DOE-CIRC TECHNICAL BULLETIN

T-154: Sun Solaris Kerberos Credential Management Security Bypass Vulnerability

June 5, 2009 15:00 GMT

PROBLEM: Solaris Kerberos is prone to a security-bypass vulnerability that affects the Kerberos credential cache management.
PLATFORM: Sun Solaris 9_x86, Sun Solaris 9, Sun Solaris 8_x86, Sun Solaris 8, Sun Solaris 10_x86, Sun Solaris 10, Sun OpenSolaris build snv_116, Sun OpenSolaris build snv_114, Sun OpenSolaris build snv_113, Sun OpenSolaris build snv_112, Sun OpenSolaris build snv_111a, Sun OpenSolaris build snv_111, Sun OpenSolaris build snv_110, Sun OpenSolaris build snv_109, Sun OpenSolaris build snv_108, Sun OpenSolaris build snv_107, Sun OpenSolaris build snv_106, Sun OpenSolaris build snv_105, Sun OpenSolaris build snv_104, Sun OpenSolaris build snv_103, Sun OpenSolaris build snv_102, Sun OpenSolaris build snv_101a, Sun OpenSolaris build snv_101, Sun OpenSolaris build snv_100
ABSTRACT: This vulnerability has been identified in Sun Solaris, which could be exploited by local attackers to bypass security restrictions. This issue is caused by an unspecified error in the Kerberos (see kerberos(5)) credential cache management, which may allow a local unprivileged user to access Kerberized mount points without authorization.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-154.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/35205
    Sun Microsystems: http://sunsolve.sun.com/search/document.do?assetkey=1-66-252787-1

IMPACT ASSESSMENT: This risk is low. An attacker can exploit this issue to perform unauthorized actions, which may lead to unauthorized access of Kerberized NFS Mount Points.

Workaround:
There is no workaround that would prevent unauthorized access to affected shares. It may therefore be desirable to modify
the share and mount options so that they no longer utilize Kerberos. This can be done by editing the dfstab(4) file on
the NFS server and removing the 'sec=' option.

Alternatively, the unshare(1) command can be used to unshare the filesystem, and the share(1) command to share the
filesystem again without specifying the 'sec=' option. The client systems could then umount(1) the filesystem and mount(1) it
again with no 'sec=' option. This will allow UNIX system permissions to safeguard against unauthorized access.

Note: As this workaround disables Kerberos for the affected NFS shares, the security of those shares may be impacted in
various ways depending on the configuration. For example, network traffic associated with those shares may no longer be
encrypted during transfer, and the access permissions will revert to those supported by the standard UNIX permissions implementation.

Solution:
Sun Solaris 9

    * Sun Solaris 9 patch 112908-34
      http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112908-34-1

Sun Solaris 9_x86

    * Sun Solaris 9 patch 115168-19
      http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-115168-19-1

Sun Solaris 10_x86

    * Sun Solaris 10 patch 140130-06
      http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-140130-06-1

Sun Solaris 8_x86

    * Sun Solaris 8 patch 140842-01
      http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-140842-01-1

Sun Solaris 8

    * Sun Solaris 8 patch 140841-01
      http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-140841-01-1

Sun Solaris 10

    * Sun Solaris 10 patch 140074-05
      http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-140074-05-1
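
Added example (not part of the original bulletin and not Sun or DOE-CIRC code): two shell helpers for triaging a host against the Workaround and Solution sections above, one listing the dfstab(4) shares that carry a Kerberos 'sec=' mode and one checking `showrev -p` output for a fix patch at the listed revision or later. Assumptions: the function names are hypothetical, /etc/dfs/dfstab is taken as the standard dfstab location, share lines are not split with backslash continuations, and an awk that supports -v is available.

```shell
#!/bin/sh
# Added triage helpers for this bulletin; not Sun or DOE-CIRC code.
# Assumption: an awk with -v support (on Solaris: nawk or /usr/xpg4/bin/awk).
AWK=${AWK:-awk}

# krb_shares: read dfstab(4) text on stdin and print the path of every share
# line whose -o list carries a Kerberos sec= mode (krb5, krb5i or krb5p).
# Modes may be colon-separated, e.g. sec=sys:krb5p.
krb_shares() {
    "$AWK" '
        NF < 2 || $1 ~ /^#/ { next }                  # blank lines, comments
        $1 != "share" && $1 !~ /\/share$/ { next }    # only share commands
        {
            opts = ""; hit = 0
            for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] !~ /^sec=/) continue
                m = split(substr(o[j], 5), mode, ":")
                for (k = 1; k <= m; k++) if (mode[k] ~ /^krb5[ip]?$/) hit = 1
            }
            if (hit) print $NF                        # pathname is the last field
        }'
}

# patch_ok BASE MINREV: read `showrev -p` output on stdin; exit 0 only if
# patch BASE is listed at revision MINREV or later. A different patch ID
# that obsoletes BASE is not recognised.
patch_ok() {
    "$AWK" -v base="$1" -v min="$2" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= min + 0) found = 1
        }
        END { exit !found }'
}

# Usage on a live host (patch IDs from the Solution list above):
#   krb_shares < /etc/dfs/dfstab
#   showrev -p | patch_ok 112908 34 || echo "Solaris 9: fix patch not installed"
```

Shares printed by `krb_shares` are the ones the workaround would apply to; `patch_ok` takes the patch base and revision for the host's platform from the list above.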

DOE-CIRC wishes to acknowledge the contributions of Anton Lundin for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788