Note: This is an archival copy of Security Sun Alert 201317 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000992.1.
Solaris 10 Operating System
Date of Resolved Release
A security vulnerability exists for Solaris 10 systems with kernel patches 120011-04 or later (SPARC) and 120012-04 or later (x86) which are configured as NFS servers and grant root user access to remote clients. This vulnerability may allow root users on remote clients that are not authorized to access the shared file systems as root to nevertheless have root access to files shared by the NFS server.
This issue can occur in the following releases:
NOTE: Solaris 8 and 9 are not impacted by this issue.
A system is only impacted by this issue if both the following are true:
a) The system is acting as an NFS server, is sharing root access to remote clients using the "root=" option and is mounting the file systems either as read-only ("ro=" option) or as read-write ("rw=" option). See share_nfs(1M) for information on file system sharing options. To list all file systems shared by an NFS server, the '/usr/sbin/share' command may be used as in the following example:
$ share
/NFSTEST root=hostname ""
b) Either the 'ipnodes' OR the 'hosts' entry (OR both these entries) in /etc/nsswitch.conf lists only "files" as its source. The following command may be executed to check these entries in /etc/nsswitch.conf:
$ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
hosts: files nisplus dns [NOTFOUND=return] files
ipnodes: nisplus [NOTFOUND=return] files
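The two conditions above can be checked together with a short script; this is an added example, not part of the Sun Alert. It assumes a POSIX shell and utilities (on Solaris 10, those under /usr/xpg4/bin), the function names are hypothetical, and it treats any share carrying "root=" as meeting condition a).

```shell
#!/bin/sh
# Added example (not from the Sun Alert): test the two exposure conditions.
# Assumes a POSIX shell and utilities; function names are hypothetical.

# shares_root FILE: succeed if saved `share` output in FILE has a root= option.
shares_root() {
    grep -E '(^|[[:space:],])root=' "$1" >/dev/null
}

# files_only DB FILE: succeed if entry DB in nsswitch.conf FILE has "files"
# as its only source (comments and surrounding blanks are ignored).
files_only() {
    src=$(sed -e 's/#.*//' "$2" | grep -E "^$1:" |
          sed -e "s/^$1:[[:space:]]*//" -e 's/[[:space:]]*$//')
    [ "$src" = "files" ]
}

# check_exposure SHARE_FILE NSSWITCH_FILE: return 0 when both conditions hold.
check_exposure() {
    if ! shares_root "$1"; then
        echo "condition a) not met: no share uses root="
        return 1
    fi
    for db in hosts ipnodes; do
        if files_only "$db" "$2"; then
            echo "EXPOSED: root= share present and '$db' uses only files"
            return 0
        fi
    done
    echo "condition b) not met: hosts and ipnodes list another name service"
    return 1
}

# With two arguments, check the given files, e.g.:
#   share > /tmp/share.out; sh check.sh /tmp/share.out /etc/nsswitch.conf
# With none, run on constructed sample data.
if [ $# -eq 2 ]; then
    check_exposure "$1" "$2"
else
    d=$(mktemp -d)
    printf '%s\n' '/NFSTEST rw,root=hostname ""' > "$d/share.out"      # constructed
    printf '%s\n' 'hosts: files' 'ipnodes: files nis' > "$d/nsswitch"  # constructed
    check_exposure "$d/share.out" "$d/nsswitch" || true
    rm -rf "$d"
fi
```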
There are no predictable symptoms that would indicate the described vulnerability has been exploited.
A) To work around this issue, patch 120011-04 or later (SPARC) or patch 120012-04 or later (x86) may be removed using the patchrm(1M) command.
Note however that these patches cannot be removed on Solaris 10 8/07 systems, as they are part of the initial installation of Solaris 10 8/07.
B) Alternatively, this issue can be avoided by adding another name service for hosts and ipnodes in /etc/nsswitch.conf. For example:
$ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
hosts: files nis
ipnodes: files nis
C) This issue can also be avoided by disabling the nscd(1M) daemon on the NFS server. Disabling the nscd daemon may slow responses to name service requests on the NFS server. The nscd daemon may be disabled by running the following command (as 'root' user):
# svcadm disable svc:/system/name-service-cache:default
This issue is addressed in the following releases: