
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 Sun Basic Security Module (BSM) Vulnerability
                             [Sun Alert ID: 57483]

February 4, 2004 18:00 GMT                                        Number O-070
______________________________________________________________________________
PROBLEM:       Sun's Basic Security Module (BSM) tool provides additional
               security features that are not supplied in standard UNIX
               packages. Under certain configurations, it has been found that
               that the BSM audit_warn(1M) script will not e-mail any errors
               or warning messages generated by the audit daemon.
PLATFORM:      Solaris 8 and 9:  both SPARC and x86 platforms
DAMAGE:        BSM's audit-warn(1M)script may not be sending warning messages
               as expected.
SOLUTION:      Apply the appropriate Sun patch.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. BSM's audit-warn(1M)script may not be sending
ASSESSMENT:    warning messages as expected.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-070.shtml
 ORIGINAL BULLETIN:  http://sunsolve.sun.com/search/document.do?assetkey=1-26-57483-1
______________________________________________________________________________
[***** Start Sun Alert ID: 57483 *****]

Sun(sm) Alert Notification 
Sun Alert ID:57483 
Synopsis: Basic Security Module (BSM) Functionality is Impaired on Solaris 
          Systems Which Have Removed The SUNWscpu Package 
Category: Security 
Product: Solaris 
BugIDs: 4503182 
Avoidance: Patch, Upgrade 
State: Resolved 
Date Released: 03-Feb-2004 
Date Closed: 03-Feb-2004 
Date Modified: 

1. Impact 
Solaris systems with Basic Security Module (BSM) enabled which have been 
security hardened may have had the SUNWscpu package removed. If this is 
the case, the BSM audit_warn(1M) script will not e-mail any errors or 
warning messages generated by the audit daemon (auditd(1M)). 

The SUNWCscp cluster provides source compatibility support for Solaris 1.0 
(previously known as SunOS 4.X) and the SUNWscpu package contains the mail(1b)
 command which the BSM audit_warn(1M) relies on. 

2. Contributing Factors 
This issue can occur in the following releases: 

SPARC Platform 

Solaris 7 
Solaris 8 without patch 116610-01 
Solaris 9 without patch 116247-01 
x86 Platform 

Solaris 7 
Solaris 8 without patch 116611-01 
Solaris 9 without patch 116248-01 
This issue only affects BSM enabled systems which do not have the SUNWscpu 
package installed. 

To determine if a system has BSM enabled, the following line will appear in 
the "/etc/system" file: 

    $ grep c2audit /etc/system
    set c2audit:audit_load = 1  
	                                                          
To determine if the SUNWscpu package is installed on a system, the pkginfo(1) 
command will display output similar to the following: 

    $ pkginfo SUNWscpu
    system  SUNWscpu  Source Compatibility, (Usr)
                                                            
3. Symptoms 
There are no reliable symptoms that would show the described issue has 
occurred on a system. 

Solution Summary 

4. Relief/Workaround 
Sites which have removed the SUNWscpu package could edit the audit_warn(1M) 
script by hand to change all occurrences of mail(1b) to mailx(1). 

For example, change all lines which reference /usr/ucb/mail: 

    /usr/ucb/mail -s "$SUBJECT" audit_warn
To:                                                            
    /usr/bin/mailx:
      /usr/bin/mailx -s "$SUBJECT" audit_warn                                                            
5. Resolution 
This issue is addressed in the following releases: 

SPARC Platform 

Solaris 8 with patch 116610-01 or later 
Solaris 9 with patch 116247-01 or later 

x86 Platform 

Solaris 8 with patch 116611-01 or later 
Solaris 9 with patch 116248-01 or later 

Note: Sites using Solaris 7 will need to upgrade to Solaris 8 or Solaris 9 
and apply the relevant patches. 

This Sun Alert notification is being provided to you on an "AS IS" basis. 
This Sun Alert notification may contain information provided by third 
parties. The issues described in this Sun Alert notification may or may not 
impact your system(s). Sun makes no representations, warranties, or guarantees 
as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR 
IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS 
FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY 
ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE 
FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT 
ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. 
This Sun Alert notification contains Sun proprietary and confidential 
information. It is being provided to you pursuant to the provisions of your 
agreement to purchase services from Sun, or, if you do not have such an 
agreement, the Sun.com Terms of Use. This Sun Alert notification may only be 
used for the purposes contemplated by these agreements. 

Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, 
CA 95054 U.S.A. All rights reserved. 

[***** End Sun Alert ID: 57483 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems  for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-061: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
O-062: CERT Advisory Multiple H.323 Message Vulnerabilities
O-063: Red Hat Elevated Privileges Vulnerability
O-064: HP 'rwrite' Utility Vulnerability
O-065: Security Vulnerabilities in ASN.1
O-066: Cisco - Voice Product Vulnerabilities on IBM Servers
O-067: Sun Vulnerability with Loading Arbitrary Kernel Modules
CIACTech04-001: Remote Detection of the MyDoom.A Worm
O-068: Microsoft Internet Explorer Cumulative Patch
O-069: Sun kcms_server Daemon Vulnerability