On the last solaris machines that I maintained we ran a firewall, ipf, on the Solaris machines themselves. Might be a possibility for those running Solaris that don't need remote X access to the machine. "Robert A . Klahn" wrote: > > Greetings: > > One thing that I have noticed missing in the media reports about this > exploit is the answer to the question "So, what should I do?" > > For a Linux system, the answer is most likely "nothing". I dont know of > any distribution that uses CDE, at least by default. Mostly, in the Linux > world, we have "moved past" CDE with Gnome and KDE. > > For other U*IXes, the answer is a little bit more complex. Solaris, AIX, > and HP/UX all use CDE, and for all recent versions, by default. > > So, what to do, for these other U*IXes? Consider if you need to run dtspcd > at all. Its purpose is to permit the running of applications on your > server, from a remote client. Useful, perhaps. Risky, clearly. How does > one turn dtspcd off? Easy, comment out this (or a similar looking line) > from /etc/inetd.conf: > > dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd > > Save the file, and restart the inetd process by sending it the SIGHUP > signal. Do a "netstat" to verify that port 6112 is not open. The actual > netstat syntax varies from U*IX to U*IX, so do a man if you are unsure. > > If you really need to be running dtspcd, you should block port 6112 at > your firewall, and if you really need to run dtspcd, you really should > have a firewall. You should also really be running dtspcd under TCP > Wrappers, or something similar, on top of blocking the port at your > firewall. If anyone is in this situation, let me know, and I can go into > more depth. But, as we are now at least two times removed from the topic > of the list (we are now talking about non-Linux systems that knowingly > want to run something so risky), I will not take up any more of your time > on the topic. > > Bob. > > On 2002.01.16 09:43 John Mosier wrote: > > > >> CERT: EXPLOIT CIRCULATING FOR CDE HOLE > >> Posted January 15, 2002 05:32 Pacific Time > >> HACKERS ARE ACTIVELY exploiting a known vulnerability in Sun > >> Microsystems Inc.'s Solaris version of the Unix operating system, > >> security experts said late Monday, urging administrators to check if > >> their system is vulnerable. > > > >> The U.S.-government funded Computer Emergency Response > >> Team/Coordination Center (CERT/CC) at Carnegie Mellon University in > >> Pittsburgh said in an advisory that it had received "credible reports" > >> of an exploit for Solaris systems. An exploit is a software tool that > >> can be used to break into computer systems and that is often used by > >> hackers. > >> The exploit takes advantage of a buffer overflow vulnerability that was > >> first discovered in March 1999. The flaw in a library function used by > >> the CDE (Common Desktop Environment) could allow an attacker to take > >> full control over the system, CERT/CC said. CDE is a graphical user > >> interface that is typically installed by default on Unix systems. > >> CDE is "a fairly widespread product on Unix platforms" and is included > >> in products from Sun Microsystems Inc., IBM Corp., Hewlett-Packard Co. > >> and Compaq Computer Corp., according to Art Manion, an Internet > >> security analyst with CERT/CC. > >> The CDE Subprocess Control Service (dtspcd) is a network daemon that > >> accepts requests from remote clients to execute commands and launch > >> programs remotely. The service does not perform adequate input > >> validation, as a result of which a malicious client could manipulate > >> data sent and cause a buffer overflow, according to CERT/CC. > > > >> CERT/CC advises administrators to check if a system is configured to > >> run dtspcd by looking for the entries "dtspc 6112/tcp" in > >> "/etc/services" and "dtspc stream tcp nowait root /usr/dt/bin/dtspcd > >> /usr/dt/bin/dtspcd" in "/etc/inetd.conf". > >> Many Unix and Linux flavors are vulnerable and many vendors have long > >> issued patches to fix the problem. Any system that does not run dtspcd > >> is not vulnerable to this problem. > >> For the full story: > >> http://www.infoworld.com/articles/hn/xml/02/01/15/020115hncert.xml?0116weam > > > > John Mosier, Excelco, Inc. NEW contact info: Free: 866 225-3605 > > > > Fax: (480) 922-6504 Voice: (480) 922-6500 > > http://www.swinfo.com http://www.excelco.com > > 8233 Via Paseo del Norte, Ste E-300, Scottsdale, AZ 85258 > > > > > > > -- > Robert A. Klahn > rklahn@acm.org > > "Hope has two beautiful daughters: Anger and Courage. Anger at the way > things are, and Courage to struggle to create things as they should be." - > St. Augustine > ________________________________________________ > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail. > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.mybutt.net > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss