TECHNICAL BULLETIN
T-261: Solaris Trusted Extensions Weakness May Let Users Gain Elevated Privileges
October 29, 2009 15:00 GMT
PROBLEM:
A vulnerability was reported in Solaris. A remote user with access to the X server may be able to gain elevated privileges on the target system.

PLATFORM:
Solaris 10 & OpenSolaris

ABSTRACT:
A remote user with access to the target X server can exploit a flaw in the Solaris Trusted Extensions Policy configuration and then leverage an additional vulnerability to gain privileges on the target server.

IMPACT ASSESSMENT:
This risk is medium. A remote user with access to the X server may be able to gain elevated privileges on the target system.
Discussion:
A security weakness in the Solaris Trusted Extensions Policy configuration may allow a remote unprivileged user who has authorized or unauthorized access to the X server to leverage an additional vulnerability, which could lead to arbitrary code execution as a local privileged or unprivileged user.
This issue is present in the following releases:
SPARC Platform
* Solaris 10 without patch 126363-08
* OpenSolaris based upon builds snv_37 through snv_125
x86 Platform
* Solaris 10 without patch 126364-08
* OpenSolaris based upon builds snv_37 through snv_125
Note 1: Solaris 8, Solaris 9 and releases of Solaris 10 prior to Solaris 10 11/06 do not include Solaris Trusted Extensions and so do not have this weakness.
Note 2: This issue only impacts Solaris 10 and OpenSolaris systems which have installed and configured Solaris Trusted Extensions. To determine if a system is configured with Trusted Extensions, the following command can be run in the global zone:
$ svcs /system/labeld
STATE          STIME    FMRI
online         10:02:34 svc:/system/labeld:default
If the state is disabled or if the labeld service is not listed, then the system is not configured to use Trusted Extensions.
Workaround:
To work around the described issue for the Xorg(1) server, the XTEST extension may be disabled by adding the following lines to the xorg.conf(4) file:
Section "Extensions"
    Option "XTEST" "disable"
EndSection
Solution:
This issue is addressed in the following releases:
SPARC Platform
* Solaris 10 with patch 126363-08 or later
* OpenSolaris based upon builds snv_126 or later
x86 Platform
* Solaris 10 with patch 126364-08 or later
* OpenSolaris based upon builds snv_126 or later
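As an added example (not part of the bulletin and not Sun's code), the following POSIX sh script applies the criteria from Note 2 and the Solution section to captured output of `svcs /system/labeld` and `showrev -p`: Trusted Extensions is configured when labeld is online, and the host is fixed when patch 126363-08 (SPARC) or 126364-08 (x86) or any later revision is installed. The function names and the sample command outputs embedded at the bottom are constructed for this example; the revision comparison generalizes to any later revision of the two patch bases.

```shell
# Added example for bulletin T-261 (not Sun's or DOE-CIRC's code): apply the
# bulletin's criteria to captured `svcs /system/labeld` and `showrev -p` output.

# te_configured: reads `svcs /system/labeld` output on stdin; succeeds only when
# the labeld instance is listed and online (Trusted Extensions configured).
te_configured() {
    awk 'NR > 1 && $3 ~ /labeld/ && $1 == "online" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# patch_rev BASE: reads `showrev -p` output on stdin and prints the highest
# installed revision of patch BASE (e.g. 126363) in decimal; nothing if absent.
patch_rev() {
    awk -v base="$1" '$1 == "Patch:" && split($2, p, "-") == 2 && p[1] == base &&
                      p[2] + 0 > best { best = p[2] + 0 }
                      END { if (best) printf "%d\n", best }'
}

# t261_status ARCH SVCS_OUTPUT SHOWREV_OUTPUT: ARCH is sparc or i386 (as from
# `uname -p`). Prints not-configured, patched or VULNERABLE per Note 2/Solution.
t261_status() {
    arch=$1 svcs_out=$2 showrev_out=$3
    if ! printf '%s\n' "$svcs_out" | te_configured; then
        echo not-configured; return 0
    fi
    case $arch in
        sparc) base=126363 ;;   # fixed by 126363-08 or later
        i386)  base=126364 ;;   # fixed by 126364-08 or later
        *)     echo "unknown platform: $arch" >&2; return 2 ;;
    esac
    rev=$(printf '%s\n' "$showrev_out" | patch_rev "$base")
    if [ -n "$rev" ] && [ "$rev" -ge 8 ]; then echo patched; else echo VULNERABLE; fi
}

# Constructed sample captures (not from real hosts) to exercise the check.
SVCS_ONLINE='STATE          STIME    FMRI
online         10:02:34 svc:/system/labeld:default'
SVCS_DISABLED='STATE          STIME    FMRI
disabled       10:02:34 svc:/system/labeld:default'
SHOWREV_OLD='Patch: 126363-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt'
SHOWREV_NEW='Patch: 100001-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 126363-10 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt'

t261_status sparc "$SVCS_ONLINE"   "$SHOWREV_OLD"   # VULNERABLE (revision 07 < 08)
t261_status sparc "$SVCS_ONLINE"   "$SHOWREV_NEW"   # patched (revision 10)
t261_status i386  "$SVCS_DISABLED" "$SHOWREV_OLD"   # not-configured
```

On a real host, feed the script `$(svcs /system/labeld 2>/dev/null)` and `$(showrev -p)` from the global zone; an empty svcs result (service not listed) is reported as not-configured, matching Note 2.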
DOE-CIRC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH.
DOE-CIRC can be contacted at:
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov
UCRL-MI-119788