From: Pete Hammes (10/22/93)
To: assist-bulletin@assist.ims.disa, 

Mail*Link¨ SMTP               ASSIST 93-28
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate: MIICozCCAgwCAQ8wDQYJKoZIhvcNAQECBQAwgYYxC
 zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzA5MDExN
 DU3NDFaFw05MzEyMTAxNDU3NDFaMIGxMQswCQYDVQQGEwJVUzErMCkGA1UEChMiR
 GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud
 GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db
 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxFDASBgNVBAMTC1Bld
 GUgSGFtbWVzMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDCgMkKVE04zogQU+Y/u
 9XDNBempvY7gQDGwnFQp8Htv1pdn/GpVQmMshXVARhspGNsBy2+oOJoxgIIZeDtF
 /MhUeyZDAoVIvi+2uagxto5eb+T/jteVqplHen6BiwPnchvKuGCyPuT0+Q7bBsJG
 prQwqTSJoZvozE7CNk1XV0J7wIBAzANBgkqhkiG9w0BAQIFAAOBgQCZ0AezFPQMJ
 NssuHMKiuq63lu9vWs5jvJ1a201z+oeUX7FkFwIRSy/RDKaLILn+v501BeoWacae
 GA3LS/13Y6zdP91J3RDDkj4fy9dlDOf0C1h9g6T3QVX1xZvAdJ/V6Ck9DYGvAWvf
 sOT8lzEQ8OfaGFgge4olbhYpCTMgId5cA==
Issuer-Certificate: MIICNTCCAZ4CAQwwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDYwODE1MDQyMFoXDTkzMDkxNjE1MDQyMFowg
 YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c
 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c
 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC
 AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD
 S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd
 Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX
 P8CAQMwDQYJKoZIhvcNAQECBQADgYEAyVsZykgjUfAv4FnMwuz4b+s16PHAHUwMg
 2lxLTMwm1TmyLSXL0g1iVRVSelXYYzBPjUx2rlG3ofYu7+xsWxs2HdBArV1dg7uF
 vkAZnAkVNU86aMcE0tq3vflzwDq8/a9mAFRpE8HJU4//+qTFgojAMOJGo83jtMuZ
 E7kwd2rjRk=
Issuer-Certificate: MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR
 DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ
 m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL
 xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK
 nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK
 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA
 AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW
 h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9
 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ==
MIC-Info: RSA-MD5,RSA,a4S2bDgdZFnhg2aCRNEul1VGL9Tq5B//6Db90TAKezj
 1LJ5roK8orfYMQwvlWMHh1dY0CJeTHMeb09AuD67HzelUhjP8ZUKjrnJJjp89+s0
 glz3QqWVhVua0LuWOgfSeLotgqkgp95JOhYyy18l5SnkNUbdrDUXcCg7abyq1Aso
 =

BEGIN ASSIST BULLETIN-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
       Automated Systems Security Incident Support Team
                                              _____
           ___   ___  _____   ___  _____     |     /
    /\    /   \ /   \   |    /   \   |       |    / Integritas
   /  \   \___  \___    |    \___    |       |   <      et
  /____\      \     \   |        \   |       |    \ Celeritas
 /      \ \___/ \___/ __|__  \___/   |       |_____
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                        Bulletin  93-28
 
        Release date: 22 October, 1993, 10:00 EDT

Subject: Security problems with SunOS "tar" and "sendmail", and system
microphone.

PROBLEM AND AFFECTED SYSTEMS:  This bulletin addresses problems with
the tar and sendmail utilities in the versions of SunOS listed below,
possible misuse of the system microphone, and recommendations for
corrections.  ASSIST strongly recommends that all DoD elements using 
any of these system(s) obtain and install all patches, and take
action to correct the microphone problem immediately.

Versions of SunOS affected by the "tar" vulnerability and
corresponding patch numbers.
   - SunOS 5.1/Solaris 2.1: patch 100975-02 
   - SunOS 5.2/Solaris 2.2: patch 101301-01
     
Versions of SunOS affected by the "sendmail" vulnerability and
corresponding patch numbers:
   - SunOS 4.1.1, 4.1.2, and 4.1.3: patch 100377-07
   - SunOS 5.1/Solaris 2.1: patch 100840-03
   - SunOS 5.2/Solaris 2.2: patch 101077-03

tar AND sendmail PROBLEM DESCRIPTIONS AND PATCH INFORMATION:
A. "tar" causes archive files produced by the Solaris 2.x tar to
contain extraneous information. The extraneous data, which can include
user id's (but not passwords), is ignored when the archive files are
restored to disk.

The patched tar produces archive files in the same format as all other
versions; but any extraneous data is set to zero. Restoring an
existing archive file to disk, and then producing a new file with the
patched tar, will result in a clean archive file with no extra
non-zero data.

A version of this patch has been prepared for the upcoming release of
Solaris 2.3, and will be available as soon as 2.3 is released. The
patch ID at that time will be 101327-01. Currently available patches
are summarized in the table below (Bug ID 1145463).

System       Patch ID    Filename         BSD         SVR4
                                         Checksum    Checksum
- ------       --------   ---------------  ---------   -----------

Solaris 2.2  101301-01  101301-01.tar.Z  22089 390    4703 779

The checksums shown above are from the BSD-based checksum
(on 4.1.x, /bin/sum;  on Solaris 2.x, /usr/ucb/sum) and from the
SVR4 version that Sun has released on Solaris 2.x (/usr/bin/sum).

B. "sendmail" creates a security hole which allows remote
users access to some files on the affected system.

A version of this patch is being prepared for the upcoming 
Solaris 2.3 release, but no patch ID is available at this time.
Currently available patches are summarized in the table below 
(1144946).


System       Patch ID    Filename         BSD         SVR4
                                         Checksum    Checksum
- ------       --------   ---------------  ---------   -----------
SunOS 4.1.x  100377-07  100377-07.tar.Z  36122 586   11735 1171
Solaris 2.1  100840-03  100840-03.tar.Z  01153 194   39753  388 
Solaris 2.2  101077-03  101077-03.tar.Z  49343 177   63311  353

The checksums shown above are from the BSD-based checksum
(on 4.1.x, /bin/sum;  on Solaris 2.x, /usr/ucb/sum) and from the
SVR4 version that Sun has released on Solaris 2.x (/usr/bin/sum).

POTENTIAL MISUSE OF /DEV/AUDIO DEVICES:  The initial permissions 
for the audio data device, /dev/audio, allow anyone to listen with
the microphone when it is turned on.  Also, the permissions for the
audio contol device, /dev/audioctl, allow anyone to vary playback
and record settings such as volume.  "Anyone", in this case, may
include include users on a remote workstation (depending, for
example, on the settings in the user's .rhosts file).  The
following information about this problem applies to both 4.1.x and 
5.x systems.

NOTE: ASSIST recommends that system microphones located in areas where
sensitive information is discussed remain off or unplugged at all
times to prevent unauthorized listening.

One way to prevent unauthorized use of the system's audio devices is
become root and change the permissions and owner of /dev/audio and
/dev/audioctl.  The owner should be the user that will use the
machine's console.  For example, to allow only the user "graff" read
and write access to the audio device and audio control device,
execute commands such as:
        
   # chmod 600 /dev/audio*
   # chown graff /dev/audio*

then check to see that the permissions resemble:

   # ls -lL /dev/audio*
   crw-------   1 graff  sys       28,  0 Jul 12 14:20 /dev/audio
   crw-------   1 graff  sys       28,128 Jul 12 14:20 /dev/audioctl

The owner and permissions for /dev/audio and /dev/audioctl will stay
the same until manually changed, so if you want a different user to
have access to the microphone you will need to use chown to change
the owner of /dev/audio and /dev/audioctl to the new user.

On SunOS 4.1.x systems, the /etc/fbtab file can be used to
automatically have the audio data device and audio control device
accessible to only the console user.  This capability does not exist
in Solaris 2.1 and 2.2; but similar functionality (see
/etc/logindevperm) has been added to the upcoming 2.3 release.

To restrict access to the audio devices using the SunOS 4.1.x
/etc/fbtab file, become root and edit /etc/fbtab, adding these lines
to the end of the file:
        
   /dev/console 0600 /dev/audio
   /dev/console 0600 /dev/audioctl

Then logout and login.  Check the permissions with ls; they should
look like this if the console user is root:
        
   # ls -lg /dev/audio*
   crw-------  1 root     daemon    69,   0 Jul 12 15:26 /dev/audio
   crw-------  1 root     daemon    69,   1 Jul 12 15:26 /dev/audioctl

If a non-root user is logged into the console the owner will be that
user and the group will be the user's default group.  When no one is
logged into the console the /etc/fbtab entry above will cause
/dev/audio and /dev/audioctl to have these permissions:

   # ls -lg /dev/audio*
   crw-------  1 root     wheel     69,   0 Jul 12 15:26 /dev/audio
   crw-------  1 root     wheel     69,   1 Jul 12 15:26 /dev/audioctl

D. How to obtain Sun security patches

Customers with Sun support contracts can obtain the patches listed
here, and all Sun security patches, from:

   - Your local Sun answer centers, worldwide
   - SunSolve Online

Please refer to the Bug ID and Patch ID when requesting patches from
Sun answer centers.

Security patches are also available without a support contract via
anonymous ftp:
   - In the US, from /systems/sun/sun-dist on ftp.uu.net
   - In Europe, from ~ftp/sun/fixes on ftp.eu.net

ASSIST is an element of the Defense Information Systems Agency
(DISA), Center for Information Systems Security (CISS), that provides
service to the entire DoD community.  If you have any questions
about ASSIST or computer security issues, contact ASSIST using one of
the methods listed below.  If you would like to be included in the
distribution list for these bulletins, send your Milnet (Internet)
e-mail address to assist-request@assist.ims.disa.mil.  Back issues
and through anonymous ftp from assist.ims.disa.mil.

ASSIST contact information: 
PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday
  through Friday.  During off duty hours, weekends, and holidays,
  ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN
  2133937.  Your page will be answered within 30 minutes, however if
  a quicker response is required, prefix your phone number with "999"
  and ASSIST will return your call within 5 minutes.
ELECTRONIC MAIL: assist@assist.ims.disa.mil.
ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".

Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key
  encryption tool, to digitally sign all bulletins that are
  distributed through e-mail.  The section of seemingly random
  characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN
  ASSIST BULLETIN" contains machine-readable digital signature
  information generated by PEM, not corrupted data.  Recipients of
  ASSIST bulletins who use PEM will be able to verify with a very high
  level of assurance that the information originated from ASSIST.  PEM
  is compatible with all e-mail implementations available on the
  Milnet, and sites not using PEM will still be able to read bulletins
  that have PEM digital signatures.  Information about PEM can be
  obtained via anonymous ftp from nic.ddn.mil (IP 192.112.36.5) in the
  /rfc directory files rfc1421.txt, rfc1422.txt, rfc1423.txt, and
  rfc1424.txt.  These files can also be downloaded from the ASSIST
  bbs.  PEM software for UNIX systems is available from Trusted
  Information Systems (TIS) at no cost, and can be obtained via
  anonymous FTP from ftp.tis.com (IP 192.94.214.100).  Note: The TIS
  software is just one of several implementations of PEM currently
  available and additional versions are likely to be offered from
  other sources in the near future.


-----END PRIVACY-ENHANCED MESSAGE-----

------------------ RFC822 Header Follows ------------------
Received: by engmail.llnl.gov with SMTP;22 Oct 1993 09:33:52 U
Return-path: pch@assist.ims.disa.MIL
Received: from icdc.llnl.gov by icdc.llnl.gov (PMDF #3384 ) id
 <01H4EPMLTFTCAW6QFZ@icdc.llnl.gov>; Fri, 22 Oct 1993 09:30:56 PDT
Received: from pierce.llnl.gov by icdc.llnl.gov (PMDF #3384 ) id
 <01H4EPM1CI40AW6QFY@icdc.llnl.gov>; Fri, 22 Oct 1993 09:30:29 PDT
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA17927; Fri,
 22 Oct 93 09:31:26 PDT
Received: from  (cheetah.llnl.gov) by pierce.llnl.gov
 (4.1/LLNL-1.18/llnl.gov-05.92) id AA17871; Fri, 22 Oct 93 09:31:17 PDT
Received: from pierce.llnl.gov by  (4.1/SMI-4.1) id AA01600; Fri,
 22 Oct 93 09:30:06 PDT
Received: by pierce.llnl.gov (4.1/LLNL-1.18/llnl.gov-05.92) id AA17849; Fri,
 22 Oct 93 09:31:10 PDT
Received: from assist.ims.disa.mil by pierce.llnl.gov
 (4.1/LLNL-1.18/llnl.gov-05.92) id AA17776; Fri, 22 Oct 93 09:30:57 PDT
Received: from shilo.ims.disa.mil by assist.ims.disa.mil (4.1/2.4) id AA04531;
 Fri, 22 Oct 93 12:29:11 EDT
Received: by shilo.ims.disa.mil (4.1/2.4) id AA16644; Fri,
 22 Oct 93 12:28:54 EDT
Date: 22 Oct 1993 12:28:39 -0400
From: Pete Hammes <pch@assist.ims.disa.MIL>
Subject: ASSIST 93-28
Resent-to: BILL_ORVIS@QUICKMAIL.llnl.GOV
To: assist-bulletin@assist.ims.disa.MIL
Resent-message-id: <01H4EPMLYSPUAW6QFZ@icdc.llnl.gov>
Message-id: <9310221628.AA16644@shilo.ims.disa.mil>
X-Envelope-to: BILL_ORVIS@QUICKMAIL.llnl.gov
X-VMS-To: IN%"assist-bulletin@assist.ims.disa.MIL"
Content-transfer-encoding: 7BIT


======================================================================