Note: This is an archival copy of Security Sun Alert 201152 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000871.1.
Article ID : 1000871.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-11-22
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the traceroute(1M) Utility may Allow Elevated Privileges



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6290623, 6290611

Date of Resolved Release
23-NOV-2005

Impact

Multiple security vulnerabilities in the traceroute(1M) utility may allow an unauthorized local user to execute arbitrary code with elevated privileges. Because the traceroute(1M) utility in Solaris 10 is privilege aware, the only additional privilege available is PRIV_NET_RAWACCESS (see privileges(5)). This limits the impact to access to the network layer.

These issues are described in the following document:


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 121012-01

x86 Platform

  • Solaris 10 without patch 121013-01

Note: Solaris 8 and Solaris 9 are not affected by this issue.


Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

To work around the described issue, the "set user ID bit" (suid) may be removed from the traceroute(1M) binary (or the binary may be removed altogether), which will render it unusable to non-root users.

To remove the suid bit, run the following command as the root user:

    # chmod u-s /usr/sbin/traceroute

 


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 121012-01 or later

x86 Platform

  • Solaris 10 with patch 121013-01 or later
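
The following script is an added example, not part of the original Sun Alert: it reports whether a host has the patch, has only the workaround applied, or is still exposed. It assumes a POSIX shell (ksh or bash rather than the legacy /bin/sh) and `showrev -p` lines of the form `Patch: <id>-<rev> ...`; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: check traceroute(1M) remediation state on Solaris 10.
# Assumption: `showrev -p` prints lines like "Patch: <id>-<rev> Obsoletes: ...".

# patch_installed BASE MINREV: reads showrev -p style text on stdin and
# succeeds if patch BASE is present at revision MINREV or later.
patch_installed() {
    base=$1
    min=$2
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        case $id in
            "$base"-[0-9]*)
                rev=${id#*-}      # keep the revision part after the dash
                rev=${rev#0}      # drop one leading zero ("01" -> "1")
                [ "$rev" -ge "$min" ] 2>/dev/null && return 0 ;;
        esac
    done
    return 1
}

# traceroute_status BINARY BASE: showrev -p text on stdin; prints
#   patched     the patch named in the alert is installed
#   workaround  unpatched, but the binary is not setuid (or is absent)
#   exposed     unpatched and the binary is still setuid
traceroute_status() {
    if patch_installed "$2" 1; then
        echo patched
    elif [ -u "$1" ]; then
        echo exposed
    else
        echo workaround
    fi
}

# Constructed sample input (not captured from a real host).
sample_showrev() {
    cat <<'EOF'
Patch: 999999-02 Obsoletes:  Requires:  Incompatibles:  Packages: PKG-PLACEHOLDER
Patch: 121012-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKG-PLACEHOLDER
EOF
}

# On a live SPARC host: showrev -p | traceroute_status /usr/sbin/traceroute 121012
# (use 121013 on x86). Demo on the constructed sample:
sample_showrev | traceroute_status /usr/sbin/traceroute 121012
```
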


References

121012-01
121013-01



