Note: This is an archival copy of Security Sun Alert 201294 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000976.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Third-party Applications Using GSS-API May Be Vulnerable to Compromise
Third-party applications which utilize GSS-API, and thus link to the Generic Security Services library libgss(3LIB), may allow an unauthenticated user (local or remote, depending on the application) to execute arbitrary code with the privileges of the application.
Note: Exploitation of this vulnerability is believed to be difficult. No exploit code is known to exist at this time.
This issue is referenced in the following documents:
MITKRB5-SA-2006-003 - MIT krb5 Security Advisory 2006-003 at:
2. Contributing Factors
This issue can occur in the following releases:
To determine if an application is linked against libgss(3LIB) the following command can be run:
$ ldd application | grep libgss || echo "application not affected"
If output similar to the following is seen:
libgss.so.1 => /usr/lib/libgss.so.1
then the application links to libgss(3LIB) and may be affected by this issue.
A comprehensive test to check if an application links with a library such as libgss(3LIB) requires the use of pldd(1) against the running application since ldd(1) does not list any shared objects explicitly attached using dlopen(3C). For example:
$ pldd <process ID of application> | grep libgss
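The two checks above can be combined into one pass per application. The following is an added example, not part of the original Sun Alert: it assumes a POSIX-compatible shell, the function names and the sample path /opt/example/bin/appd are hypothetical, the sample output is constructed, and locating running instances by the binary's base name with pgrep(1) is an assumption about how the application is started.

```shell
# Constructed sample output, for illustration only (not captured from a real host).
SAMPLE_LDD_LINKED='	libgss.so.1 =>	 /usr/lib/libgss.so.1
	libc.so.1 =>	 /lib/libc.so.1'
SAMPLE_LDD_PLAIN='	libc.so.1 =>	 /lib/libc.so.1'
SAMPLE_PLDD='1234:	/opt/example/bin/appd
/lib/libc.so.1
/usr/lib/libgss.so.1'

# Succeeds if ldd(1)/pldd(1) output on stdin lists a libgss shared object.
# The pattern requires "libgss.so" so similarly named libraries do not match.
has_libgss() {
    grep 'libgss\.so' >/dev/null
}

# classify LDD_OUTPUT PLDD_OUTPUT -> prints linked | dlopen | not-seen
classify() {
    if printf '%s\n' "$1" | has_libgss; then
        echo linked        # recorded as a link-time dependency
    elif printf '%s\n' "$2" | has_libgss; then
        echo dlopen        # absent from ldd, but mapped in a running process
    else
        echo not-seen      # no evidence; a later dlopen(3C) is still possible
    fi
}

# check_app /path/to/binary: ldd the file, then pldd every running instance.
check_app() {
    ldd_out=$(ldd "$1" 2>/dev/null)
    pldd_out=
    for pid in $(pgrep -x "$(basename "$1")"); do
        # pldd on another user's process needs sufficient privileges
        pldd_out="$pldd_out
$(pldd "$pid" 2>/dev/null)"
    done
    echo "$1: $(classify "$ldd_out" "$pldd_out")"
}

# Run against any paths given on the command line.
if [ $# -gt 0 ]; then
    for app in "$@"; do check_app "$app"; done
fi
```

A result of not-seen only means libgss was not mapped at the time of the check; an application that attaches it later with dlopen(3C) would need to be rechecked while that code path is active.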
There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
For more information on Security Sun Alerts, see 1009886.1.
10-Jan-2007: Updated Impact statement and URL
14-May-2009: Updated Contributing Factors and Resolution sections
20-May-2009: Updated Contributing Factors and Resolution sections
05-Jun-2009: Updated Contributing Factors and Resolution sections; Resolved