Note: This is an archival copy of Security Sun Alert 200198 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000150.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A security vulnerability in the implementation of the RPCSEC_GSS API, which impacts applications utilizing this API (rpcsec_gss(3NSL)) such as the kadmind(1M) daemon, may allow execution of arbitrary commands. In the case of Kerberos Key Distribution Centers(KDC) (which run kadmind(1M)) an unprivileged and unauthenticated remote user may be able to execute arbitrary commands on the system with the privileges of the kadmind(1M) daemon (usually 'root').
In addition, on KDC systems this issue may allow the remote user to compromise the Kerberos key database or cause the affected program to crash, which is a form of Denial of Service (DoS).
This issue is referenced in the following documents:
CVE-2007-2442 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442
This issue can occur in the following releases:
Note: This issue can only occur if a system is configured as a Kerberos Key Distribution Center (KDC).
To determine if a system is configured as a Kerberos Key Distribution Center (KDC) the following command can be run:
% ps -ef | grep kadmin root 321 1 0 Dec 10 0:00 /usr/krb5/lib/kadmind
If (as in the above example) the kadmind(1M) daemon is running, then the machine is configured as a Kerberos Key Distribution Center (KDC) and may be vulnerable to this issue.
Note: The vulnerability described in CVE-2007-2443 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443) does not affect the Solaris implementation of the RPCSEC_GSS API.
There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
This solution has no attachment