
UNIRAS Brief - 587/03 - Two Sun Microsystems Security Advisories



 

- - ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 587/03 dated 27.10.03  Time: 13:10
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- - ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------

Title
=====

Two Sun Microsystems Security Advisories:

1. Security Vulnerability Issues With Solstice X.25 snmpx25d daemon

2. Security Vulnerability in Solaris zlib(libz(3)) Compression Library
   Function gzprintf( )

Detail
====== 

1. With Solstice X.25, unprivileged local or remote users may be able to
kill the snmpx25d daemon due to the mishandling of SNMP requests. This
would cause a denial of service for utilities or users attempting to
access this daemon.
   

2. Applications which are linked with "zlib" and utilize the gzprintf()
function may be susceptible to a security vulnerability which could
result in a denial of service, information leakage, or execution of
arbitrary code due to a buffer overflow in the "zlib" gzprintf() function.
   



1.    ESB-2003.0743 -- Sun(sm) Alert Notification - Sun Alert ID: 57404
     Security Vulnerability Issues With Solstice X.25 snmpx25d daemon
                              27 October 2003

Product:                snmpx25d
Publisher:              Sun Microsystems
Operating System:       Solaris 9
                        Solaris 8
                        Solaris 7
                        Solaris 2.6
                        Solaris 2.5.1
                        Solaris 2.5
                        Solaris 2.4
Platform:               SPARC
                        x86
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Remote

Ref:                    AL-2002.02

- - - --------------------------BEGIN INCLUDED TEXT--------------------


   DOCUMENT ID: 57404
   SYNOPSIS: Security Vulnerability Issues With Solstice X.25 snmpx25d
   daemon
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57404
     * Synopsis: Security Vulnerability Issues With Solstice X.25
       snmpx25d daemon
     * Category: Security
     * Product: Solstice X.25
     * BugIDs: 4563124, 4642557, 4630596
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 22-Oct-2003
     * Date Closed: 22-Oct-2003
     * Date Modified:
       
1. Impact

   With Solstice X.25, unprivileged local or remote users may be able to
   kill the snmpx25d daemon due to the mishandling of SNMP requests. This
   would cause a denial of service for utilities or users attempting to
   access this daemon.
   
   Also, unprivileged local or remote users may be able to gain
   unauthorized root access due to a buffer overflow in the snmpx25d
   daemon.
   
   This issue is described in the CERT Vulnerability VU#854306 at
   [1]http://www.kb.cert.org/vuls/id/854306 which is referenced in
   CA-2002-03 at [2]http://www.cert.org/advisories/CA-2002-03.html.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * X.25 9.1 (for Solaris 2.4, 2.5, 2.5.1, 2.6, and 7) without patch
       105084-17
     * X.25 9.2 (for Solaris 7, 8, and 9) without patch 108669-06
       
   x86 Platform
     * X.25 9.1 (for Solaris 2.4, 2.5, 2.5.1, 2.6, and 7) without patch
       105188-17
     * X.25 9.2 (for Solaris 7, 8, and 9) without patch 108670-06
       
   To determine if X25 is installed and which version, run the following
   command:
    % pkginfo -l SUNWx25a | grep VERSION

   If the VERSION string is returned (along with the corresponding
   version), the system has Solstice X.25 installed. If nothing is
   returned, then X25 is not installed.
   
3. Symptoms

   The snmpx25d daemon may exit resulting in the creation of a file named
   "core" in the root (/) directory (if X.25 is started at system boot),
   or in the directory from which X.25 was manually started.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   Some relief to the buffer overflow is available by enabling
   non-executable user stacks (although this does not provide 100 percent
   protection against exploitation of this vulnerability, it makes the
   likelihood of a successful exploit much smaller). This workaround is
   only effective on sun4u, sun4m, and sun4d architectures (enter "uname
   -m" to display a system's architecture).
   
   Note: This workaround will not work on x86 platforms.
   
   To enable non-executable program stacks, add the following lines to
   the "/etc/system" file and reboot the system:
    set noexec_user_stack = 1
    set noexec_user_stack_log = 1

   The above tunable parameters are described in the "Solaris Tunable
   Parameters Reference Manual" at [3]http://docs.sun.com.
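
   One way to audit the workaround above across hosts, as an added example
   that is not part of the Sun Alert: the function name, status strings and
   sample file contents are assumptions, and the check reads the file only
   (the settings take effect after the reboot the advisory calls for).

```sh
#!/bin/sh
# Added example: check whether the advisory's non-executable stack relief is
# configured. Reads /etc/system content on stdin; takes `uname -m` as $1.

# noexec_relief ARCH
# Prints: arch-unsupported  relief does not apply (not sun4u/sun4m/sun4d)
#         relief-configured both tunables from the advisory are set to 1
#         not-configured    one or both settings are absent or not 1
noexec_relief() {
    case $1 in
        sun4u|sun4m|sun4d) ;;
        *) echo arch-unsupported; return 0 ;;
    esac
    awk '
        /^[ \t]*[*#]/ { next }               # skip comment lines
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)
            gsub(/[ \t]/, "", line)          # now "name=value"
            split(line, kv, "=")
            val[kv[1]] = kv[2]               # keep the last assignment seen
        }
        END {
            if (val["noexec_user_stack"] == "1" && val["noexec_user_stack_log"] == "1")
                print "relief-configured"
            else
                print "not-configured"
        }'
}

# Constructed /etc/system fragments (not taken from a real host).
SAMPLE_GOOD='* stack protection per Sun Alert 57404
set noexec_user_stack = 1
set noexec_user_stack_log=1'
SAMPLE_COMMENTED='* set noexec_user_stack = 1
set noexec_user_stack_log = 1'

printf '%s\n' "$SAMPLE_GOOD" | noexec_relief sun4u
printf '%s\n' "$SAMPLE_COMMENTED" | noexec_relief sun4u
noexec_relief i86pc </dev/null
# On a live host: noexec_relief "$(uname -m)" </etc/system
```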
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * X.25 9.1 (for Solaris 2.4, 2.5, 2.5.1, 2.6, and 7) with patch
       105084-17 or later
     * X.25 9.2 (for Solaris 7, 8, and 9) with patch 108669-06 or later
       
   x86 Platform
     * X.25 9.1 (for Solaris 2.4, 2.5, 2.5.1, 2.6, and 7) with patch
       105188-17 or later
     * X.25 9.2 (for Solaris 7, 8, and 9) with patch 108670-06 or later
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.
   

References

   1. http://www.kb.cert.org/vuls/id/854306
   2. http://www.cert.org/advisories/CA-2002-03.html
   3. http://docs.sun.com/




2.     ESB-2003.0744 -- Sun(sm) Alert Notification - Sun Alert ID: 57405
    Security Vulnerability in Solaris zlib(libz(3)) Compression Library
                           Function gzprintf( )
                              27 October 2003

Product:                zlib
Publisher:              Sun Microsystems
Operating System:       Solaris 9
                        Solaris 8
Platform:               SPARC
                        x86
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
CVE Names:              CAN-2003-0107

- - - --------------------------BEGIN INCLUDED TEXT--------------------


   DOCUMENT ID: 57405
   SYNOPSIS: Security Vulnerability in Solaris zlib(libz(3)) Compression
   Library Function gzprintf( )
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57405
     * Synopsis: Security Vulnerability in Solaris zlib(libz(3))
       Compression Library Function gzprintf()
     * Category: Security
     * Product: Solaris
     * BugIDs: 4822658
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 22-Oct-2003
     * Date Closed: 22-Oct-2003
     * Date Modified:
       
1. Impact

   Applications which are linked with "zlib" and utilize the gzprintf()
   function may be susceptible to a security vulnerability which could
   result in a denial of service, information leakage, or execution of
   arbitrary code due to a buffer overflow in the "zlib" gzprintf()
   function.
   
   Sun does not distribute any applications with the Solaris Operating
   Environment which are linked with "zlib" and call gzprintf(). A large
   number of free applications and libraries have been identified as
   using "zlib" at [1]http://www.gzip.org/zlib/apps.html. Some of this
   freeware is distributed on the Solaris Software Companion CDs but none
   is known to be vulnerable to this issue at this time.
   
   This issue is described in CERT Vulnerability VU#142121 (see
   [2]http://www.kb.cert.org/vuls/id/142121).
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 8 without patch 112611-02
     * Solaris 9 without patch 115754-02
       
   x86 Platform
     * Solaris 8 without patch 112612-02
     * Solaris 9 without patch 115755-02
       
   Note 1: libz is not distributed with Solaris 7 or earlier releases.
   
   Note 2: For a short period, patches 115754-01 and 115755-01 were
   available that purported to address this issue. However, this was not
   the case and 115754-02 and 115755-02 are required to address this
   issue as shown above.
   
3. Symptoms

   There are no predictable symptoms that would show the described issue
   has been exploited.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   There is no workaround. Please see the "Resolution" section below.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 8 with patch 112611-02 or later
     * Solaris 9 with patch 115754-02 or later
       
   x86 Platform
     * Solaris 8 with patch 112612-02 or later
     * Solaris 9 with patch 115755-02 or later
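
   The "with patch NNNNNN-RR or later" checks in both Sun Alerts, as an added
   example that is not part of either advisory: it compares `showrev -p`
   output with a minimum revision and flags the insufficient -01 revisions
   from Note 2. The function name, status strings and sample listing are
   assumptions, and the package names other than SUNWx25a are placeholders.

```sh
#!/bin/sh
# Added example: check `showrev -p` output against a minimum patch revision
# from the advisory. The sample listing is constructed for illustration.

# patch_status ID-REV   (reads `showrev -p` output on stdin)
# Prints: ok        a revision >= REV of patch ID is installed
#         outdated  only lower revisions of patch ID are installed
#         missing   no revision of patch ID is installed
patch_status() {
    awk -v need="$1" '
        BEGIN { split(need, n, "-"); min = n[2] + 0; state = "missing" }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] != n[1]) next
            if (p[2] + 0 >= min) state = "ok"
            else if (state != "ok") state = "outdated"
        }
        END { print state }'
}

# Constructed sample for a Solaris 9 SPARC host with X.25 9.2 installed.
# Package names other than SUNWx25a are placeholders.
SAMPLE_SHOWREV='Patch: 115754-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKGzlib
Patch: 108669-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWx25a
Patch: 999999-03 Obsoletes:  Requires:  Incompatibles:  Packages: PKGother'

# Minimum revisions from the two advisories for Solaris 9 / X.25 9.2 on SPARC.
for need in 115754-02 108669-06; do
    printf '%s: %s\n' "$need" "$(printf '%s\n' "$SAMPLE_SHOWREV" | patch_status "$need")"
done
# On a live host: showrev -p | patch_status 115754-02
```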
       
   

References

   1. http://www.gzip.org/zlib/apps.html
   2. http://www.kb.cert.org/vuls/id/142121




- - ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems for the information
contained in this Briefing. 
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>