Note: This is an archival copy of Security Sun Alert 200604 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000466.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A security vulnerability in the Kerberos administration daemon (kadmind(1M)) may allow a remote authenticated user to be able to execute arbitrary commands on Kerberos Key Distribution Center(KDC) systems with the privilegs of the kadmind(1M) daemon (usually root). This issue may also allow the remote user to compromise the Kerberos key database or cause the kadmind(1M) daemon to crash, which is a form of Denial of Service (DoS).
This issue is referenced in the following documents:
This issue can occur in the following releases:
Note 1: Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 8 and 9. For more information on SEAM, please see the SEAM(5) man page.
Note 2: To determine if the SEAM unbundled product is installed on a host, the following command can be used:
$pkginfo SUNWkr5ma system SUNWkr5ma Kerberos V5 Master KDC
Note 3: This issue only occurs if the system is configured as a Key Distribution Center (KDC).
To determine if the system is configured as a Key Distribution Center, the following command can be used:
% ps -ef | grep kadmin root 321 1 0 Dec 10 ? 0:00 /usr/krb5/lib/kadmind
If the above command shows that the daemon kadmind(1M) is running, then the machine is configured as the Key Distribution Center (KDC).
There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.
To work around the described issue, kadmind(1M) could be disabled, however this would take down all administrative functionality of the Kerberos environment. The Kerberos realm itself would remain usable while kadmind(1M) is down.
To disable kadmind(1M) on Solaris 8 and Solaris 9 systems, the following command can be used:
# pkill kadmind
This issue is addressed in the following release:
This solution has no attachment