—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgendes Sun Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.
Sun Bug ID 6880209 – Schwachstelle in der Sun Virtual Infrastructure
Eine nicht naeher beschriebene Schwachstelle im
Authentifizierungsmechanismus der Sun Virtual Infrastructure (VDI) 3.0
erlaubt es entfernten Angreifern, Zugang zum Web-Interface von
VirtualBox zu erlangen. Dies kann weitere Angriffe ermoeglichen.
Betroffen sind die folgenden Software Pakete und Plattformen:
Sun Virtual Desktop Infrastructure (VDI) Software 3.0
SPARC Plattform
* Sun VDI Software 3.0 (fuer Solaris 10) ohne Patch 141481-03 und
mit VirtualBox 2.0.8 oder 2.0.10
x86 Plattform
* Sun VDI Software 3.0 (fuer Solaris 10) ohne Patch 141482-03 und
mit VirtualBox 2.0.8 oder 2.0.10
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
Hersteller Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-268328-1
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Detlev O. Matthies
– —
Detlev O. Matthies, M.Sc. (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
Alert URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-268328-1
Sun Security Alert: 268328
A Security Vulnerability in Sun Virtual Desktop Infrastructure (VDI)
Software 3.0 may Lead to Unauthorized Access to the VirtualBox Web
Service
__________________________________________________________________
Category : Security
Release Phase : Resolved
Bug Id : 6880209
Product : Sun Virtual Desktop Infrastructure (VDI) Software 3.0
Date of Resolved Release : 03-Nov-2009
A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0 … see be
low
1. Impact
A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0
authentication mechanism may
allow remote unprivileged users to gain unauthorized access to the
VirtualBox web service.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Sun VDI Software 3.0 (for Solaris 10) without patch 141481-03 and
using VirtualBox 2.0.8 or 2.0.10
x86 Platform
* Sun VDI Software 3.0 (for Solaris 10) without patch 141482-03 and
using VirtualBox 2.0.8 or 2.0.10
Note 1: Sun VDI 2.0 does not provide integration with VirtualBox and
therefore is not impacted by this issue.
To determine the version of Sun VDI Software on a system, the following
command can be run:
$ pkgparam SUNWvda-service VERSION
3.0_71,REV=2009.03.11.11.27
Note 2: This issue is only present in Sun VDI 3.0 configurations using
VirtualBox desktop providers.
To determine the type of desktop providers configured for Sun VDI 3.0,
the following command can be run:
# /opt/SUNWvda/sbin/vda provider-list | grep -i VirtualBox
Hz) 13% (2.2 GB) 0% (16.1 GB)
Note 3: This issue is only present for VirtualBox version 2.0.8 and
2.0.10 for Sun VDI.
To determine the version of VirtualBox on a system, the following
command can be run:
$ pkgparam SUNWvbox VERSION
2.0.10,REV=r50334.2009.07.21.16.12
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.
Access from hosts/IPs other than Sun VDI 3.0 core servers in the
Apache2 access log
(/var/apache2/logs/access_log) may indicate an unauthorized user.
4. Workaround
To work around the described issue, firewall rules may be configured on
the VirtualBox hosts to allow
connections only from the VDI core servers. See the firewall product
documentation for more information
on how to configure firewall rules.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Sun VDI Software 3.0 (for Solaris 10) with patch 141481-03 or later
and with VirtualBox 2.0.12 or later
x86 Platform
* Sun VDI Software 3.0 (for Solaris 10) with patch 141482-03 or later
and with VirtualBox 2.0.12 or later.
Note: VirtualBox 2.0.12 is required to address the issue described, and
may be
downloaded from the following URL:
http://www.sun.com/software/vdi/get.jsp
Click on the “Download” button in the “Download Sun VDI Software 3”
section.
VirtualBox 2.0.12 should be installed after applying the Sun VDI 3.0
patch (141481-03 or 141482-03).
For more information on Security Sun Alerts, see Technical Instruction
ID 213557
http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1
This Sun Alert notification is being provided to you on an “AS IS”
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Attachments
This solution has no attachment
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFK8uljk0kIxZMiiQ8RAmJiAJ0QJBubo7DeVS/rqC+QII8A2/tHUACfbAmN
iSXO0HdFkjoHNQrqAvp42ZI=
=cK8D
—–END PGP SIGNATURE—–
