From: Subject: Solaris: statd/automountd patches Date: Wed, 14 Nov 2001 08:40:18 +0100 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_0050_01C16CE7.FD427240"; type="text/html" X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 This is a multi-part message in MIME format. ------=_NextPart_000_0050_01C16CE7.FD427240 Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Content-Location: http://ist.uwaterloo.ca/security/howto/1999-06-23.html Solaris: statd/automountd patches

Solaris: statd/automountd patches

Information Systems and Technology
University of Waterloo=20
24-Jun-1999

 3D[IST]=20

Synopsis

Statd and automountd are Remote Procedure Call (RPC) = services used=20 by Network File System (NFS) clients and servers. Statd maintains = state=20 information for file locks, automountd manages automatic NFS file = mounts. Both=20 services, if they are enabled, run as user root.=20

Sun Microsystems issued Security=20 Bulletin 186 on June 7, 1999 noting a security exposure with statd = on some=20 Solaris versions. CERT Ad= visory=20 CA-99-05 issued June 9, 1999 notes the security exposure with the = statd=20 and automountd services found in some versions of Solaris. Sun and the = CERT=20 urge all affected sites to patch their systems as soon as is practical = to=20 close the exposure.=20

On systems that do not use NFS services we encourage you to = disable the=20 services. On all systems, we encourage you to apply the = patches.=20 At this time the xhier system at UW includes no automatic methods for = handling=20 this security exposure -- each system manager will need to patch their = systems.

Disabling the Services

A quick fix, if you don't require the services, is to shut = them=20 down and not have them started again. That's a prudent strategy = independent of=20 any known bugs -- a good security guideline is to disable all network = services=20 that aren't required. You may be surprised to learn you can use the = NFS=20 without having any of the statd, lockd and automountd services = running.=20

  1. The statd service is only required if your system is an NFS = server or a=20 client. A client system uses NFS to mount file systems across the = network=20 from an NFS server. We are aware of several sites at UW using NFS = (but many=20 are vulnerable who never use NFS). To find and disable the statd = service=20 (don't do this unless you're sure you don't need or supply any NFS=20 services):=20 
    [3:09pm xsv] cd /etc/rc2.d
[3:12pm xsv] grep statd *
S73nfs.client:       if [ -x /usr/lib/nfs/statd -a -x /usr/lib/nfs/lockd =
]
S73nfs.client:               /usr/lib/nfs/statd > /dev/console =
2>&1
S73nfs.client:       killproc statd
[3:13pm xsv] ssuw
Enter PASSCODE:=20
PASSCODE Accepted
[3:13pm xsv]# ./S73nfs.client stop
[3:13pm xsv]# mv S73nfs.client NO.S73nfs.client

    It's not obvious, but we can confirm, an NFS file server must = have the=20 S73nfs.client subsystem -- it's required to manage file locks = for=20 client systems. The startup file is not well named.=20

    Stopping the S73nfs.client subsystem will stop the lockd = and statd=20 daemons (they're two parts of the same system to manage NFS file = locks) and=20 will unmount any nfs or cachefs file systems currently mounted = (cachefs are=20 NFS files with local cacheing).=20

    Renaming the S73nfs.client startup file with a NO = prefix=20 will make sure the subsystem isn't started at next reboot.=20

  2. The automountd service is only required if your system uses NFS = to=20 automatically mount file systems -- that involves using NIS+ to = maintain=20 mount tables. We're not aware of any sites using the automatic file = system.=20 To find and disable the automountd service (don't do this unless = you're sure=20 you don't have any autofs file systems):=20 
    [3:09pm xsv] cd /etc/rc2.d
[3:14pm xsv] grep automountd *
S74autofs:   /usr/lib/autofs/automountd \
[3:13pm xsv]# ./S74autofs stop
[3:13pm xsv]# mv S74autofs NO.S74autofs

    Stopping the S74autofs subsystem will kill the running = automountd=20 daemon and unmount any autofs file systems currently mounted (those = are NFS=20 file mounts managed on an as needed basis).=20

    Renaming the S74autofs startup file with a NO = prefix will=20 make sure the subsystem isn't started at next reboot. =

If your=20 Solaris system requires or provides NFS file services then shutting = down those=20 services is not an option -- you'll need to apply patches as soon as = possible.=20 Until such time as the patches are applied you run a risk that your = system may=20 be compromised.=20

Systems which don't need the services can disable them and apply = the=20 patches at their leisure -- make sure the patches to get applied as = you may=20 require the services at some later time.

Where to find Patches

Vendor patches for the statd vulnerablity in SunOS 5.6 and=20 previous versions (SunOS 5.7 is not vulnerable) are available as = compressed=20 Unix tar files found at:=20

Patch=20 OS Version=20 Size=20 Patch=20 OS Version=20 Size=20
106592-02= =20 SunOS 5.6=20 110Kb=20 106593-02= =20 SunOS 5.6_x86=20 110Kb=20
104166-04= =20 SunOS 5.5.1=20 109Kb=20 104167-04= =20 SunOS 5.5.1_x86=20 107Kb=20
103468-04= =20 SunOS 5.5=20 108Kb=20 103469-05= =20 SunOS 5.5_x86=20 107Kb=20
102769-07= =20 SunOS 5.4=20 97Kb=20 102770-07= =20 SunOS 5.4_x86 96Kb=20
102932-05= =20 SunOS 5.3 94Kb

Vendor patches for the automountd vulnerablity in SunOS 5.5.1 and = previous=20 versions (SunOS 5.6 and 5.7 are not vulnerable) are available as = compressed=20 Unix tar files found at:=20

Patch=20 OS Version=20 Size=20 Patch=20 OS Version=20 Size=20
104654-05= =20 SunOS 5.5.1=20 162Kb=20 104655-05= =20 SunOS 5.5.1_x86=20 155Kb=20
103187-43= =20 SunOS 5.5=20 3237Kb=20 103188-43= =20 SunOS 5.5_x86=20 2927Kb=20
101945-61= =20 SunOS 5.4=20 10940Kb=20 101946-54= =20 SunOS 5.4_x86=20 5557KB=20
101318-92= =20 SunOS 5.3=20 11303Kb

Sun makes all of their patches available for anonymous ftp at ftp://sunsolve.sun.com/pub/p= atches/.=20 The home page for Sun support is at SunSolve -- you'll find security = bulletins, patches and much more.

Applying a Patch

Patching a system with the vendor supplied patches is not = that=20 difficult. You have to get a copy of the patch, unpack it, find the=20 instructions, read and follow them.=20
  1. First, determine your SunOS version using the uname(1) = command.=20 For example:=20 
    [9:15am xsv] uname -a
SunOS xsv 5.6 Generic sun4m sparc SUNW,SPARCstation-4
    The system in the example is SunOS 5.6 and = should=20 have the statd patch 106592-02 applied. Other systems might = need to=20 have the automountd patch applied as well.=20

  2. Verify if the required patches are already installed.=20 
    [2:22pm xsv]# showrev -p | grep 106592-02
    The showrev -p command will show all applied=20 patches, the grep(1) is to filter out a particular patch.=20

    Caution: if patch 106592-01 is applied you still need to apply = 106592-02;=20 if patch 106592-03 is applied (there is none by that number at this = writing)=20 then 106592-02 need not be applied. Patches have "major" and "minor" = numbers.=20

  3. Get the patches that you require from the vendor (you can chase = the=20 URL's in the tables above to retrieve the data) and unpack each = compressed=20 tar file:=20 
    [2:34pm xsv] ls -l 106592-02.tar.Z
 240 -rw-r-----   1 reggers  other     112917 Jun 23 14:20 =
106592-02.tar.Z
[2:35pm xsv] zcat 106592-02.tar.Z | tar xvf -
x 106592-02, 0 bytes, 0 tape blocks
x 106592-02/installpatch, 119436 bytes, 234 tape blocks
x 106592-02/backoutpatch, 54268 bytes, 106 tape blocks
 ...etc
[2:35pm xsv] ls -ld 106* 
   2 drwxr-x--x   3 reggers  other        512 Jun  1 16:22 106592-02/
 240 -rw-r-----   1 reggers  other     112917 Jun 23 14:20 =
106592-02.tar.Z
[2:36pm xsv] rm 106592-02.tar.Z

    You should remove the patch directory after you've applied the = patch.=20 There's no need to save the compressed tar file or the unpacked = patch after=20 you've applied the patch.=20

  4. Browse the patch kit you've retrieved and find the installation=20 instructions:=20 
    [2:36pm xsv] cd 106592-02
[2:38pm xsv] ls -la
total 442
   2 drwxr-x--x   3 reggers  other        512 Jun  1 16:22 ./
   8 drwxr-x--x  57 reggers  none        3584 Jun 23 14:36 ../
   2 -rwxr-x--x   1 reggers  other         80 Jun  1 16:22 .diPatch*
 106 -rwxr-x--x   1 reggers  other      54268 Jun  1 16:22 backoutpatch*
  62 -rwxr-x--x   1 reggers  other      31573 Jun  1 16:22 Install.info*
 256 -rwxr-x--x   1 reggers  other     119436 Jun  1 16:22 installpatch*
   4 -rw-r-----   1 reggers  other       1151 Jun  1 16:22 =
README.106592-02
   2 drwxr-x--x   4 reggers  other        512 Jun  1 16:22 SUNWcsu/
[2:39pm xsv] page Install.info
 ...etc
Instructions for installing a patch using "installpatch"
--------------------------------------------------

    1. Become super-user.

    2. Apply the patch by typing:

       <dir>installpatch <patch-dir>

       where <dir> is the directory containing installpatch, and
       <patch-dir> is the directory containing the patch itself.

    Example:

       # cd /tmp_patchdir/123456-01
       # ./installpatch .
 ...etc

  5. Follow the vendor's instructions to install the patch=20 
    [2:44pm xsv] ssuw
Enter PASSCODE:=20
PASSCODE Accepted
[2:44pm xsv]# ./installpatch .

WARNING: /usr/sbin/patchadd is being used to install this patch.
Installpatch will be removed from Solaris patches in
the next release of Solaris.
 ...etc
    The kit will not attempt to apply the patch unless it = has=20 enough space to do so.

Systems which are using NFS services may require a reboot. They = would=20 certainly require that the affected subsystems be stopped and started. =

Cautions and Observations

24-Jun-1999; Reg Quinton=20
------=_NextPart_000_0050_01C16CE7.FD427240 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://ist.uwaterloo.ca/ISTlogo.gif R0lGODlhYABfALMAAP///wAAAJ2dnYAGHPDm6F1dXSwsLNK3vKJJWkZGRv7+/saQmrNreIKCgpIq PeHM0CH5BAEAAAAALAAAAABgAF8AAAT+EMhJq7046827/2AojmRpnmiqrmzrvuZxbAoB3yAzT8ww MJPHAOHY4Y4SI2AxUCQHB6ZzCR0ikUKGDXCASoSL3rQHcAAzhMP2SmIOtorfhFnkaQcLjcMhZ48I CE0TCGcbBGsXe10Pfh0EOhMEPkonj10OD4iNFwd7A4wSCwdTKZKieJsbCAt7DqQuXT6gCpSpAAoO C4SaLWmgAEK/jWu4XpsMDo+8OIF5Eq9sTg5EdVcKrM22EmY+DNDMA8nI32wPZsJHgEXhBOTat3vL KQqBMgju2g9drDfF6O8UOmHDh4LAAoLvEARyoaAQQA7XaqFghfDhhUcM/oWQhMrih2v+PpyZIMDH oUcNgfZU9HBA40kLZm693KQPxQMG3jIcaMCTp4cHDwQIHSpgCwGiSJMOlXgCFx8EGQQEmBrAgKEC BqhqnbpD6tavXwtguKlFhBBaDqJuzaCgAditOw68nRtArIU4Q6BuDBcTg9epVi8oSECXatfCYO1W MCVFxIFV+P5WxVAAMdcklrcqrpAr3EoRAgyINpDgguTCcUUnUJ1V62rSohtgeLTA5QVR8kQQaE21 AFMNbqkGhkHkUwq5WmWPCA4YRycfuU4wn/rZwvThH/SJ3BDl8W8JAlav3iyhcu8S10HgDQdLK/by WsmDSA9ClLncJCS/B2B+qvwP9H3+cAAyxqygn3Xu4QeceyHQYdwGQoTEwYEVnNZAdRQECMIDCnHQ BU7fgcfgYl8ZUFQIGjriQx8aCKTGhCNW0N9WBhRwIgcpdoBbBz1MAqNwF/E2l4345OgCUAoCQKEF u2XWwDJGarMkk9PRZQAvUWpwyAtTXhQeYldWkGUG65g0G5IexmjITqu9pdwEXXJAEgNEbMDHitv5 peYHRwlJXYZ7yllSWijhtEBtPzZHwmBbCQAokCHgVBMLcYJAgGaPKupRpSDMWNoEY27CKYBqhtrI qB5MaaofqHag4ao2VdQqB55mOlkID2D4WJ6cbJUkW1u9CQCsc5hR3T4IKRBsCTP+BqDErIv15cEh tlFAWHzV3nWAnwG8QuwzW76A3FfKKcAabOi6KWagDzXr3zOZJbgupC8xiikAl8Z72byaspGkAs3a pWy8Bmi06iMotERIBwdcW5cE+SKWgADurLqPCXixku0EtAiwgwJKIZUrhEjJqU+BIxSxh5kzwbTi gyMUg0nLNGgn7QgMHEQzWxTgEmJ29+xMwS5BqBCLzjs35AMCvwoYThZCd/EIOytcQ09HNEuyBxMb R4r1zo/lnEwvOxiURyYPDbgGMk2TEMgPN6eCDB9tV4JHLHWrAAcUwfg7Dd1yuyJBOGz7MXUt7Rxx Mb5EN0LLBcgskLfXk18x9Q94lWNACyhaC91D4aV44sxjmePQOQtMAFCn0KEUiI1tq0MchRVUsMLy TBR98UNjSzROhC42aN2DDdeYUbotHwZiw4c4SfB5R9OYwnoH9CjifBNrDwBAH2KsMv20I+M7RB9S 9PUA0t//IUMkB6Gd/vvwxy///PTXz0EEADs= ------=_NextPart_000_0050_01C16CE7.FD427240 Content-Type: image/jpeg Content-Transfer-Encoding: base64 Content-Location: http://ist.uwaterloo.ca/security/howto/images/back.jpg /9j/4AAQSkZJRgABAgEASABIAAD/7QG4UGhvdG9zaG9wIDMuMAA4QklNA+kAAAAAAHgAAwAAAEgA SAAAAAAC2gIo/+H/4gL5AkYDRwUoA/wAAgAAAEgASAAAAAAC2gIoAAEAAABkAAAAAQABAQEAAAAB Jw8AAQABAAAAAAAAAAAAAAAAAAIAGQGQAAAAAABAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAA4 QklNA+0AAAAAABAASAAAAAEAAQBIAAAAAQABOEJJTQPzAAAAAAAIAAAAAAAAAAA4QklNJxAAAAAA AAoAAQAAAAAAAAACOEJJTQP1AAAAAABIAC9mZgABAGxmZgAGAAAAAAABAC9mZgABAKGZmgAGAAAA AAABADIAAAABAFoAAAAGAAAAAAABADUAAAABAC0AAAAGAAAAAAABOEJJTQP4AAAAAABwAAD///// ////////////////////////A+gAAAAA/////////////////////////////wPoAAAAAP////// //////////////////////8D6AAAAAD/////////////////////////////A+gAADhCSU0EBgAA AAAAAgAC/+4ADkFkb2JlAGSAAAAAAf/bAIQADAgICAkIDAkJDBELCgsRFQ8MDA8VGBMTFRMTGBEM DAwMDAwRDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAENCwsNDg0QDg4QFA4ODhQUDg4ODhQR DAwMDAwREQwMDAwMDBEMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM/8AAEQgAYABgAwEiAAIR AQMRAf/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIEBQYHCAkKCwEAAQUBAQEBAQEAAAAAAAAAAQAC AwQFBgcICQoLEAABBAEDAgQCBQcGCAUDDDMBAAIRAwQhEjEFQVFhEyJxgTIGFJGhsUIjJBVSwWIz NHKC0UMHJZJT8OHxY3M1FqKygyZEk1RkRcKjdDYX0lXiZfKzhMPTdePzRieUpIW0lcTU5PSltcXV 5fVWZnaGlqa2xtbm9jdHV2d3h5ent8fX5/cRAAICAQIEBAMEBQYHBwYFNQEAAhEDITESBEFRYXEi EwUygZEUobFCI8FS0fAzJGLhcoKSQ1MVY3M08SUGFqKygwcmNcLSRJNUoxdkRVU2dGXi8rOEw9N1 4/NGlKSFtJXE1OT0pbXF1eX1VmZ2hpamtsbW5vYnN0dXZ3eHl6e3x//dAAQABv/aAAwDAQACEQMR AD8A9GHtHKbcToFKQmn5BFSwlS8p1TaKQLQElLFgTe3hJz5UNZSUkcdICZo8U0kJCSkpnP7o+aGT rqiF2kKOwclJSzXaqTgCowJTgT3SU//Q9FAcE+3u5Rc4ypAyNSipQMmAE5b4mEwIHCkAOTqUlMDH ASACRBJ0TQQUlMnN00TNHjwn3GIT699ElK3DwTF274JbR3PyShJSgB2GiRmNE4BPJ0UiQElP/9H0 QCU5GibcVMERqipgCZRI8SogDnukZnQJKZEho05UdeSmg904geZSUrhNukqYb4qLi1qSlvhqniOT qnDhGiiG6yUlMtY0US091MEnRo+ag+Qkp//S9GO3gJASkPIJ4J0CKlSBwmk/BLYZklOGg8lJSwPh qnBhMSQYCcDTXRJSxeeygZKmSANAo6JKUAQlOvKm0AhRLDKSmQPYapbZ1KW6BCYvJ0SU/wD/0/Rw AdJUpa1QGvCRb4mEVLPdPCZpSjXRSASUtu8FJuupUHAgqTYiSUlLu93CiWQFOWhR55OiSlhITgHu lpymJKSlyG90vhoEhPhqlEauPySU/wD/1PRwY0ak4QOZKZvkJKltJ5RUj1TsKk4gaBRhJS5IJ4SM p5ACaZSUrb4n5JAeSbvpqpapKXAJ1KTiAmc48BQM90lLh5lORPKiG90jokp//9k= ------=_NextPart_000_0050_01C16CE7.FD427240--