The CERT for France Industry, Services and Tertiary sector

Members area [version française]

HOME PRESENTATION RESOURCES CONTACTS FAQ SEARCH

Solaris 10 and 11 worm

Public Advisories/Alerts Cert-IST publications Useful links News - Events Printable version		Accueil | Resources | Public Advisories/Alerts | Alerts Reference: CERT-IST/AL-2007.003 Version: 1.2 Version date: 07 March 2007 Vulnerability Classification Risk: very-high Impact: Take control Confidence: Vendor-acknowledged Attack expertise: Beginner Attack requirements: Remote (no account) over a standard service System Information Affected Platform(s): Solaris systems versions 10 and 11 Impacted products Description Publication context: This alert follows the confirmation by Sun that a worm exploiting the "telnetd" daemon flaw has been detected on Internet (See the  CERT-IST/AL-2007.003  alert and the  CERT-IST/AV-2007.061  advisory). Sun provides a script to cleanup an infected system (See the "Solution" section). Problem description: A worm that spreads exploiting the vulnerability in the "telnetd" daemon on Solaris systems versions 10 and 11 has been detected on Internet. Once installed, the worm attempts to open a backdoor on the infected system. Note : Cert-IST has noticed this worm in France. Technical context: Solaris 11 is the name of the Solaris version currently under development. It can be downloaded by the subscribers of the "Solaris Express" program. Diagnostic: To check if a Solaris 10 or 11 system is infected : 1 - Execute the following command : $ ls -la /var/adm/wtmpx if the permissions are :  -rw-r--rw-  1 adm adm 1116 Feb 28 12:03 wtmpx the system may be infected. 2 - Execute the following command : $ ls -la /var/adm/sa if a directory named  .adm  is present, the system is probably infected. 3 - If the following files are present on the system, the infection is even more problable.  /var/adm/.profile /var/spool/lp/.profile  Solution 01 - Apply the Sun patches regarding the "telnetd" daemon vulnerability Sparc Intel Solaris 10 120068-02 120069-02 Sun patches http://sunsolve.sun.com/securitypatch 02 - Temporary workarounds for the vulnerability in the "telnetd" daemon The following workarounds are available to reduce exposure to the attacks : Disable the "telnetd" daemon : svcadm disable telnet Filter the port 23 on network devices close to the vulnerable Solaris servers, or on the Internet/LAN connectivity Harden the authentication of the "telnetd" daemon : inetadm -m svc:/network/telnet:default exec="/usr/sbin/in.telnetd -a user" 03 - Sun script to cleanup an infected Solaris 10 or 11 system Sun script http://blogs.sun.com/security/resource/inoculate.local Standard vulnerability IDs CVE: CVE-2007-0882 Additional Resources ARBOR Networks security advisory dated February 27, 2007 http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm Cert-IST alert CERT-IST/AL-2007.002 dated February 12, 2007 https://wws.cert-ist.com/fast-cgi/AL/Alerte.cgi?lang=eng&Format=HTML&Alias=cert-ist_al-2007_002 Cert-IST security advisory CERT-IST/AV-2007.061 dated February 13, 2007 https://wws.cert-ist.com/fast-cgi/AV/Avis.cgi?lang=eng&ref=CERT-IST/AV-2007.061 F-Secure documents regarding the "Wanuk" worm and the "Wanukdoor" Trojan http://www.f-secure.com/v-descs/worm_solaris_wanuk_a.shtml http://www.f-secure.com/v-descs/backdoor_solaris_wanukdoor_a.shtml NAI documents regarding the "Wanuk" worm and the "Wanukdoor" Trojan http://vil.nai.com/vil/content/v_141605.htm http://vil.nai.com/vil/content/v_141604.htm Sophos documents regarding the "Froot" http://www.sophos.com/security/analyses/unixfroota.html Sun information dated February 28, 2007 http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen Sun security advisory 102802 dated February 12, 2007 http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1 Symantec documents regarding the "Wanuk" worm and the "Wanukdoor" Trojan http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022810-3637-99 http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022810-0202-99 Trend Micro document regarding the "Wanuk" worm http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FWANUK%2EA History Version Comment Date 1.0 Alert creation 28 February 2007 1.1 Antivirus editors documents (NAI, Symantec, Sophos) and US-CERT security advisory 01 March 2007 1.2 F-Secure and Trend Micro documents 07 March 2007

Copyright © 1999-2008 Cert-IST | Legal Notice | Sitemap