[NEWS] Hardening Solaris for MGC

From: support@securiteam.com
Date: 01/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 17 Jan 2002 23:04:07 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Hardening Solaris for MGC
------------------------------------------------------------------------

SUMMARY

The Media Gateway Controller (MGC) product is installed on top of the
Solaris operating system. In the default installation, Solaris has several
known security vulnerabilities. To prevent them from being exploited,
customers must install the updated packages CSCOh007 and CSCOh013. These
packages contain the latest Solaris patches and additional hardening of
the Solaris OS.

These vulnerabilities have been exploited, and PSIRT knows of a few cases
where customers' systems running SC2200 have been compromised.

DETAILS

Vulnerable systems:
 * SC2200 - All systems running Solaris 2.6 (through release 7.4(x))
 * VSC3000 - All systems running Solaris 2.6 (through release 9.1(x))
 * PGW 2200 - All systems running Solaris 2.6 (through release 9.1(x))
 * Billing and Management Server (BAMS) - All systems running Solaris 2.6
 * Voice Services Provisioning Tool (VSPT) - All systems running Solaris 2.6

The following issues are covered by this advisory:
 * Installing the latest verified patches for the Solaris OS
 * Securing the default Solaris OS installation
 * Detecting the signs of a computer compromise

Depending on the Solaris version, Cisco provides a different patch bundle.
Patches for Solaris 2.6 are provided in the package CSCOh007.pkg.

The second issue is the security of the default Solaris installation. By
default, Solaris is installed with many services. Some of these services
are known to have security issues. To minimize security exposure, it is
advisable that you disable these services using the CSCOh013.pkg package.

The provided patches and the script will not help you if the computer was
already compromised. To establish whether your computer has been
compromised, consult the document at
http://www.cert.org/security-improvement/modules/m09.html. If you are in
doubt regarding this issue you may open a case with TAC and ask for
further clarification of your results. The only way to guarantee that your
computer is not compromised is to reinstall Solaris and the application
from scratch.

Impact:
 * Solaris patches
By not installing the latest Solaris patches, the customer is exposed to
various known vulnerabilities. By exploiting these vulnerabilities, the
customer's computer can be compromised, controlled, and used for
unauthorized purposes.

 * Disabling unneeded services
By leaving unneeded services running, the customer is exposed to more
security issues than necessary. Running unneeded services also uses a
small amount of CPU unnecessarily.

Software versions and fixes
The issues are fixed with the following packages:

SC2200 - All releases up to and including 7.4(x) - MGCSOL-h007.bin and
MGCSOL-h013.bin

VSC3000 - All releases up to and including release 9.1(x) -
MGCSOL-h007.bin and MGCSOL-h013.bin

PGW 2200 - All releases up to and including release 9.1(x) -
MGCSOL-h007.bin and MGCSOL-h013.bin

Billing and Management Server (BAMS) - All systems running Solaris 2.6 -
MGCSOL-h007.bin only

Voice Services Provisioning Tool (VSPT) - All systems running Solaris 2.6
- MGCSOL-h007.bin only

To follow the software links below, you must be a registered user and you
must be logged in.

Since the vulnerabilities are in the underlying operating system, customers
do not have to change or upgrade their application. The updated packages
are MGCSOL-h007.bin (CSCOh007.pkg) and MGCSOL-h013.bin (CSCOh013.pkg).
Their version is 1.0.7.
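
An added example (not part of the Cisco advisory or its packages): a read-only check that a host has the packages this advisory requires for its product, at version 1.0.7 or later. It assumes the packages register under the instance names CSCOh007 and CSCOh013 and reads the PKGINST and VERSION fields of `pkginfo -l`; the product keys, function names and sample output are constructed.

```shell
# Added example (not Cisco code). Assumes the packages register with pkgadd as
# CSCOh007 / CSCOh013 and that `pkginfo -l` shows the advisory's version 1.0.7.
REQUIRED_VERSION="1.0.7"

# Packages required per product, from the advisory's fix list (PGW 2200 -> PGW2200).
required_pkgs() {
    case "$1" in
        SC2200|VSC3000|PGW2200) echo "CSCOh007 CSCOh013" ;;
        BAMS|VSPT)              echo "CSCOh007" ;;
        *) return 1 ;;
    esac
}

# Print the VERSION field of package $1 from `pkginfo -l` text on stdin.
pkg_version() {
    awk -v want="$1" '
        $1 == "PKGINST:" { cur = $2 }
        $1 == "VERSION:" && cur == want { print $2; exit }'
}

# Succeed when dotted version $1 >= $2, comparing field by field as numbers.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# check_host PRODUCT PKGINFO_TEXT: one status line per required package.
# Returns 0 if all are current, 1 if any is missing/outdated, 2 if unknown product.
check_host() {
    pkgs=`required_pkgs "$1"` || { echo "unknown product: $1"; return 2; }
    rc=0
    for p in $pkgs; do
        v=`printf '%s\n' "$2" | pkg_version "$p"`
        if [ -z "$v" ]; then echo "$p MISSING"; rc=1
        elif version_ge "$v" "$REQUIRED_VERSION"; then echo "$p OK $v"
        else echo "$p OUTDATED $v"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of `pkginfo -l` output (CSCOh013 deliberately outdated).
SAMPLE_PKGINFO='   PKGINST:  CSCOh007
   VERSION:  1.0.7
   PKGINST:  CSCOh013
   VERSION:  1.0.5'
check_host SC2200 "$SAMPLE_PKGINFO" || echo "host needs the updated packages"
```

On a live system, pass the real listing instead of the sample, for example the output of `pkginfo -l CSCOh007 CSCOh013 2>/dev/null`.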

Customers of the products listed above should check
http://www.cisco.com/pcgi-bin/tablebuild.pl/mgc-sol periodically for
updates that apply to the Solaris OS used in the listed products.
Instructions on the application of these Solaris packages are covered in
the Cisco MGC Software Release (7 or 9) Installation & Configuration
Guide. See the section entitled "Installing the Operating System
Software."

To make these Solaris software packages easier to find, the information
has also been linked to the Voice Software Center under each applicable
software release of the Media Gateway Controller, BAMS, and VSPT. This
information can be located at
http://www.cisco.com/public/sw-center/sw-voice.shtml.

The Release Notes for the Solaris 2.6 packages are at
http://www.cisco.com/univercd/cc/td/doc/product/access/sc/rel9/relnote/sol26rn.htm.

Obtaining fixed software:
Cisco is offering free updated packages to eliminate this vulnerability
for all affected customers.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's World Wide Web
site at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior or
existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with the upgrade, which should be free
of charge.

Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party vendors
but are unsuccessful at obtaining fixed software through their point of
sale, should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows:

 * +1 800 553 2447 (toll-free from within North America)
 * +1 408 526 7209 (toll call from anywhere in the world)
 * e-mail: tac@cisco.com

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

Workarounds:
There is no workaround. Although the user may perform all steps that are
automated in packages CSCOh007.pkg and CSCOh013.pkg, Cisco strongly
discourages that. In order to guarantee the stability of the solution
Cisco must perform regression testing. By removing a subsystem or
installing a patch, the customer may render the system unstable or
inoperative.

ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
