Note: This is an archival copy of Security Sun Alert 201317 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000992.1.
Article ID : 1000992.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-01-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris 10 Kernel Patches May Allow Privileged Remote Users to Gain Root Access to Files Shared by NFS Servers



Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6602070

Date of Resolved Release
13-DEC-2007

Impact

A security vulnerability exists in Solaris 10 systems with kernel patches 120011-04 or later (SPARC) and 120012-04 or later (x86) that are configured as NFS servers and grant root user access to remote clients. The vulnerability may allow root users on remote clients that are not authorized to access the shared file systems as root to gain root access to files shared by the NFS server anyway.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform:

  • Solaris 10 with patch 120011-04 or later and without patch 127111-05

x86 Platform:

  • Solaris 10 with patch 120012-04 or later and without patch 127954-03

NOTE: Solaris 8 and 9 are not impacted by this issue.

A system is only impacted by this issue if both of the following are true:

a) The system is acting as an NFS server, is sharing root access to remote clients using the "root=" option, and is mounting the file systems either as read-only ("ro=" option) or as read-write ("rw=" option). See share_nfs(1M) for information on file system sharing options. To list all file systems shared by an NFS server, use the '/usr/sbin/share' command, as in the following example:

    $ share
    /NFSTEST   root=hostname   ""

b) Either the 'ipnodes' or the 'hosts' entry (or both) in /etc/nsswitch.conf lists only "files" as its source. The following command may be executed to check these entries in /etc/nsswitch.conf:

    $ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
    hosts:      files nisplus dns [NOTFOUND=return] files
    ipnodes:    nisplus [NOTFOUND=return] files
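
One way to test contributing factors (a) and (b) together, as an added example that is not part of the original alert. The function names, the AWK variable and the sample input are assumptions made for illustration, and the kernel patch level is not checked.

```shell
# Added example: tests contributing factors (a) and (b) of this alert; names are illustrative.
# On Solaris 10 run with AWK=nawk; /usr/bin/awk there lacks sub().

# Factor (a): print the path of every share with a "root=" option (`share` output on stdin).
root_shares() {
    ${AWK:-awk} '{
        path = ""; root = 0
        for (i = 1; i <= NF; i++) {
            if (path == "" && substr($i, 1, 1) == "/") { path = $i; continue }
            n = split($i, opt, ",")
            for (j = 1; j <= n; j++)
                if (index(opt[j], "root=") == 1) root = 1
        }
        if (root && path != "") print path
    }'
}

# Factor (b): print "hosts" and/or "ipnodes" when that nsswitch.conf entry
# names "files" as its only source. Reads nsswitch.conf text on stdin.
files_only_dbs() {
    ${AWK:-awk} '
    { sub(/#.*/, "") }                          # strip comments
    $1 == "hosts:" || $1 == "ipnodes:" {
        n = 0; only = 1; inb = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\[/) inb = 1             # [NOTFOUND=return] criteria
            if (inb) { if ($i ~ /\]$/) inb = 0; continue }
            n++; if ($i != "files") only = 0
        }
        if (n > 0 && only) print substr($1, 1, length($1) - 1)
    }'
}

# Exit 0 only when both factors hold. $1 = `share` output, $2 = nsswitch.conf text.
both_factors() {
    s=`printf '%s\n' "$1" | root_shares`
    d=`printf '%s\n' "$2" | files_only_dbs`
    [ -n "$s" ] && [ -n "$d" ]
}

# Constructed sample input, not taken from a real host.
SHARES='/NFSTEST   root=hostname   ""'
NSS='hosts:      files
ipnodes:    nisplus [NOTFOUND=return] files'
if both_factors "$SHARES" "$NSS"; then
    echo "factors (a) and (b) both present: verify the kernel patch level"
else
    echo "factors (a) and (b) not both present"
fi
```

On a live server the same functions can be fed with `share | root_shares` and `files_only_dbs < /etc/nsswitch.conf`.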

Symptoms

There are no predictable symptoms that would indicate the described vulnerability has been exploited.


Workaround

A) To work around this issue, patch 120011-04 or later (SPARC) or patch 120012-04 or later (x86) may be removed using the patchrm(1M) command.

Note however that these patches cannot be removed on Solaris 10 8/07 systems, as they are part of the initial installation of Solaris 10 8/07.

B) Alternatively, this issue can be avoided by adding another name service for hosts and ipnodes in /etc/nsswitch.conf. For example:

    $ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
    hosts:      files nis
    ipnodes:    files nis

C) This issue can also be avoided by disabling the nscd(1M) daemon on the NFS server. Disabling the nscd daemon may slow responses to name service requests on the NFS server. The nscd daemon may be disabled by running the following command (as 'root' user):

    # svcadm disable svc:/system/name-service-cache:default

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 127111-05 or later

x86 Platform

  • Solaris 10 with patch 127954-03 or later


Modification History
Date: 14-DEC-2007
  • Updated Contributing Factors section

Date: 21-DEC-2007
  • Updated Impact and Contributing Factors sections for clarification

Date: 08-JAN-2008
  • Updated Impact section


References

127954-03
127111-05



