, as obtained via the
    "openssl version" command, is:  OpenSSL 0.9.6i Feb 19 2003

OpenSSH:  Mac OS X 10.2.8 contains the patches to address CVE
    CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
    versions prior to 10.2.8, the vulnerability is limited to a denial
    of service from the possibility of causing sshd to crash. Each
    login session has its own sshd, so established connections are
    preserved up to the point where system resources are exhausted by
    an attack.

    To deliver the update in a rapid and reliable manner, only the
    patches for CVE IDs listed above were applied, and not the entire
    set of patches for OpenSSH 3.7.1.  Thus, the OpenSSH version in
    Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
       OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
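The two paragraphs above describe fixes that were back-ported without
bumping the upstream version numbers, which defeats the usual "grep the
banner" audit: a patched 10.2.8 and an unpatched 10.2.6 both print
"OpenSSL 0.9.6i". The shell script below is an added example, not code
from Apple or UNIRAS. It shows what an audit has to look at instead: the
OS release from sw_vers (the -productVersion flag is assumed), the
"+CAN-2003-0693" suffix Apple appended to the ssh banner, and, for
OpenSSL, an explicit "indeterminate" verdict for the shared 0.9.6i
banner. The 3.7.1 boundary is the release this advisory names as
carrying the full OpenSSH patch set; the 0.9.6k / 0.9.7c boundaries are
the upstream OpenSSL fix releases for these CVEs and are not stated on
this page. The banner strings used for testing are constructed.

```sh
#!/bin/sh
# Added example, not code from Apple or UNIRAS: an audit helper for hosts
# where 10.2.8's fixes were back-ported without bumping library versions.

# version_ge A B: returns 0 when dotted version A is >= B. Missing fields
# count as 0, so 10.3 >= 10.2.8 and 3.7 < 3.7.1.
version_ge() {
    i=1
    while :; do
        x=$(printf '%s.\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s.\n' "$2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# The OS release is the only signal that covers every component in 10.2.8.
# $1 is the output of `sw_vers -productVersion` (flag assumed; check on the host).
osx_has_10_2_8_fixes() {
    version_ge "$1" "10.2.8"
}

# OpenSSH: Apple's back-port is visible as the "+CAN-2003-0693" suffix in
# `ssh -V`. Anything else is judged by upstream version; the advisory names
# 3.7.1 as the release carrying the full set of these patches.
# Prints apple-backport, upstream-fixed or unpatched.
ssh_banner_status() {
    case "$1" in
        *+CAN-2003-0693*) echo apple-backport ;;
        *)
            v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p')
            if [ -n "$v" ] && version_ge "$v" 3.7.1; then
                echo upstream-fixed
            else
                echo unpatched
            fi ;;
    esac
}

# OpenSSL: the 10.2.8 back-port left `openssl version` at "0.9.6i", the same
# string an unpatched 10.2.6 prints, so that banner is reported as
# indeterminate rather than safe. The 0.9.6k / 0.9.7c cut-offs are the
# upstream fix releases for CAN-2003-0543/0544/0545 (not stated on this page).
# Prints upstream-fixed, indeterminate, unpatched or unknown.
openssl_banner_status() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$v" in
        "")                                        echo unknown ;;
        0.9.6i)                                    echo indeterminate ;;
        0.9.6[k-z]*|0.9.7[c-z]*|0.9.[89]*|[1-9]*)  echo upstream-fixed ;;
        *)                                         echo unpatched ;;
    esac
}

# Stand-alone use on the host itself: `sh audit.sh --audit`.
if [ "${1:-}" = "--audit" ]; then
    os=$(sw_vers -productVersion 2>/dev/null || echo 0)
    if osx_has_10_2_8_fixes "$os"; then echo "Mac OS X $os: 10.2.8 fixes present"
    else echo "Mac OS X $os: below 10.2.8"; fi
    echo "ssh:     $(ssh_banner_status "$(ssh -V 2>&1)")"
    echo "openssl: $(openssl_banner_status "$(openssl version 2>/dev/null)")"
fi
```

An "indeterminate" OpenSSL result is the expected answer on a correctly
patched 10.2.8 host; the script deliberately refuses to upgrade it to
"fixed" on the strength of the banner, and the OS release is what decides.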

fb_realpath():  Fixes CAN-2003-0466 which is an off-by-one error in
    the fb_realpath() function that may allow attackers to execute
    arbitrary code.

arplookup():  Fixes CAN-2003-0804.  The arplookup() function caches
    ARP requests for routes on a local link.  On a local subnet only,
    it is possible for an attacker to send a sufficient number of
    spoofed ARP requests which will exhaust kernel memory, leading to
    a denial of service.

Sendmail:  Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a
    buffer overflow in address parsing, as well as a potential buffer
    overflow in ruleset parsing.

How to install Sendmail for Mac OS X 10.1.5 systems:

From the UNIX command-line, perform the following steps:

1. Download sendmail version 8.12.10, which contains the fix for the
Zalewski advisory released on 2003/09/17, by executing the following:
curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz

2. Verify the integrity of this file by typing:
cksum sendmail.8.12.10.tar.gz
which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"

3. Unpack the distribution as follows:
tar xvzf sendmail.8.12.10.tar.gz

4. Add the following line to your /etc/master.passwd file:
smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false

5.  Add the following line to your /etc/group file:

6. Now invoke /Applications/Utilities/NetInfo Manager.app and add the
same smmsp user and group entries to your NetInfo database.  The
easiest way is to duplicate existing entries and edit them to match
the entries in steps 4 and 5.  For example, in the users pane you
could select and then duplicate (Command-D) the entry for "www" and edit
the uid/gid/name/home directory fields in the new "www copy" to match
those in step 4.  Similarly, for groups you could select the entry for
"mail" and duplicate it, editing just the name and gid fields to match
those in step 5.  When you're done, you should see a users/smmsp entry
and a groups/smmsp entry.

7.  Now you're ready to start building the distribution.  cd to the
sendmail-8.12.10 directory and type "make"

8.  The next two commands install the new sendmail:

sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
sudo make install

Make sure the permissions on your root directory are 755 (or set
DontBlameSendmail in /etc/mail/sendmail.cf) and reboot.  You should
now be running the patched sendmail.
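The eight steps above build a replacement Sendmail by hand, and three of
them are where a rushed install goes wrong: unpacking a tarball whose
cksum was never actually compared, defining the smmsp account a second
time (or with a different uid) when the procedure is re-run, and
finishing with a root directory that sendmail will refuse to trust. The
shell functions below are an added example, not code from Apple or
UNIRAS; they wrap those checks so each one fails loudly. The expected
cksum pair and the master.passwd line are the ones printed in steps 2
and 4; the group line for step 5 is absent from the page and must be
supplied by the reader; the NetInfo step still has to be done by hand as
described in step 6. The tarball, passwd file and directory used for
testing are constructed.

```sh
#!/bin/sh
# Added example, not code from Apple or UNIRAS: guard rails around the
# manual Sendmail 8.12.10 install described for Mac OS X 10.1.5.

# Step 2: compare `cksum` output (CRC and byte count) with the expected pair
# before unpacking. $2 is "CRC SIZE", e.g. "834313764 1892497".
# Returns 0 on match, 1 on mismatch.
verify_cksum() {
    actual=$(cksum "$1" | awk '{print $1, $2}')
    [ "$actual" = "$2" ]
}

# Steps 4/5: append an account or group line only if that name is not yet
# defined. A second run is a no-op; a conflicting existing definition is
# reported (return 2) instead of being silently duplicated or overwritten.
# $1 is the file (e.g. /etc/master.passwd), $2 the full colon-separated line.
ensure_entry() {
    file="$1"; line="$2"
    name=${line%%:*}
    existing=$(grep "^${name}:" "$file" 2>/dev/null | head -n 1)
    if [ -n "$existing" ]; then
        [ "$existing" = "$line" ] && return 0
        echo "$file: '$name' already defined differently: $existing" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# Step 8 caveat: without DontBlameSendmail, sendmail rejects a root directory
# that is group- or world-writable. Reads the mode string from `ls -ld`
# (identical on Mac OS X and Linux) and checks the two write bits.
# Returns 0 when the directory is no more permissive than 755.
root_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxr-xr-x
    case "$mode" in
        d????-??-?) return 0 ;;           # char 6 = group w, char 9 = other w
        *)          return 1 ;;
    esac
}

# Usage on the target, after step 1 and before step 3:
#   verify_cksum sendmail.8.12.10.tar.gz "834313764 1892497" || exit 1
#   ensure_entry /etc/master.passwd \
#     'smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false'
#   ensure_entry /etc/group '<the smmsp group line from step 5>'
#   root_perms_ok / || echo "chmod 755 / or set DontBlameSendmail"
```

cksum is a CRC-32, not a cryptographic hash, and the download is over
plain FTP: a match proves the transfer was not corrupted, not that the
tarball was not substituted. Sendmail releases are also published with a
PGP signature, and checking that signature is the stronger test.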


Mac OS X 10.2.8 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    PowerMac G4 systems
    Mac OS X Client (updating from 10.2 - 10.2.5):
    The download file is named: "MacOSXUpdateCombo10.2.8.dmg"
    Its SHA-1 digest is: f823736e3ab87f8152826491f4ac0126d7aacc82

    Mac OS X Client (updating from 10.2.6 - 10.2.7):
    The download file is named: "MacOSXUpdate10.2.8.dmg"
    Its SHA-1 digest is: 2899de4e35c280d15f72b844b44311bfe36ed17c

    Mac OS X Server (updating from 10.2.6):
    The download file is named: "MacOSXServerUpdate10.2.8.dmg"
    Its SHA-1 digest is: 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36

    Mac OS X Server (updating from 10.2 - 10.2.5):
    The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg"
    Its SHA-1 digest is: 53a84558cb78591ce1904de96f816445a5b61b67

    PowerMac G5 systems
    Mac OS X Update (G5) v10.2.8(G5)
    The download file is named: "MacOSXUpdate10.2.5.dmg"
    Its SHA-1 digest is: 991bf6984f9d5c57078a5f20b01aed03a631d0ac

    For systems with the initial release (only) of Mac OS X 10.2.8
    Mac OS X Server 10.2.8 Ethernet/Battery (updating from 10.2.8):
    The download file is named: "MacOSXUpd10.2.8.dmg"
    Its SHA-1 digest is: f0278755df440155708ed0f8aef2f9f8eb09810e
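The digests above are the only thing that ties a downloaded image to
this advisory, so they should be compared before the image is mounted,
not after. The shell script below is an added example, not code from
Apple or UNIRAS: a lookup table of the file names and SHA-1 digests
exactly as printed above (the G5 file name is kept as printed), a digest
routine that uses whichever of sha1sum, shasum or openssl the host has,
and a verifier that rejects any file it holds no digest for rather than
passing it. The test file is constructed (the string "abc", whose SHA-1
is the FIPS 180-1 test vector).

```sh
#!/bin/sh
# Added example, not code from Apple or UNIRAS: verify a downloaded
# Mac OS X 10.2.8 update image against the digests in the advisory.

# Expected digests, keyed by file name, copied from the advisory text.
# Returns 1 for a name the advisory does not list.
expected_sha1() {
    case "$1" in
        MacOSXUpdateCombo10.2.8.dmg)   echo f823736e3ab87f8152826491f4ac0126d7aacc82 ;;
        MacOSXUpdate10.2.8.dmg)        echo 2899de4e35c280d15f72b844b44311bfe36ed17c ;;
        MacOSXServerUpdate10.2.8.dmg)  echo 93fe9b2a7b4e9676d641ebb836fb0e38a1f26c36 ;;
        MacOSXSrvrUpdCombo10.2.8.dmg)  echo 53a84558cb78591ce1904de96f816445a5b61b67 ;;
        MacOSXUpdate10.2.5.dmg)        echo 991bf6984f9d5c57078a5f20b01aed03a631d0ac ;;  # G5 image, name as printed
        MacOSXUpd10.2.8.dmg)           echo f0278755df440155708ed0f8aef2f9f8eb09810e ;;
        *) return 1 ;;
    esac
}

# SHA-1 of a file, using whichever tool is present: sha1sum (Linux),
# shasum (macOS), or openssl (present on every release this advisory covers).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# Returns 0 when the file's SHA-1 equals $2 (lower-case hex).
sha1_matches() {
    [ "$(sha1_of "$1")" = "$2" ]
}

# Verify one image by its base name. Exit status: 0 match, 1 mismatch,
# 2 unlisted name. A renamed or unlisted file is never silently accepted.
verify_image() {
    name=$(basename "$1")
    want=$(expected_sha1 "$name") || { echo "$name: not listed in the advisory" >&2; return 2; }
    if sha1_matches "$1" "$want"; then
        echo "$name: OK"
    else
        echo "$name: MISMATCH (got $(sha1_of "$1"), want $want)" >&2
        return 1
    fi
}

# Usage: sh verify.sh ~/Desktop/MacOSXUpdateCombo10.2.8.dmg
if [ -n "${1:-}" ]; then
    verify_image "$1"
fi
```

The digests only carry the trust of the message they came from. Apple's
original is PGP-signed; that signature is not reproduced in this
briefing, so take the values from the signed original when in doubt.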
Information will also be posted to the Apple Product Security web

This message is signed with Apple's Product Security PGP key, and
details are available at:



For additional information or assistance, please contact the HELP Desk by 
telephone, or send Not Protectively Marked information by e-mail to:

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Apple for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>