Note: This is an archival copy of Security Sun Alert 200793 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000608.1.
Solaris 9 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
On Solaris 8 and Solaris 9 systems with the LDAP name service enabled, an unprivileged local user may be able to gain unauthorized root access due to a buffer overflow in the "nss_ldap.so.1" library.
This issue can occur in the following releases:
Note: Solaris 2.6 and Solaris 7 are not affected.
Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.
Only Solaris 8 and Solaris 9 systems with the LDAP name service enabled in the "/etc/nsswitch.conf" file for any of the following databases are affected by this issue:
The LDAP name service is enabled for a database if the "ldap" keyword is present in its "/etc/nsswitch.conf" entry, as shown for the "hosts", "networks", and "netgroup" databases in the following example:

    $ grep ldap /etc/nsswitch.conf
    hosts: ldap dns [NOTFOUND=return] files
    networks: ldap [NOTFOUND=return] files
    netgroup: ldap

There are no predictable symptoms that would show the described issue has been exploited to gain root privileges.
To work around the described issue, edit the "/etc/nsswitch.conf" file to not use LDAP with the following databases (i.e. remove the "ldap" keyword for these database entries):
For example, edit the following line in "/etc/nsswitch.conf" from:

    hosts: ldap dns [NOTFOUND=return] files

to:

    hosts: dns [NOTFOUND=return] files

Editing the "/etc/nsswitch.conf" file requires root access rights.
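
The check and the workaround edit described above, as an added example that is not part of the Sun Alert: it lists the databases whose active entry uses "ldap" (ignoring commented-out lines, which a plain grep also matches) and prints the file with "ldap" removed from the databases named by the caller. The function names and the sample file are constructed for illustration; the database names are arguments because this copy of the alert does not carry the list of affected databases.

```shell
#!/bin/sh
# Added example (not part of the Sun Alert). Database names are passed in by
# the caller; the alert's own list of affected databases is the authority.

# Print each database whose active (uncommented) entry lists the ldap source.
ldap_databases() {
    awk '$1 ~ /^[a-z_]+:$/ {
        for (i = 2; i <= NF && $i !~ /^#/; i++)
            if ($i == "ldap") { sub(/:$/, "", $1); print $1; break }
    }' "$1"
}

# Print FILE with ldap removed from the named databases. A [STATUS=action]
# criterion applies to the source before it, so one that directly follows
# ldap is dropped with it; criteria after other sources are kept.
strip_ldap() {
    conf=$1; shift
    awk -v dbs="$*" '
    BEGIN { n = split(dbs, d, " "); for (i = 1; i <= n; i++) want[d[i] ":"] = 1 }
    !($1 in want) { print; next }          # comments, other databases
    {
        out = $1; drop = 0; inbr = 0
        for (i = 2; i <= NF; i++) {
            if (inbr) { if ($i ~ /\]$/) inbr = 0; continue }
            if ($i ~ /^#/) { for (; i <= NF; i++) out = out " " $i; break }
            if ($i == "ldap") { drop = 1; continue }
            if (drop && $i ~ /^\[/) { if ($i !~ /\]$/) inbr = 1; continue }
            drop = 0; out = out " " $i
        }
        print out
    }' "$conf"
}

# Constructed sample: the three entries from the alert plus a commented one.
sample_conf() {
    cat <<'EOF'
# passwd: files ldap
passwd: files
hosts: ldap dns [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
netgroup: ldap
EOF
}
# Usage: sample_conf > /tmp/nsswitch.sample
#        strip_ldap /tmp/nsswitch.sample hosts networks netgroup
```

An entry whose only source was "ldap" (the "netgroup" line in the sample) is left with no source and needs one chosen by hand before the file is installed. On Solaris 8 and 9, run the awk programs with nawk or /usr/xpg4/bin/awk, since /usr/bin/awk there does not accept -v.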
This issue is addressed in the following releases: