Date: Wed, 16 Jan 2002 17:15:20 GMT
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com.>
To: bugtraq@securityfocus.com
Subject: Cisco Security Advisory: Hardening of Solaris OS for MGC
Cc: psirt@cisco.com
-----BEGIN PGP SIGNED MESSAGE-----
Cisco Security Advisory: Hardening of Solaris OS for MGC
Revision 1.0
For Public Release 2002 January 16 08:00 (UTC -0800)
Summary
The Media Gateway Controller (MGC) product is installed on top of
Solaris operating system. In the default installation Solaris has
several know security vulnerabilites. In order to prevent them from
being exploited customers must install updated packages CSCOh007 and
CSCOh013. These packages contain the latest Solaris patches and
additional hardening of the Solaris OS.
These vulnerabilities have been exploited and PSIRT knows of a few
cases where customer's systems running SC2200 have been compromised.
We are investigating other products that are based on Solaris.
There is no workaround.
This advisory is available at the
http://www.cisco.com/warp/public/707/Solaris-for-MGC-pub.shtml
Affected Products
The following products are affected:
+---------------------------------+--------------------------------+
|SC2200 | All systems running Solaris 2.6|
| | (Through release 7.4(x) |
+---------------------------------+--------------------------------+
|VSC3000 | All systems running Solaris 2.6|
| | (Through release 9.1(x) |
+---------------------------------+--------------------------------+
|PGW 2200 | All systems running Solaris 2.6|
| | (Through release 9.1(x) |
+---------------------------------+--------------------------------+
|Billing and Management Server | |
|(BAMS) | All systems running Solaris 2.6|
+---------------------------------+--------------------------------+
|Voice Services Provisioning Tool | |
|(VSPT) | All systems running Solaris 2.6|
+---------------------------------+--------------------------------+
We are investigating other Solaris based products.
Details
The following issues are covered by this advisory:
* Installing the latest verified patches for the Solaris OS.
* Securing the default Solaris OS installation.
* Detecting the signs of a computer compromise.
In order to guarantee the stability of the application Cisco must
perform regression testing with all new patches installed. We evaluate
every new Solaris patch and, depending on its severity on the overall
system, new patches are provided either periodically or as soon as
testing is finished.
Depending on the Solaris version Cisco provides a different patch
bundle. Patches for Solaris 2.6 are provided in the package
CSCOh007.pkg.
The second issue is the security of the default Solaris installation.
By default, Solaris is installed with many services installed. Some of
the services are known to have security issues. In order to minimise
security exposure we strongly advise that you disable these services
using the CSCOh013.pkg package.
The provided patches and the script will not help you if the computer
was already compromised. In order to establish if your computer has
been compromised or not consult the document at
http://www.cert.org/security-improvement/modules/m09.html. If you
are in doubt regarding this issue you may open a case with TAC and ask
for further clarification of your results. The only way to guarantee
that you computer is not compromised is to reinstall Solaris and the
application from the scratch.
Impact
Solaris patches
By not installing the latest Solaris patches the customer is
exposed to various known vulnerabilities. By exploiting these
vulnerabilities, customer's computer can be compromised,
controlled and used for unauthorised purposes.
Disabling unneeded services
By leaving uneeded services running the customer is exposed to
various security issues more than necessary. Running unneeded
services also uses a small amount of CPU unnecessarily.
Software Versions and Fixes
The issues are fixed with the following packages:
+-----------------------+-----------------------+--------------------+
|SC2200 |All release up to and |MGCSOL-h007.bin and |
| |including 7.4(x) |MGCSOL-h013.bin |
+-----------------------+-----------------------+--------------------+
| |All releases up to and | |
|VSC3000 |including release |MGCSOL-h007.bin and |
| |9.1(x) |MGCSOL-h013.bin |
+-----------------------+-----------------------+--------------------+
| |All releases up to and | |
|PGW 2200 |including release |MGCSOL-h007.bin and |
| |9.1(x) |MGCSOL-h013.bin |
+-----------------------+-----------------------+--------------------+
|Billing and Management |All systems running | |
|Server (BAMS) |Solaris 2.6 |MGCSOL-h007.bin only|
+-----------------------+-----------------------+--------------------+
|Voice Services | | |
|Provisioning Tool |All systems running |MGCSOL-h007.bin only|
|(VSPT) |Solaris 2.6 | |
+-----------------------+-----------------------+--------------------+
To follow the software links below, you must be a registered user and
you must be logged in.
Since vulnerabilities are in the underlying Operating System customers
do not have to change or upgrade their application. The updated
packages are MGCSOL-h007.bin (CSCOh007.pkg) and MGCSOL-h013.bin
(CSCOh013.pkg). Their version is 1.0.7.
Customers of the products listed above should check
http://www.cisco.com/cgi-bin/tablebuild.pl/mgc-sol periodically for
updates that apply to the Solaris OS used in the listed products.
Instructions on the application of these Solaris packages are covered
in the Cisco MGC Software Release (7 or 9) Installation &
Configuration Guide. See the section entitled "Installing the
Operating System Software".
To make these Solaris software packages easier to find, the
information has also been linked to the Voice Software Center under
each applicable software release of the Media Gateway Controller, BAMS
and VSPT. This information can be located at
http://www.cisco.com/kobayashi/sw-center/sw-voice.shtml.
The Release Notes for the Solaris 2.6 packages are at
http://www.cisco.com/univercd/cc/td/doc/product/access/sc/rel9/reln
ote/sol26rn.htm
Obtaining Fixed Software
Cisco is offering free updated packages to eliminate this
vulnerability for all affected customers.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's Worldwide
Web site at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for assistance with the
upgrade, which should be free of charge.
Customers who purchased directly from Cisco but who do not hold a
Cisco service contract and customers who purchase through third party
vendors but are unsuccessful at obtaining fixed software through their
point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL
of this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
There is no workaround. Although the user may perform all steps that
are automated in packages CSCOh007.pkg and CSCOh013.pkg Cisco strongly
discourages that. In order to guarantee the stability of the solution
Cisco must perform regression testing. By removing a subsystem or
installing a patch the customer may render the system unstable or
inoperative.
Exploitation and Public Announcements
By exploiting some of known vulnerabilities in Solaris a few customers
had their computers compromised. PSIRT has no evidence that these
computers had been targeted becuase of the role they are playing.
Intrudes seems to be oblivious of the computer's real purpose.
Status of This Notice: INTERIM
This is an interim security advisory. Cisco anticipates issuing
updated versions of this notice at irregular intervals as there are
material changes in the facts, and will continue to update this notice
as necessary. The reader is warned that this notice may contain
inaccurate or incomplete information. Although Cisco cannot guarantee
the accuracy of all statements in this notice, all of the facts have
been checked to the best of our ability. Cisco anticipates issuing
monthly updates of this notice until it reaches FINAL status.
A standalone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/Solaris-for-MGC-pub.shtml. In
addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* firewalls@lists.gnac.com
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's
Worldwide Web server, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL given above for any updates.
Revision History
Revision 1.0 2002-Jan-16 08:00 GMT-0800 Initial public release
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco
security notices.
All Cisco Security Advisories are available at
http://www.cisco.com/go/psirt
_________________________________________________________________
This notice is Copyright 2002 by Cisco Systems, Inc. This notice may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.
_________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3
iQEVAwUBPEWrfw/VLJ+budTTAQF7Wwf/XeoP7+3LLHqehqCPyeAjcYq+aWaFkWL5
QCeyK3yEYeDI8AU0RS1GFK5+O52rUpcXI0Of1NPJXsVrjWKQ3s77/PRzX+m2xWyo
PPyXLdRgCUiqoiMKQdzhcEF8IdZuM7bf+WHsWIch3XVSM5Zt5v6rrDuiiNRtipoQ
GQprg0bymGMHkApE1DEZIwQH2Erb92rvdNanGrmz8j94xhzmXnXU1XjIoTzhlguu
j5LlR/uR335zONvz87eRsrmk1dni7JfxOORNAXC7ASfD3TUBxYDl47QJn64eL9/m
uHmEhpONERbq+mJ+8T/GsejqLHTgp+uBYB9PhqsvQUOyhvGsosoANw==
=UXsl
-----END PGP SIGNATURE-----
