—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgendes Sun Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.
6802931 – Schwachstelle im Solaris Kerberos Credential Cache
Management
Eine nicht naeher spezifizierte Schwachstelle im Solaris Kerberos
Credential Cache Management ermoeglicht einem lokalen Angreifer
unberechtigten Zugriff auf NFS Einhaengepunkte die durch Kerberos
geschuetzt werden sollten.
Betroffen sind die folgenden Software Pakete und Plattformen:
Solaris 8
Solaris 9
Solaris 10
OpenSolaris
SPARC Plattform
* Solaris 8 ohne Patch 140841-01
* Solaris 9 ohne Patch 112908-34
* Solaris 10 ohne Patch 140074-05
* OpenSolaris basierend auf build snv_01 bis snv_116
x86 Plattform
* Solaris 8 ohne Patch 140842-01
* Solaris 9 ohne Patch 115168-19
* Solaris 10 ohne Patch 140130-06
* OpenSolaris basierend auf build snv_01 bis snv_116
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
Hersteller Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-252787-1
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Detlev O. Matthies
– —
Detlev O. Matthies, M.Sc. (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
Solution Type Sun Alert
Solution 252787 : A Security Vulnerability in Solaris Kerberos
Credential Management May Lead to Unauthorized Access of Kerberized NFS
Mount Points
Related Categories
* Home>Content>Sun Alert Criteria Categories>Security
* Home>Content>Sun Alert Release Phase>Resolved
Bug ID
6802931
Product
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris
Date of Resolved Release
03-Jun-2009
SA Document Body
A Security Vulnerability in Solaris Kerberos Credential Management May Lead to
Unauthorized Access of Kerberized NFS Mount Points
1. Impact
A security vulnerability in the Solaris Kerberos (see kerberos(5))
credential cache management may allow a local unprivileged user to
access Kerberized mount points without authorization.
Sun acknowledges with thanks, Anton Lundin for bringing this issue to
our attention.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 8 without patch 140841-01
* Solaris 9 without patch 112908-34
* Solaris 10 without patch 140074-05
* OpenSolaris based upon build snv_01 through snv_116
x86 Platform
* Solaris 8 without patch 140842-01
* Solaris 9 without patch 115168-19
* Solaris 10 without patch 140130-06
* OpenSolaris based upon build snv_01 through snv_116
Notes:
1. Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to
patches developed on or after 1 April 2009 requires the purchase of the
Solaris 8 Vintage Patch Service. See note in section 5 for more
details.
2. OpenSolaris distributions may include additional bug fixes above and
beyond the build from which it was derived. The base build can be
derived as follows:
$ uname -v
snv_101
3. This issue could affect all systems utilizing Kerberized NFS mount
points as an NFS client. To determine if a system could be exposed to
this issue, the following command can be run:
$ nfsstat -m | grep sec=krb
If any data is returned, the system may be vulnerable to this issue.
3. Symptoms
This issue exists on all systems utilizing Kerberized NFS mount
points. There are no predictable symptoms that would indicate this
issue has been exploited to gain unauthorized access to Kerberized NFS
shares.
4. Workaround
There is no workaround that would prevent unauthorized access to
affected shares. It may be desirable therefore to modify the share and
mount options so that they no longer utilize Kerberos. This can be done
by editing of the dfstab(4) file on the NFS server and removing the
‘sec=’ option.
Alternatively, the unshare(1) command can be used to unshare the
filesystem, and the share(1) command to share the filesystem, not
specifying the ‘sec=’ option. The client systems could then umount(1)
the filesystem and then mount(1) with no ‘sec=’ option. This will
allow UNIX system permissions to safeguard against unauthorized
access.
Note: As this workaround disables Kerberos for the affected NFS shares,
the security of those shares may be impacted in various ways depending
on the configuration. For example, network traffic associated with
those shares may no longer be encrypted during transfer, and the access
permissions will revert to those supported by the standard UNIX
permissions implementation.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 8 with patch 140841-01 or later
* Solaris 9 with patch 112908-34 or later
* Solaris 10 with patch 140074-05 or later
* OpenSolaris based upon build snv_117 or later
x86 Platform
* Solaris 8 with patch 140842-01 or later
* Solaris 9 with patch 115168-19 or later
* Solaris 10 with patch 140130-06 or later
* OpenSolaris based upon build snv_117 or later
Note: The READMEs of Solaris 8 patches developed on or after 1 April
2009 are available to all customers. However, Solaris 8 entered EOSL
Phase 2 on April 1, 2009 and thus entitlement for these patches,
including those that fix security vulnerabilities, requires the
purchase of the Solaris 8 Vintage Patch Service. More information about
the Solaris 8 Vintage Patch Service is available at:
http://www.sun.com/service/eosl/Solaris8.html
For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
This Sun Alert notification is being provided to you on an “AS IS”
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Attachments
This solution has no attachment
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFKLOfBk0kIxZMiiQ8RAnyXAJ96akpZINA/pfjZqb+Oo/FyHdYl3wCffuwT
3hf+kbyxh8Rdr7L4+h/SbLs=
=vWBs
—–END PGP SIGNATURE—–
