To: uniras@niscc.gov.uk
Subject: UNIRAS Brief - 552/03 - Two CIAC Security Advisories

----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 552/03 dated 03.10.03 Time: 10:10
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Two CIAC Security Advisories:

1. Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
2. OpenSSH Buffer Management Error.

Detail
======

1. May be possible to overwrite or create any file on a Solaris 8 system due to
   a security issue with aspppls(1M).

2. OpenSSH has announced an upgrade that fixes a buffer management error. When a
   function that expands the size of a buffer detects that the new size will be
   greater than 10Meg it generates a fatal error.

1.

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability (CIAC)
__________________________________________________________

INFORMATION BULLETIN

Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
[Sun Alert ID: 46903]

October 2, 2003 17:00 GMT                                        Number O-001
______________________________________________________________________________
PROBLEM:       May be possible to overwrite or create any file on a Solaris 8
               system due to a security issue with aspppls(1M).
PLATFORM:      SPARC Solaris 8, INTEL Solaris 8
               (Note: Solaris 2.5.1, 2.6, 7, & 9 are not affected by this
               issue.)
DAMAGE:        An unprivileged local user may gain unauthorized root
               privileges.
SOLUTION:      Apply the upgrades or use the available workarounds.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. It is possible for an attacker to gain
ASSESSMENT:    unauthorized root privileges.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-001.shtml
 ORIGINAL BULLETIN:  http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46903&zone_32=category%3Asecurity
______________________________________________________________________________

2.

CIAC Bulletin N-151 has been updated to now include an additional link to the
Sun Alert ID: 56861 announcing they have released updated packages for
Solaris 9.

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability (CIAC)
__________________________________________________________

INFORMATION BULLETIN

OpenSSH Buffer Management Error

September 17, 2003 17:00 GMT                                     Number N-151
[REVISED 22 Sept 2003]
[REVISED 23 Sept 2003]
[REVISED 1 Oct 2003]
[REVISED 2 Oct 2003]
______________________________________________________________________________
PROBLEM:       OpenSSH has announced an upgrade that fixes a buffer management
               error. When a function that expands the size of a buffer
               detects that the new size will be greater than 10Meg it
               generates a fatal error. When the error is generated, the
               function incorrectly sets the size of the allocated buffer to a
               value larger than the actual allocation. The fatal error
               processing routines will then attempt to deallocate more memory
               than was allocated.
PLATFORM:      All systems using versions of OpenSSH earlier than 3.7
               Hewlett Packard HP-UX B.11.00, B.11.11, B.11.22 only with the
               T1471AA HP-UX Secure Shell product installed.
               Mac OS X versions prior to 10.2.8
               IRIX 6.5.22
               SPARC Solaris 9
               x86 Solaris 9
DAMAGE:        Could possibly cause a system to crash.
SOLUTION:      Upgrade to version 3.7.1. Download and install the appropriate
               files from the appropriate vendor.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. There are no known exploits. We believe it is
ASSESSMENT:    unlikely that this problem can be exploited. If it can be
               exploited, it might be possible to crash a system that does not
               use protected memory (Windows 95, 98, ME). On systems with
               protected memory (UNIX, Linux, Windows NT, 2000, XP) you might
               be able to crash ssh but it is already shutting down because of
               the fatal error.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-151.shtml
 ORIGINAL BULLETIN:  http://www.openssh.com/txt/buffer.adv
 ADDITIONAL LINKS:   http://www.cert.org/advisories/CA-2003-24.html
                     https://rhn.redhat.com/errata/RHSA-2003-279.html
                     http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml
                     Visit HEWLETT PACKARD Subscription Service for:
                     HPSBUX0309-282 (SSRT3629)
                     Apple Security Advisory - Mac OS X 10.2.8
                     (APPLE-SA-2003-09-22)
                     http://net-security.org/advisory.php?id=2546
                     http://docs.info.apple.com/article.html?artnum=61798
                     SGI Security Advisory 20030904-01-P
                     http://www.sgi.com/support/security/advisories.html
                     Sun Alert ID: 56861
                     http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity
______________________________________________________________________________

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

uniras@niscc.gov.uk

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions
of CIAC for the information contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors or
omissions contained within this briefing notice. In particular, they shall not
be liable for any loss or damage whatsoever, arising from or in connection with
the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
----------------------------------------------------------------------------------
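
The ordering error described in the PROBLEM field of bulletin N-151 above (the recorded buffer size is raised before the 10Meg limit check, so cleanup on the fatal path works from a size larger than the allocation), modelled beside the corrected ordering. This is an added illustration, not OpenSSH source and not part of the CIAC or UNIRAS text; the struct, the function names, the demo-only `real` field and the 32768-byte slack are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAX   0xa00000u /* the 10Meg limit named in the bulletin */
#define BUF_SLACK 32768u    /* extra growth per expansion; assumed value */
/* Hypothetical buffer model. `real` is demo-only bookkeeping of what the
 * allocator actually returned, so the mismatch can be measured safely. */
struct buffer { unsigned char *buf; size_t alloc, real; };

/* Flawed ordering: the recorded size is raised before the limit check, so
 * the fatal path leaves `alloc` larger than the real allocation. */
static int grow_flawed(struct buffer *b, size_t len) {
    b->alloc += len + BUF_SLACK;
    if (b->alloc > BUF_MAX) return -1;   /* stands in for the fatal error */
    unsigned char *p = realloc(b->buf, b->alloc);
    if (!p) return -1;
    b->buf = p; b->real = b->alloc;
    return 0;
}

/* Corrected ordering: size the request in a local, check it, reallocate,
 * and only then commit the new size to the structure. */
static int grow_fixed(struct buffer *b, size_t len) {
    if (len > BUF_MAX - BUF_SLACK) return -1;   /* also blocks wraparound */
    size_t newlen = b->alloc + len + BUF_SLACK;
    if (newlen > BUF_MAX) return -1;
    unsigned char *p = realloc(b->buf, newlen);
    if (!p) return -1;
    b->buf = p; b->alloc = b->real = newlen;
    return 0;
}

/* One expansion followed by wipe-and-free cleanup. Returns how many bytes
 * past the real allocation a wipe of `alloc` bytes would cover; the memset
 * is clamped to `real` so the demo itself never touches bad memory. */
static size_t cleanup_overrun(int fixed, size_t initial, size_t request) {
    struct buffer b = { malloc(initial), initial, initial };
    if (!b.buf) return 0;
    (void)(fixed ? grow_fixed(&b, request) : grow_flawed(&b, request));
    size_t over = b.alloc > b.real ? b.alloc - b.real : 0;
    memset(b.buf, 0, b.real);
    free(b.buf);
    return over;
}

int main(void) {
    printf("flawed: %zu bytes past allocation\n", cleanup_overrun(0, 4096, BUF_MAX));
    printf("fixed:  %zu bytes past allocation\n", cleanup_overrun(1, 4096, BUF_MAX));
    return 0;
}
```

With the flawed ordering an oversized request leaves the recorded size ahead of the allocation by the full request plus slack; with the corrected ordering the two sizes never diverge, so cleanup after a fatal error stays within the buffer.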