CERT® Advisory CA-1993-15 /usr/lib/sendmail, /bin/tar, and /dev/audio VulnerabilitiesOriginal issue date: October 21, 1993
Last revised: September 19, 1997
Attached copyright statement
A complete revision history is at the end of this file.
The CERT Coordination Center has learned of several vulnerabilities affecting Sun Microsystems, Inc. (Sun) operating systems. Three separate vulnerabilities are described in this advisory. The first and third vulnerabilities affect all versions of SunOS 4.1.x and all versions of Solaris 2.x. The second affects all systems running any version of Solaris 2.x (but does not affect SunOS 4.1.x systems).
Patches can be obtained from local Sun Answer Centers worldwide as well as through anonymous FTP from the ftp.uu.net (220.127.116.11) system in the /systems/sun/sun-dist directory. In Europe, these patches are available from ftp.eu.net in the /sun/fixes directory.
Information concerning specific patches is outlined below. Please note that Sun sometimes updates patch files. If you find that the checksum is different, please contact Sun.
I. /usr/lib/sendmail Vulnerability
This vulnerability affects all versions of SunOS 4.1.x including 4.1.1, 4.1.2, 4.1.3, 4.1.3c, and all versions of Solaris 2.x including Solaris 2.1 (SunOS 5.1) and Solaris 2.2 (SunOS 5.2). Sun is preparing a version of this patch for Solaris 2.3 but no patch ID is available at this time.
This vulnerability is being actively exploited and we strongly recommend that sites take immediate and corrective action.
A vulnerability exists in /usr/lib/sendmail such that remote users may gain access to affected systems.
Unauthorized access to affected systems may occur.
II. Solaris 2.x /bin/tar Vulnerability
This vulnerability exists in all versions of Solaris 2.x including Solaris 2.1 and Solaris 2.2. Information about patches for current versions of Solaris is described below. Sun is preparing a patch for the upcoming Solaris 2.3 release. The patch ID will be 101327-01, and it will be available as soon as Solaris 2.3 is shipped.
This vulnerability does not exist in SunOS 4.1.x systems.
A security vulnerability exists in /bin/tar such that tarfiles created using this utility may incorporate portions of the /etc/passwd file.
Usernames and other information from /etc/passwd and /etc/group may be disclosed. However, since Solaris 2.x uses shadow passwords, encrypted passwords should not appear in /etc/passwd and therefore should not be disclosed by this vulnerability.
We recommend that all affected sites take the following steps to secure their systems.
III. /dev/audio Vulnerability
This vulnerability affects all Sun systems with microphones. This includes all versions of SunOS 4.1.x including 4.1.1, 4.1.2, 4.1.3, 4.1.3c, and all versions of Solaris 2.x including Solaris 2.1 (SunOS 5.1) and Solaris 2.2 (SunOS 5.2). Sun is addressing this problem in Solaris 2.3.
/dev/audio is set to a default mode of 666. There is also no indication to the user of the system that the microphone is on.
Any user with access to the system can eavesdrop on conversations held in the vicinity of the microphone.
To prevent unauthorized listening with the microphone, the permissions of the audio data device (/dev/audio) should allow only the user logged in on the console of the machine to read /dev/audio. To prevent unauthorized changes in playback and record settings, the permissions on /dev/audioctl should be similarly changed.
Any site seriously concerned about the security risks associated with the microphone should either switch off the microphone, or unplug the microphone to prevent unauthorized listening.
The CERT Coordination Center wishes to thank Paul De Bra, Department of Computing Science, Eindhoven University of Technology; David Slade of Bellcore; and Mabry Tyson of SRI for reporting these vulnerabilities, and Sun Microsystems, Inc. for their response to these problems.
This document is available from: http://www.cert.org/advisories/CA-1993-15.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1993 Carnegie Mellon University.
September 19,1997 Attached Copyright Statement