On Fri, 14 Dec 2001, James Lick wrote:

> For the login security bug recently announced by CERT, is there any way to
> fix this currently without turning off telnet and rlogin? Much as I'd
> like to take this opportunity to force everyone to use ssh, I can't. I
> also don't have support so no t-patches for me.

I got several replies which I'd like to summarize, as not all were cc'd to the list.

1) The best solution: Sun has released patches today for this bug. Frank Pellegrino replied with the most complete list:

   111085-02 SunOS 5.8: /usr/bin/login patch
   111086-02 SunOS 5.8_x86: /usr/bin/login patch
   112300-01 SunOS 5.7: usr/bin/login Patch
   112301-01 SunOS 5.7_x86: usr/bin/login Patch
   105665-04 SunOS 5.6: /usr/bin/login patch
   105666-04 SunOS 5.6_x86: /usr/bin/login patch
   106160-02 SunOS 5.5.1: /usr/bin/login patch

   (There doesn't appear to be a 5.5.1_x86 patch.)

   Patches are available by ftp from ftp://sunsolve1.sun.com/pub/patches/

   Several others replied along the same lines, but Frank's reply was most complete.

2) Reg Quinton has written a wrapper to login which he believes will block an exploit:
   http://ist.uwaterloo.ca/~reggers/drafts/login.wrapper

3) Several people replied that I should only use ssh, even though I said this wasn't an option. Also, ssh versions have had numerous security patches in the last year, so it's not clear how much better ssh is overall. (Mark Addy did include something interesting though: his site uses a web-based ssh tool: http://tiger.towson.edu/ssh)

4) Ben Tetu-Pappas pointed out that some versions of ssh may still use login, depending on the way it is compiled or configured, so turning off telnet and rlogin might not even solve the problem. So even if you only run ssh, you should probably install the above patches anyway.

5) Several people suggested using tcp wrappers. Some seemed to imply that this alone would solve the problem, which I don't believe is true. Others suggested using this to limit exposure by only allowing in certain hosts. I already use tcp wrappers, but am unable to restrict access to certain hosts or addresses.

6) Support <support@cyberramp.net> sent me a copy of the badtrans virus in reply. I would have thought people on this list would be smart enough to at least run anti-virus software on their peecees.

Thanks for all the help!

---- James Lick ---- jlick@drivel.com ---- http://drivel.com/ ----
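An added example, not part of the original post or of Sun's tooling: a small shell helper that takes the /usr/bin/login patch list from point 1 and checks `showrev -p` output for the patch that applies to a given release and architecture, treating a later revision of the same patch ID as satisfying the requirement. The release/arch arguments, the `login_patch_status` name and the sample `showrev -p` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the /usr/bin/login
# patch listed for a Solaris release is installed, according to `showrev -p` output.

# Map release (as printed by uname -r) and arch to the patch ID and minimum
# revision from the summary above; the arch names sparc/x86/i386 are assumed.
login_patch_for() {
    case "$1/$2" in
        5.8/sparc)             echo 111085-02 ;;
        5.8/x86|5.8/i386)      echo 111086-02 ;;
        5.7/sparc)             echo 112300-01 ;;
        5.7/x86|5.7/i386)      echo 112301-01 ;;
        5.6/sparc)             echo 105665-04 ;;
        5.6/x86|5.6/i386)      echo 105666-04 ;;
        5.5.1/sparc)           echo 106160-02 ;;
        *) return 1 ;;
    esac
}

# showrev -p prints one line per patch, e.g. "Patch: 111085-03 Obsoletes: ...".
# Echo the highest installed revision of patch base ID $1 found in text $2.
installed_revision() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == id && p[2]+0 > best) best = p[2]+0 }
        END { if (best) printf "%02d\n", best }'
}

# login_patch_status RELEASE ARCH SHOWREV_OUTPUT
# Prints "ok ID-REV" if an equal or newer revision is present, else "missing ID-REV".
login_patch_status() {
    want=$(login_patch_for "$1" "$2") || { echo "no patch listed for $1/$2"; return 2; }
    base=${want%-*}; minrev=${want#*-}
    have=$(installed_revision "$base" "$3")
    if [ -n "$have" ] && [ "$have" -ge "$minrev" ]; then
        echo "ok $base-$have"
    else
        echo "missing $want"; return 1
    fi
}

# Constructed sample showrev -p output: a Solaris 8 SPARC host with revision -03 installed.
SAMPLE_SHOWREV='Patch: 108528-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 111085-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Live use on the host itself would be: login_patch_status "$(uname -r)" "$(uname -p)" "$(showrev -p)"
```

The check only confirms the patch is recorded as installed; as point 4 notes, an ssh build that still calls login needs the patch just as much as a telnet or rlogin host does.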