Note: This is an archival copy of Security Sun Alert 201296 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000978.1.
Solaris 10 Operating System
Date of Resolved Release
An unprivileged local user may be able to execute arbitrary commands with elevated privileges on Kerberos systems due to a security vulnerability in the in.rexecd(1M) daemon.
This issue can occur in the following releases:
Note 1: Solaris 8 and Solaris 9 are not affected by this issue.
Note 2: This issue only affects systems with the in.rexecd(1M) service enabled.
To determine if a system has the in.rexecd(1M) service enabled, the svcs(1) command can be run as follows:
$ svcs svc:/network/rexec:default STATE STIME FMRI online Jan_27 svc:/network/rexec:default
By default, the in.rexecd(1M) service is disabled on Solaris systems.
Note 3: This issue only affects systems which are configured to reference pam_krb5(5) in their pam.conf(4) file for the "other" column which is typically done as part of configuring a Kerberos client.
To determine if pam_krb5(5) is configured for the "other" service in the "/etc/pam.conf" file the following command can be run:
$ egrep "^other.*krb5" /etc/pam.conf || echo "Not impacted." other auth sufficient pam_krb5.so.1
There are no reliable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with elevated privilege on a host.
Until patches can be applied, sites may wish to disable the in.rexecd(1M) service using the svcadm(1M) command. For example:
# svcadm disable svc:/network/rexec:default
The service can be re-enabled using svcadm(1M) using the same command syntax as above except with "enable" in place of "disable".
This issue is addressed in the following releases:
This solution has no attachment