
UNIRAS Brief - 276/04 - Two Sun Microsystems Alert Notifications



----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 276/04 dated 08.06.04  Time: 10:45  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====
1.  Sun Crypto Accelerator 4000 v.1.0 Software May be Susceptible to OpenSSL
Security Vulnerabilities.

2. Buffer Overflow in sendmail(1M) Ruleset Parsing May Result in Unauthorized
Privileges.   

Detail
======
1. Solaris 8 or Solaris 9 systems equipped with Sun Crypto Accelerator
   4000 v1.0 boards which are configured to use the Apache web server may
   be vulnerable to Denial of Service attacks and service interruptions.

2. There is a potential buffer overflow in sendmail(1M) involving the
   parsing of rulesets which affects sendmail(1M) versions earlier than
   8.12.10. This could result in a local or remote unprivileged user
   gaining unauthorized root privileges.

----------------------------------------------------------------------------------
1.

Sun(sm) Alert Notification

     * Sun Alert ID: 57571
     * Synopsis: Sun Crypto Accelerator 4000 v1.0 Software May be
       Susceptible to OpenSSL Security Vulnerabilities
     * Category: Security
     * Product: Sun Crypto Accelerator 4000
     * BugIDs: 4940538
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 01-Jun-2004
     * Date Closed: 01-Jun-2004
     * Date Modified:
       
1. Impact

   Solaris 8 or Solaris 9 systems equipped with Sun Crypto Accelerator
   4000 v1.0 boards which are configured to use the Apache web server may
   be vulnerable to Denial of Service attacks and service interruptions.
   In some cases a local or remote unprivileged user may be able to
   execute arbitrary code on the system and possibly gain elevated
   privileges due to buffer overflows found in OpenSSL.
   
   This issue is also described in NISCC Vulnerability Advisory #224012
   at: [1]http://www.uniras.gov.uk/vuls/2004/224012/index.htm. Also see
   CVE CAN-2004-0079 at:
   [2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079, CVE
   CAN-2004-0112 at:
   [3]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112 and CVE
   CAN-2004-0081 at:
   [4]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081 for
   additional information.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Sun Crypto Accelerator 4000 v1.0 (for Solaris 8 and Solaris 9)
       without patch 114796-04
       
   Note: The Solaris Operating System itself is not vulnerable to this
   issue unless the Sun Crypto Accelerator 4000 and its supporting
   software are installed.
   
3. Symptoms

   There are no reliable symptoms that would indicate the described
   issues have been exploited.
   
4. Relief/Workaround

   There is no workaround. Please see the "Resolution" section below.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Sun Crypto Accelerator 4000 v1.0 (for Solaris 8 and Solaris 9)
       with patch 114796-04 or later
       
   References

   1. http://www.uniras.gov.uk/vuls/2004/224012/index.htm
   2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
   3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
   4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081


----------------------------------------------------------------------------- 

2.

   DOCUMENT ID: 57573
   SYNOPSIS: Buffer Overflow in sendmail(1M) Ruleset Parsing May Result
   in Unauthorized Privileges
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57573
     * Synopsis: Buffer Overflow in sendmail(1M) Ruleset Parsing May
       Result in Unauthorized Privileges
     * Category: Security
     * Product: Solaris
     * BugIDs: 4954379
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 04-Jun-2004
     * Date Closed: 04-Jun-2004
     * Date Modified:
       
1. Impact

   There is a potential buffer overflow in sendmail(1M) involving the
   parsing of rulesets which affects sendmail(1M) versions earlier than
   8.12.10. This could result in a local or remote unprivileged user
   gaining unauthorized root privileges.
   
   Note: This issue does not affect the default configuration of
   sendmail(1M).
   
   This issue is referenced in CERT Vulnerability Note VU#108964 which
   can be seen at [1]http://www.kb.cert.org/vuls/id/108964 and
   CAN-2003-0681 at
   [2]http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 7 without patch 107684-11
     * Solaris 8 without patch 110615-11
     * Solaris 9 without sendmail(1M) upgrade 8.12.10 (as delivered in
       patch 113575-05)
       
   x86 Platform
     * Solaris 7 without patch 107685-11
     * Solaris 8 without patch 110616-11
     * Solaris 9 without sendmail(1M) upgrade 8.12.10 (as delivered in
       patch 114137-04)
       
   Note: Only systems using the following non-standard rulesets are at
   risk: recipient (2), final (4), or mailer-specific envelope recipients
   rulesets.
   
   To determine which version of sendmail(1M) is running on a system, run
   the following command:
    $ /usr/bin/mconnect
    connecting to host localhost (127.0.0.1), port 25
    connection open
    220 an.example.com ESMTP Sendmail 8.9.3+Sun/8.9.3; Tue, 6 Apr 2004 14:46:17 +0100 (BST)
    help
    214-This is Sendmail version 8.9.3+Sun
    214-Topics:
    214-    HELO    EHLO    MAIL    RCPT    DATA
    214-    RSET    NOOP    QUIT    HELP    VRFY
    214-    EXPN    VERB    ETRN    DSN
    214-For more info use "HELP <topic>".
    214-To report bugs in the implementation contact Sun Microsystems
    214-Technical Support.
    214-For local information send email to Postmaster at your site.
    214 End of HELP info
    quit
    221 an.example.com closing connection

   To determine whether a system is configured with the vulnerable
   rulesets, view the "/etc/mail/sendmail.cf" file and the "*.mc"
   configuration files. The latter are normally located in
   "/usr/lib/mail/cf/" on Solaris, but this may vary depending on how
   sendmail(1M) has been set up on a system.
   
   The following indicates that sendmail(1M) has been configured with
   these rulesets:
     * Either the "*.mc" file contains:

    LOCAL_RULE_2

       or "/etc/mail/sendmail.cf" contains a line beginning:

    Srecipient=2 (version 8.10 or later) or S2 (version 8.9 and earlier)

     * "/etc/mail/sendmail.cf" or the "*.mc" file contains:

    $>2 or $>recipient

     * "/etc/mail/sendmail.cf" or the "*.mc" file contains:

    $>4 or $>final
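
   The version and ruleset checks described above, scripted as an added
   example (not part of the Sun Alert or the UNIRAS briefing). The function
   names and the sample "*.mc" content are constructed for illustration; the
   version test does not show whether a Solaris 7 or 8 patch is installed, so
   check the patch IDs listed above separately.

```shell
#!/bin/sh
# Added example, not from the advisory. Needs a POSIX grep with -E;
# on Solaris that is /usr/xpg4/bin/grep.

# banner_version LINE: pull "8.9.3" out of an SMTP 220 or 214 banner line.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*Sendmail \(version \)\{0,1\}\([0-9][0-9.]*\).*/\2/p'
}

# older_than_fix VERSION: succeed when VERSION is earlier than 8.12.10.
older_than_fix() {
    printf '%s\n' "$1" | awk -F'[.+/]' '{ exit !(($1*1000000 + $2*1000 + $3) < 8012010) }'
}

# scan_rulesets FILE: print numbered lines holding one of the advisory's
# indicators; lines starting with "dnl" (*.mc) or "#" (sendmail.cf) are skipped.
scan_rulesets() {
    grep -n '' "$1" |
    grep -Ev '^[0-9]+:[[:space:]]*(dnl([[:space:]]|$)|#)' |
    grep -E '^[0-9]+:S(recipient=)?2([^0-9]|$)|LOCAL_RULE_2|\$>(2|4)([^0-9]|$)|\$>(recipient|final)([^[:alnum:]_]|$)'
}

# Constructed sample *.mc content, not taken from a real system.
sample=${TMPDIR:-/tmp}/rulesets.$$.mc
cat > "$sample" <<'EOF'
divert(0)dnl
dnl LOCAL_RULE_2
LOCAL_RULE_0
R$* < @ $+ > $*    $: $>final $1
EOF

# Banner taken from the mconnect session shown in the advisory.
v=$(banner_version '220 an.example.com ESMTP Sendmail 8.9.3+Sun/8.9.3; Tue, 6 Apr 2004 14:46:17 +0100 (BST)')
older_than_fix "$v" && echo "sendmail $v is earlier than 8.12.10"
scan_rulesets "$sample" && echo "indicator found: compare with Contributing Factors"
rm -f "$sample"
```

   Running scan_rulesets again after the "dnl" workaround below should
   print nothing for the edited "*.mc" file.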

3. Symptoms

   There are no reliable symptoms that would indicate the described issue
   has been exploited.
   
4. Relief/Workaround

   If the system has been configured as detailed in "Contributing
   Factors", the affected lines in the "*.mc" configuration file may be
   modified. Comment out the affected lines in this file by inserting
   "dnl" at the beginning of the affected line. For example:
    dnl <rest of line goes here>

   Then generate the new "sendmail.cf" file from this revised "*.mc" file
   and copy this to "/etc/mail/sendmail.cf". Please refer to
   "/usr/lib/mail/README" for additional information on how to use the
   "*.mc" files.
   
   Once the files have been modified, restart sendmail(1M) with the
   following commands:
    # /etc/init.d/sendmail stop
    # /etc/init.d/sendmail start

   For more detailed information please see the sendmail(1M) man pages or
   [3]http://www.sendmail.org/m4/intro.html.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 7 with patch 107684-11 or later
     * Solaris 8 with patch 110615-11 or later
     * Solaris 9 with sendmail(1M) upgrade 8.12.10 (as delivered in patch
       113575-05 or later)
       
   x86 Platform
     * Solaris 7 with patch 107685-11 or later
     * Solaris 8 with patch 110616-11 or later
     * Solaris 9 with sendmail(1M) upgrade 8.12.10 (as delivered in patch
       114137-04 or later)
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.
   

   References

   1. http://www.kb.cert.org/vuls/id/108964
   2. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681
   3. http://www.sendmail.org/m4/intro.html
----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems for the
Information contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>