Note: This is an archival copy of Security Sun Alert 200988 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000744.1.
Solaris 9 Operating System
Solaris 8 Operating System
Date of Resolved Release
The Solaris Management Console (smc(1M)) Server may allow a remote unprivileged user to learn about a system's directory structure and the presence/location of files therein. However, it does not allow one to see the contents of the files.
Sun acknowledges, with thanks, Jon Hart for identifying and reporting this issue.
This issue can occur in the following releases:
Note 1: Solaris 7 is not affected by this issue.
Note 2: The described issue only occurs if the Solaris Management Console (smc(1M)) Server is running on the system. This can be determined by running the following command as the "root" user:
# /etc/init.d/init.wbem status
Solaris Management Console server not running on port 898

# /etc/init.d/init.wbem status
Solaris Management Console server version 2.1.0 running on port 898
There are no user visible symptoms to determine whether the vulnerability is being exploited.
To work around this issue until patches can be applied, sites may disable the Solaris Management Console (smc(1M)) Server by running the following commands as the root user:
To stop the running smc(1M) server:
# /etc/init.d/init.wbem stop
To prevent the smc(1M) server from starting on subsequent reboots:
# mv /etc/rc2.d/S90wbem /etc/rc2.d/disabled-S90wbem
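The workaround steps above as a repeatable script that also confirms the result. This is an added example, not part of the Sun Alert; the function names and the ROOT prefix argument (empty for the live system, a scratch directory for a dry run) are assumptions, and the status strings matched are the two shown in this advisory.

```shell
#!/bin/sh
# Added example: apply and verify the smc(1M) workaround from this advisory.
# ROOT ($1) is a hypothetical path prefix; pass "" to act on the live system.

# Classify the text printed by "/etc/init.d/init.wbem status".
# "not running" must be tested first because it also contains "running on port".
smc_state() {
    case "$1" in
        *"not running on port"*) echo stopped ;;
        *"running on port"*)     echo running ;;
        *)                       echo unknown ;;
    esac
}

# Succeeds while the rc2.d start script is still in place (server starts at boot).
smc_boot_enabled() {
    [ -f "$1/etc/rc2.d/S90wbem" ]
}

# Rename the start script as the advisory describes; safe to run repeatedly.
smc_disable_boot() {
    if smc_boot_enabled "$1"; then
        mv "$1/etc/rc2.d/S90wbem" "$1/etc/rc2.d/disabled-S90wbem" || return 1
    fi
    # Verify rather than trust the mv: the start script must be gone.
    if smc_boot_enabled "$1"; then return 1; fi
    return 0
}

# Stop the server, disable boot-time start, then confirm via the status output.
# Returns 0 only if the server reports "not running" and boot start is disabled,
# 2 if init.wbem is missing, 1 on any other failure.
smc_workaround() {
    init="$1/etc/init.d/init.wbem"
    [ -x "$init" ] || { echo "init.wbem not found under '$1'" >&2; return 2; }
    "$init" stop >/dev/null 2>&1
    smc_disable_boot "$1" || return 1
    out=`"$init" status 2>&1`
    state=`smc_state "$out"`
    [ "$state" = stopped ]
}

# Example (as root):  smc_workaround "" && echo "smc server stopped and disabled"
```
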
This issue is addressed in the following releases: