
Re: [cobalt-security] Open letter to SUN/Cobalt



Open letter to SUN/Cobalt.

Known vulnerabilities of Cobalt RaQs:
===========================

For ages, Qpopper 2.53, which is commonly used on all RaQs, has allowed local 
users to gain privileges via a formatting string in the From: header, which is 
processed by the euidl command.

For several months now there have been a couple of known vulnerabilities in 
ProFTPD 1.2.0rc3, which is commonly used on the RaQs. Among those exploits are 
those which allow one to root a box or to run a DoS attack (the latter 
vulnerability can be fixed with a small entry in the configuration file).

For weeks it has been known that all 2.2.X kernels below 2.2.19 can be rooted 
by local users by exploiting the ptrace() and sysctl() bugs.


As far as I understand it there are no patches available to close *any* of 
the above mentioned vulnerabilities on a RaQ3 or RaQ4 at the present time. 
The RaQ4-All-Kernel-1.0.1-2.216C24III.pkg apparently doesn't fix what it's 
supposed to fix, which members of this list just recently proved.


Question:
=======

Is it safe to assume that none of the above mentioned holes will be closed in 
the foreseeable future? 

If otherwise, it would be nice to hear which holes you are planning to close 
and it would be nice to get an estimate on when that will be done for which 
platform.


Personally I wouldn't expect someone official from Cobalt to step out in 
the open and say: "Sorry guys, it's your fault that you bought our stuff and 
now you're on your own". But somehow that seems to be the bottom line of your 
non-transparent upgrade and bugfix policy.

Especially the Qpopper and ProFTPD vulnerabilities are starting to become an 
issue these days (greetings to China) and if you (SUN/Cobalt) have no plans 
to attend to them then it would be highly impractical if not suicidal if we 
(customers, yours truly) stick to your upgrades instead of doing them 
manually from available sources (and damn the warranty).


Just my 2 cents' worth of rant for the moment. Thanks for reading.

-- 

Mit freundlichen Grüßen / Best regards

Michael Stauber