Cobalt RaQ4 Security Hardening Project (SHP)

Date: 08/08/2002



UNSUPPORTED:
NOTE THAT EFFECTIVE 31 MAY 2007 WE NO LONGER OFFER SUPPORT
FOR THIS WHITE PAPER.
Neither Sun nor the Sun website offers any support for this package.



UPDATED 08/19/2002

DO NOT INSTALL THIS PACKAGE IF YOU HAVE NOT DONE SO. It appears to create the possibility of a "Denial of Service" attack.

This package has been removed from the Sun Cobalt update website.

If you have already installed, or have had installed, this update, you should immediately disable the "Scan Detection" in "Parameters" by selecting "do nothing".

We will keep you advised of any further required or recommended resolutions or actions you should take.



UPDATED 11/21/2002

IF YOU HAVE INSTALLED THE SHP PACKAGE YOU SHOULD REMOVE IT.

Sun Cobalt has officially issued a package to remove this package. The new Sun Cobalt removal package may be found at: sunsolve.sun.com/patches/cobalt/raq4.eng.html.

As Sun writes on its site:
This patch removes the SHP package. Customers who installed SHP are advised to install this patch to remove a serious vulnerability issue. For more information please see: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377.



Original Whitepaper:

Scope: Description of package, problems to expect, workarounds, and available professional services

Abstract: This white paper describes the new Sun Cobalt "Security Hardening Project (SHP)", explains the new features, presents some issues and problems to expect during installation, and offers professional services for installation.

Sun Cobalt has announced their new "Security Hardening Project (SHP)" for the Cobalt RaQ4 architecture. Versions for the RaQ2, RaQ3, and Qube3 are expected to follow but have not yet been announced. As always, we recommend you wait until the package is officially announced through the cobalt-announce list, or on the Sun Cobalt Patches page at "www.sunsolve.sun.com/patches/cobalt" before you attempt installation; Sun Cobalt has a history of making software patches available before they're rock-solid.

SHP for the Sun Cobalt RaQ4 includes the following RPMs:

  • apache-1.3.20-RaQ4_1C3stackguard.i386.rpm
  • apache-admsrv-1.3.20-RaQ4_1C3stackguard.i386.rpm
  • apache-devel-1.3.20-RaQ4_1C3stackguard.i386.rpm
  • apache-mod_perl-1.3.20-RaQ4_1C3stackguard.i386.rpm
  • apache-openssl-1.3.20-RaQ4_1C3stackguard.i386.rpm
  • base-scandetection-misc-1.0-25.i386.rpm
  • bind-8.2.3-C5stackguard.i386.rpm
  • bind-devel-8.2.3-C5stackguard.i386.rpm
  • bind-utils-8.2.3-C5stackguard.i386.rpm
  • cobalt-locale_en-4.4-RaQ4.i386.rpm
  • fwall-kernel-1.8_2.2.16C32_III-4.i386.rpm
  • imap-4.7c2-C4stackguard.i386.rpm
  • imap-devel-4.7c2-C4stackguard.i386.rpm
  • pafmgr-1.2-2.i386.rpm
  • proftpd-1.2.4-stackguardC4.i386.rpm
  • qpopper-3.0.2-C6stackguard.i386.rpm
  • sendmail-8.10.2-C1stackguard.i386.rpm
  • sgalertd-1.0-24.i386.rpm
  • telnet-0.17-18C2stackguard.i386.rpm
  • telnet-server-0.17-18C2stackguard.i386.rpm
  • ui-3100raq-9.3-2.noarch.rpm

Additionally, Sun specifies that all prior patches be installed before you attempt this patch.

Here are some of the new features you'll get:

  • Buffer Overflow Protection: Vital network services are now compiled with StackGuard to protect against buffer overflows. More information on StackGuard may be found at "www.immunix.org".
  • Port Scan Detection: You can set user-definable parameters for the scanning frequency that triggers port-scan blocking, for the number of ports scanned that triggers port-scan blocking, and for whitelists, blacklists, and email alerts. A lockout lasts five minutes, after which the process is repeated.
  • Root Privilege Control: Many Linux daemons are set by default to run as root, and compromising one can give the attacker root access to your entire computer. The Sun Cobalt SHP uses setUID permissions to "chroot" vulnerable daemons into a "sandbox", so compromising one won't give the attacker root access, only the less privileged access of the daemon's owner.
  • New GUI: Though probably unnecessary, Sun Cobalt has replaced the entire GUI.
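As an added illustration (not code from the original whitepaper or from Sun's SHP package), here is a small detector that implements the parameters the Port Scan Detection bullet describes: a distinct-port threshold within a time window, a whitelist that is never locked out, a blacklist that is always refused, and a five-minute lockout after which detection starts over. All addresses and traffic below are constructed.

```python
from collections import defaultdict, deque

class ScanDetector:
    """Threshold-based port-scan detector with the knobs the SHP feature list names."""

    def __init__(self, port_threshold=10, window=2.0, lockout=300.0,
                 whitelist=(), blacklist=()):
        self.port_threshold = port_threshold  # distinct ports that trigger a lockout
        self.window = window                  # seconds in which ports are counted
        self.lockout = lockout                # seconds a triggering source is blocked
        self.whitelist = set(whitelist)       # never locked out (e.g. your own monitor)
        self.blacklist = set(blacklist)       # always refused
        self.history = defaultdict(deque)     # src -> deque of (ts, port)
        self.blocked_until = {}               # src -> lockout expiry timestamp
        self.alerts = []                      # (ts, src, ports) for email alerting

    def observe(self, ts, src, port):
        """Record one connection attempt from src to port; return 'allow' or 'block'."""
        if src in self.whitelist:
            return "allow"
        if src in self.blacklist:
            return "block"
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return "block"
            del self.blocked_until[src]       # lockout over: the process repeats
        hist = self.history[src]
        hist.append((ts, port))
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()                    # drop attempts outside the window
        ports = {p for _, p in hist}
        if len(ports) >= self.port_threshold:
            self.blocked_until[src] = ts + self.lockout
            self.alerts.append((ts, src, sorted(ports)))
            hist.clear()
            return "block"
        return "allow"

# Constructed sample traffic (hypothetical addresses): a scanner, a whitelisted
# monitoring host doing the same thing, a web client reconnecting to one port,
# and the scanner returning after its five-minute lockout has expired.
SCANNER, MONITOR, CLIENT = "10.0.0.5", "10.0.0.2", "10.0.0.9"
SAMPLE_EVENTS = (
    [(100.0 + 0.1 * i, SCANNER, 21 + i) for i in range(12)]
    + [(100.0 + 0.1 * i, MONITOR, 21 + i) for i in range(12)]
    + [(100.0 + 0.5 * i, CLIENT, 80) for i in range(20)]
    + [(500.0, SCANNER, 21)]
)

def replay(events, **kwargs):
    """Feed events through a detector; return verdicts per source and the alerts raised."""
    det = ScanDetector(**kwargs)
    verdicts = defaultdict(list)
    for ts, src, port in events:
        verdicts[src].append(det.observe(ts, src, port))
    return dict(verdicts), det.alerts
```

With the defaults and `MONITOR` whitelisted, the scanner is allowed nine attempts, locked out on the tenth distinct port, refused until the lockout expires, and allowed again afterwards, while the monitor and the single-port client are never blocked.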

Here are some features you should have and may need but will NOT get with the Sun Cobalt SHP:

  • SSL encryption for your RaQ, site, and user administration pages: Sun Cobalt did not see fit to force you to secure your RaQ, site, and user administration pages. You should still either purchase a Secure Site Certificate for your RaQ's main site, or create a self-signed Certificate, to ensure that your sensitive admin and root password(s) do not cross the Internet in clear text.
  • SSH software suite to replace insecure Telnet: Sun Cobalt did not see fit to remove inherently insecure Telnet from the suite of applications and replace it with Secure Shell software, which enables secure shell administration without passing your passwords and other sensitive information across the Internet in clear text.
  • LCAP to prevent attackers loading rogue Linux Kernel Modules: Linux lets you add kernel support for hardware during operation, on an as-needed basis, as a kernel module. Unfortunately hackers can load modules into your kernel that make their presence virtually invisible; even running known-good detection software might not show that your system has been compromised.
  • Logwatch: While you've got lots of logs saving lots of information about your system, you really don't know what you need to see or what any of it means. Logwatch will scan your logs for you and send you (via email) only the log lines it believes indicate cracker activity.
  • File Checking: By checking the checksums of important program files, configuration files, and directory structures, you can see whether hackers have removed, added, or compromised any of them.
  • Chkrootkit: Running chkrootkit once or more per day and emailing yourself the output can give you early warning of a successful system compromise.

Possible problems and issues:

It appears at this time that the RaQ4 packages currently on the "PkgMaster" site (pkgmaster.com/packages/raq/4) are not affected by Sun Cobalt SHP. If you determine otherwise, please let us know so we may upgrade this whitepaper.

There are some incompatibilities with the free packages available at SolarSpeed (www.solarspeed.net):

  • Bind-8.3.3 (Security upgrade) RaQ34-Bind-8.3.3.pkg: Sun Cobalt SHP will downgrade Bind to version 8.2.3.
  • University of Washington IMAP-2001a (Security fix!) RaQ34-IMAP-2001a.pkg: Sun Cobalt SHP will downgrade Imap to version 4.7c2.
  • Eudora/Qualcomm Qpopper-4.0.4 (Performance and feature upgrade) RaQ34-Qpopper-4.0.4.pkg: Sun Cobalt SHP will downgrade Qpopper to version 3.0.2 and will most likely break Qpopper because the two versions use different APOP databases.

There's also an incompatibility with the SolarSpeed Spam Filter:

  • After the installation of SHP the GUI extensions of the Spam Filter no longer work. http://<sitename>/personal will be missing the "Spam-Filter" menu entry, and the "Services" tab in the GUI will no longer have the "Parameters" link that leads to the global options of the Spam Filter.

In addition, a few problems have been reported by users, one involving a possibly non-working Chilisoft. Only a few people have had this problem, and one of them admits it may not be an SHP problem, but we recommend you be ready to reinstall the Sun Chilisoft update if Chilisoft stops working after you perform the SHP update.

Here are some resolutions:

You can reinstall Bind-8.3.3 from the SolarSpeed site after you install SHP. Doing so will re-upgrade, but you'll lose the benefit of the StackGuard compile. We don't know if the Sun Cobalt SHP upgrade has fixed the security issues in Bind 8.2.3, so we don't know if there's any advantage to upgrading again.

You can reinstall the IMAP-2001a from the SolarSpeed site after you install SHP. Doing so will re-upgrade, but you'll lose the benefit of the StackGuard compile. We don't know if the Sun Cobalt SHP upgrade has fixed the security issues in IMAP 4.7c2, so we don't know if there's any advantage to upgrading again.

You can reinstall the Qpopper-4.0.4 package, and probably should if you want APOP to work properly. However, doing so loses the benefit of the StackGuard compile.

If you had a SolarSpeed Spam Filter installed on your RaQ4 prior to installing the Sun Cobalt SHP upgrade, you should visit the SolarSpeed website and request the free update SolarSpeed is offering for that package.

Installation help:

This is a major upgrade, and we can understand why some RaQ4 administrators may not wish to do it themselves.

If that's you, here's our offer: We'll completely bring your RaQ up to date with all the Sun Cobalt official packages, install and/or reinstall any PkgMaster packages and/or free SolarSpeed packages you want installed, and test your system to assure a complete and problem-free upgrade, at a very reasonable price. If you're interested, please contact sales@nobaloney.net or call us at +1 951 643-5345. We charge US$75 for a complete upgrade and install of all the official Sun Cobalt upgrade packages, or US$100 if you also need or want any PkgMaster or SolarSpeed free packages installed. Remember, the upgrade to SolarSpeed's Spam Filter is free in any case.

Get those packages you won't get with the Sun Cobalt SHP update:

Even with the Sun Cobalt SHP update you won't get all the security you should have. So we're happy to offer you the nobaloney.net Cobalt RaQ4 Security Package, with all the packages listed above plus a special "honeypot" installation of PortSentry. Get the nobaloney.net Cobalt RaQ4 Security Package installed on your RaQ4 for only US$170.

Again, if you're interested, please contact sales@nobaloney.net or call us at +1 951 643-5345 for more information.

Acknowledgements and Copyright:

Our thanks to Michael Stauber for helping address and clear up some of the issues and questions in my mind as I prepared this whitepaper. While thanks and appreciation go to him for his much appreciated help, any errors and omissions are entirely mine.

This white paper is Copyright © 2002 nobaloney.net. You may copy it for distribution in any media as long as you copy it in its entirety, including the sections "Installation help" and "Acknowledgements and Copyright". Please contact whitepapers@nobaloney.net to notify us of any errors or inconsistencies.

Thanks.

Jeff Lasman
nobaloney.net
08/08/2002
