Sun did a pretty awesome thing this weekend. A vulnerability was reported on an OpenSolaris alias, not even the correct place to report a security vulnerability, an engineer who happened to be reading his email on the weekend saw the post, reproduced the bug in house, fixed the code, got code review, tested and integrated a fix into Nevada (aka OpenSolaris) within HOURS. On a weekend. We have folks that are on pager call for handling this type of stuff, but since this was not sent to that alias, we were so lucky that several other engineers were watching an open alias for this & responded & fixed it on their day off.
The next day, Monday, the fix was integrated into the Solaris 10 patch gate, with official T-Patches on their way, yet I'm still seeing articles like this from News.com which make it sound like we're still trying to figure it out. And gets the facts wrong (I believe the Sun rep was misquoted, but I don't know that for a fact). The article mentions that only as of last month did we start shipping with SSH enabled by default. *UGH* We've been shipping with SSH enabled by default since Solaris 9 - for YEARS now. I think what they meant was that as of last month, Solaris 10 Update 3 started shipping with ONLY SSH enabled by default. That is, telnet, rlogin, etc are all disabled by default. It was part of our huge security initiative, Secure By Default.
There are several workarounds to this problem:
- Disable telnet on your S10, S10U1 or S10U2 system
- make root a role
- Disable telnet to root for non CONSOLE logins (default, btw, since the initial release of Solaris)
Solaris 9 and earlier are not affected. This was unintentionally introduced into the Solaris 10 & Nevada code base when a major project integrated into Solaris 10.
I am mystified as to why we didn't immediately release a SunAlert with the workaround, but I know those folks were waiting for the IDRs to be available - and they are now. Official patches will be available Real Soon Now. I'll keep poking a sharp stick at folks to try to convince them to do better OFFICIAL communication, but what we've got going with OpenSolaris on the discussion aliases is very cool.
News.com and The Register kept on reporting this and leaving the reader thinking that Sun was going to sit on a fix for a while. Bah!
ReplyDeleteAlan Hargreaves also of Sun has written a detailed post about this.
WRT the sun alert. Partially mea culpa. I built the IDRs before starting to write the sun alert.
ReplyDeleteAlan.
Welcome to the club :-)
ReplyDeleteAppreciate the speedy fixes (not that we run telnet anyway on 99% of our boxes) but your work around isn't quite as complete as you suggest. Sure, it stops root access but if you can guess other accounts (and working in a University, we have students trying to guess them...) you can still get in. Admittedly, not quite as severe as a root shell but still often a good first step.
ReplyDeleteSecure by Default is long overdue but a great step at last!
Hi Darren -
ReplyDeleteYou're right - other accounts are still at risk if you don't disable the telnet daemon, but doing so is a good thing to do anyways. Now that the official patches are available, those should be applied now.
Keep in mind that the telnet *client* still works even if the daemon is disabled.
Thanks!
valerie