[nsp] Cisco Security Advisory: Hardening of Solaris OS for MGC

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Jan 16 2002 - 12:12:09 EST


-----BEGIN PGP SIGNED MESSAGE-----

           Cisco Security Advisory: Hardening of Solaris OS for MGC
                                       
Revision 1.0

  For Public Release 2002 January 16 08:00 (UTC -0800)
  
Summary

   The Media Gateway Controller (MGC) product is installed on top of
   Solaris operating system. In the default installation Solaris has
   several know security vulnerabilites. In order to prevent them from
   being exploited customers must install updated packages CSCOh007 and
   CSCOh013. These packages contain the latest Solaris patches and
   additional hardening of the Solaris OS.
   
   These vulnerabilities have been exploited and PSIRT knows of a few
   cases where customer's systems running SC2200 have been compromised.
   
   We are investigating other products that are based on Solaris.
   
   There is no workaround.
   
   This advisory is available at the
   http://www.cisco.com/warp/public/707/Solaris-for-MGC-pub.shtml
   
Affected Products

   The following products are affected:

+---------------------------------+--------------------------------+
|SC2200 | All systems running Solaris 2.6|
| | (Through release 7.4(x) |
+---------------------------------+--------------------------------+
|VSC3000 | All systems running Solaris 2.6|
| | (Through release 9.1(x) |
+---------------------------------+--------------------------------+
|PGW 2200 | All systems running Solaris 2.6|
| | (Through release 9.1(x) |
+---------------------------------+--------------------------------+
|Billing and Management Server | |
|(BAMS) | All systems running Solaris 2.6|
+---------------------------------+--------------------------------+
|Voice Services Provisioning Tool | |
|(VSPT) | All systems running Solaris 2.6|
+---------------------------------+--------------------------------+
   
   We are investigating other Solaris based products.
   
Details

   The following issues are covered by this advisory:
     * Installing the latest verified patches for the Solaris OS.
     * Securing the default Solaris OS installation.
     * Detecting the signs of a computer compromise.
       
   In order to guarantee the stability of the application Cisco must
   perform regression testing with all new patches installed. We evaluate
   every new Solaris patch and, depending on its severity on the overall
   system, new patches are provided either periodically or as soon as
   testing is finished.
   
   Depending on the Solaris version Cisco provides a different patch
   bundle. Patches for Solaris 2.6 are provided in the package
   CSCOh007.pkg.
   
   The second issue is the security of the default Solaris installation.
   By default, Solaris is installed with many services installed. Some of
   the services are known to have security issues. In order to minimise
   security exposure we strongly advise that you disable these services
   using the CSCOh013.pkg package.
   
   The provided patches and the script will not help you if the computer
   was already compromised. In order to establish if your computer has
   been compromised or not consult the document at
   http://www.cert.org/security-improvement/modules/m09.html. If you
   are in doubt regarding this issue you may open a case with TAC and ask
   for further clarification of your results. The only way to guarantee
   that you computer is not compromised is to reinstall Solaris and the
   application from the scratch.
   
Impact

   Solaris patches
          By not installing the latest Solaris patches the customer is
          exposed to various known vulnerabilities. By exploiting these
          vulnerabilities, customer's computer can be compromised,
          controlled and used for unauthorised purposes.
          
   Disabling unneeded services
          By leaving uneeded services running the customer is exposed to
          various security issues more than necessary. Running unneeded
          services also uses a small amount of CPU unnecessarily.
          
Software Versions and Fixes

   The issues are fixed with the following packages:
   
+-----------------------+-----------------------+--------------------+
|SC2200 |All release up to and |MGCSOL-h007.bin and |
| |including 7.4(x) |MGCSOL-h013.bin |
+-----------------------+-----------------------+--------------------+
| |All releases up to and | |
|VSC3000 |including release |MGCSOL-h007.bin and |
| |9.1(x) |MGCSOL-h013.bin |
+-----------------------+-----------------------+--------------------+
| |All releases up to and | |
|PGW 2200 |including release |MGCSOL-h007.bin and |
| |9.1(x) |MGCSOL-h013.bin |
+-----------------------+-----------------------+--------------------+
|Billing and Management |All systems running | |
|Server (BAMS) |Solaris 2.6 |MGCSOL-h007.bin only|
+-----------------------+-----------------------+--------------------+
|Voice Services | | |
|Provisioning Tool |All systems running |MGCSOL-h007.bin only|
|(VSPT) |Solaris 2.6 | |
+-----------------------+-----------------------+--------------------+
   
   To follow the software links below, you must be a registered user and
   you must be logged in.
   
   Since vulnerabilities are in the underlying Operating System customers
   do not have to change or upgrade their application. The updated
   packages are MGCSOL-h007.bin (CSCOh007.pkg) and MGCSOL-h013.bin
   (CSCOh013.pkg). Their version is 1.0.7.
   
   Customers of the products listed above should check
   http://www.cisco.com/cgi-bin/tablebuild.pl/mgc-sol periodically for
   updates that apply to the Solaris OS used in the listed products.
   Instructions on the application of these Solaris packages are covered
   in the Cisco MGC Software Release (7 or 9) Installation &
   Configuration Guide. See the section entitled "Installing the
   Operating System Software".
   
   To make these Solaris software packages easier to find, the
   information has also been linked to the Voice Software Center under
   each applicable software release of the Media Gateway Controller, BAMS
   and VSPT. This information can be located at
   http://www.cisco.com/kobayashi/sw-center/sw-voice.shtml.
   
   The Release Notes for the Solaris 2.6 packages are at
   http://www.cisco.com/univercd/cc/td/doc/product/access/sc/rel9/reln
   ote/sol26rn.htm
   
Obtaining Fixed Software

   Cisco is offering free updated packages to eliminate this
   vulnerability for all affected customers.
   
   Customers with contracts should obtain upgraded software through their
   regular update channels. For most customers, this means that upgrades
   should be obtained through the Software Center on Cisco's Worldwide
   Web site at http://www.cisco.com.
   
   Customers whose Cisco products are provided or maintained through
   prior or existing agreement with third-party support organizations
   such as Cisco Partners, authorized resellers, or service providers
   should contact that support organization for assistance with the
   upgrade, which should be free of charge.
   
   Customers who purchased directly from Cisco but who do not hold a
   Cisco service contract and customers who purchase through third party
   vendors but are unsuccessful at obtaining fixed software through their
   point of sale should get their upgrades by contacting the Cisco
   Technical Assistance Center (TAC). TAC contacts are as follows:

     * +1 800 553 2447 (toll-free from within North America)
     * +1 408 526 7209 (toll call from anywhere in the world)
     * e-mail: tac@cisco.com
       
   Please have your product serial number available and give the URL
   of this notice as evidence of your entitlement to a free upgrade. Free
   upgrades for non-contract customers must be requested through the TAC.
   
   Please do not contact either "psirt@cisco.com" or
   "security-alert@cisco.com" for software upgrades.
   
Workarounds

   There is no workaround. Although the user may perform all steps that
   are automated in packages CSCOh007.pkg and CSCOh013.pkg Cisco strongly
   discourages that. In order to guarantee the stability of the solution
   Cisco must perform regression testing. By removing a subsystem or
   installing a patch the customer may render the system unstable or
   inoperative.
   
Exploitation and Public Announcements

   By exploiting some of known vulnerabilities in Solaris a few customers
   had their computers compromised. PSIRT has no evidence that these
   computers had been targeted becuase of the role they are playing.
   Intrudes seems to be oblivious of the computer's real purpose.
   
Status of This Notice: INTERIM

   This is an interim security advisory. Cisco anticipates issuing
   updated versions of this notice at irregular intervals as there are
   material changes in the facts, and will continue to update this notice
   as necessary. The reader is warned that this notice may contain
   inaccurate or incomplete information. Although Cisco cannot guarantee
   the accuracy of all statements in this notice, all of the facts have
   been checked to the best of our ability. Cisco anticipates issuing
   monthly updates of this notice until it reaches FINAL status.
   
   A standalone copy or paraphrase of the text of this security advisory
   that omits the distribution URL in the following section is an
   uncontrolled copy, and may lack important information or contain
   factual errors.
   
Distribution

   This notice will be posted on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/Solaris-for-MGC-pub.shtml. In
   addition to Worldwide Web posting, a text version of this notice is
   clear-signed with the Cisco PSIRT PGP key and is posted to the
   following e-mail and Usenet news recipients:

     * cust-security-announce@cisco.com
     * bugtraq@securityfocus.com
     * first-teams@first.org (includes CERT/CC)
     * cisco@spot.colorado.edu
     * comp.dcom.sys.cisco
     * firewalls@lists.gnac.com
     * Various internal Cisco mailing lists
       
   Future updates of this notice, if any, will be placed on Cisco's
   Worldwide Web server, but may or may not be actively announced on
   mailing lists or newsgroups. Users concerned about this problem are
   encouraged to check the URL given above for any updates.
   
Revision History

   Revision 1.0 2002-Jan-16 08:00 GMT-0800 Initial public release
   
Cisco Security Procedures

   Complete information on reporting security vulnerabilities in Cisco
   products, obtaining assistance with security incidents, and
   registering to receive security information from Cisco, is available
   on Cisco's Worldwide Web site at
   http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
   This includes instructions for press inquiries regarding Cisco
   security notices.
   
   All Cisco Security Advisories are available at
   http://www.cisco.com/go/psirt
     _________________________________________________________________
   
   This notice is Copyright 2002 by Cisco Systems, Inc. This notice may
   be redistributed freely after the release date given at the top of the
   text, provided that redistributed copies are complete and unmodified,
   and include all date and version information.
     _________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQEVAwUBPEWrfw/VLJ+budTTAQF7Wwf/XeoP7+3LLHqehqCPyeAjcYq+aWaFkWL5
QCeyK3yEYeDI8AU0RS1GFK5+O52rUpcXI0Of1NPJXsVrjWKQ3s77/PRzX+m2xWyo
PPyXLdRgCUiqoiMKQdzhcEF8IdZuM7bf+WHsWIch3XVSM5Zt5v6rrDuiiNRtipoQ
GQprg0bymGMHkApE1DEZIwQH2Erb92rvdNanGrmz8j94xhzmXnXU1XjIoTzhlguu
j5LlR/uR335zONvz87eRsrmk1dni7JfxOORNAXC7ASfD3TUBxYDl47QJn64eL9/m
uHmEhpONERbq+mJ+8T/GsejqLHTgp+uBYB9PhqsvQUOyhvGsosoANw==
=UXsl
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:59 EDT