Date: Sat, 15 Dec 2001 05:24:31 +0800 (CST)
From: James Lick <[email protected]>
To: [email protected], [email protected]
Subject: Sun Solaris login bug patches out
On Fri, 14 Dec 2001, James Lick wrote:
> For the login security bug recently announced by CERT, is there any way to
> fix this currently without turning off telnet and rlogin? Much as I'd
> like to take this opportunity to force everyone to use ssh, I can't. I
> also don't have support so no t-patches for me.
I got several replies which I'd like to summarize, as not all were cc'd
to the list.
1) The best solution, Sun has released patches today for this bug. Frank
Pellegrino replied with the most complete list:
111085-02 SunOS 5.8: /usr/bin/login patch
111086-02 SunOS 5.8_x86: /usr/bin/login patch
112300-01 SunOS 5.7: /usr/bin/login patch
112301-01 SunOS 5.7_x86: /usr/bin/login patch
105665-04 SunOS 5.6: /usr/bin/login patch
105666-04 SunOS 5.6_x86: /usr/bin/login patch
106160-02 SunOS 5.5.1: /usr/bin/login patch
(There doesn't appear to be a 5.5.1_x86 patch.)
Patches are available by ftp from ftp://sunsolve1.sun.com/pub/patches/
Several others replied along the same lines, but Frank's reply was most
complete.
2) Reg Quinton has written a wrapper to login which he believes will
block an exploit: http://ist.uwaterloo.ca/~reggers/drafts/login.wrapper
3) Several people replied that I should only use ssh, even though I said
this wasn't an option. Also, ssh versions have had numerous security
patches in the last year, so it's not clear how much better ssh is
overall. (Mark Addy did include something interesting though: his site
uses a web-based ssh tool: http://tiger.towson.edu/ssh)
4) Ben Tetu-Pappas pointed out that some versions of ssh may still use
login, depending on the way it is compiled or configured, so turning off
telnet and rlogin might not even solve the problem. So even if you only
run ssh, you should probably install the above patches anyway.
5) Several people suggested using tcp wrappers. Some seemed to imply that
this alone would solve the problem, which I don't believe is true. Others
suggested using this to limit exposure by only allowing in certain hosts.
I already use tcp wrappers, but am unable to restrict access to certain
hosts or addresses.
6) Support <[email protected]> sent me a copy of the badtrans virus
in reply. I would have thought people on this list would be smart enough
to at least run anti-virus software on their peecees.
Thanks for all the help!
---- James Lick ---- [email protected] ---- http://drivel.com/ ----
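Added example (not part of the message above, and not Sun's or any list member's code): a small Bourne shell script that turns items 1 and 4 into a check. It maps the Solaris release and architecture to the login patch listed above, reads `showrev -p` output to see whether that patch (at the listed revision or later) is installed, and looks for an uncommented `UseLogin yes` in an OpenSSH sshd_config, the setting that makes sshd hand interactive sessions to /usr/bin/login. The `showrev -p` text and sshd_config text embedded here are constructed samples; on a real host replace them with the output of `showrev -p`, `uname -r`, `uname -p` and the contents of /etc/ssh/sshd_config. The exact `showrev -p` line layout is assumed, as is the sshd_config directive (it applied to OpenSSH of that era; other ssh builds may differ).

```shell
#!/bin/sh
# Added example: does this Solaris host have the /usr/bin/login patch from the
# list above, and is sshd configured to run /usr/bin/login anyway?
# All sample data below is constructed for the example.

# Map "release arch" to the required login patch (base-revision) from the
# message.  Prints nothing and returns 1 where no patch is listed.
required_login_patch() {
    case "$1 $2" in
        "5.8 sparc")   echo 111085-02 ;;
        "5.8 i386")    echo 111086-02 ;;
        "5.7 sparc")   echo 112300-01 ;;
        "5.7 i386")    echo 112301-01 ;;
        "5.6 sparc")   echo 105665-04 ;;
        "5.6 i386")    echo 105666-04 ;;
        "5.5.1 sparc") echo 106160-02 ;;
        *) return 1 ;;
    esac
}

# Highest installed revision of patch base number $2, read from `showrev -p`
# text in $1 (assumed line layout: "Patch: NNNNNN-RR Obsoletes: ... ").
# Prints the revision as a plain integer, or nothing if the patch is absent.
patch_rev_installed() {
    printf '%s\n' "$1" | awk -v base="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max + 0) max = p[2]
        }
        END { if (max != "") print max + 0 }'
}

# Returns 0 if the required login patch (or a later revision) is installed,
# 1 if it is missing or too old, 2 if no patch is listed for release/arch.
login_patch_ok() {
    showrev=$1; rel=$2; arch=$3
    req=$(required_login_patch "$rel" "$arch") || return 2
    base=${req%-*}; needrev=${req#*-}
    have=$(patch_rev_installed "$showrev" "$base")
    [ -n "$have" ] && [ "$have" -ge "$needrev" ]
}

# Returns 0 if an uncommented "UseLogin yes" appears in the sshd_config text
# in $1 (keyword matched case-insensitively, as sshd does), 1 otherwise.
sshd_uses_login() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "uselogin" && tolower($2) == "yes" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed `showrev -p` sample: login patch present but at revision 01,
# i.e. older than the 111085-02 the message lists for SunOS 5.8 SPARC.
SAMPLE_SHOWREV='Patch: 108528-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 111085-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 110380-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Constructed sshd_config sample: the commented line must be ignored, the
# live "UseLogin yes" must be found.
SAMPLE_SSHD_CONFIG='# UseLogin yes
Port 22
UseLogin yes
PermitRootLogin no'

# Stand-alone run over the samples for two release/arch combinations.
for sys in "5.8 sparc" "5.5.1 i386"; do
    rel=${sys% *}; arch=${sys#* }
    if login_patch_ok "$SAMPLE_SHOWREV" "$rel" "$arch"; then
        echo "$rel $arch: login patch present"
    else
        case $? in
            2) echo "$rel $arch: no login patch listed for this release/arch" ;;
            *) echo "$rel $arch: login patch $(required_login_patch "$rel" "$arch") missing or older than required" ;;
        esac
    fi
done
if sshd_uses_login "$SAMPLE_SSHD_CONFIG"; then
    echo "sshd runs /usr/bin/login for sessions (UseLogin yes): patch login even with telnet/rlogin off"
else
    echo "sshd does not hand sessions to /usr/bin/login"
fi
```

The revision comparison matters: a host with 111085-01 installed still shows a "login patch" in `showrev -p`, but the message lists -02, so the script compares revisions rather than just looking for the base number.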