Note: This is an archival copy of Security Sun Alert 201495 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001117.1.
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
On Kerberos 5 enabled systems, an unprivileged local or remote user may be able to kill the Kerberos KDC and admin daemons, for example, krb5kdc(1M) and kadmind(1M). Some Kerberos client applications, such as kadmin(1M), are also affected by this issue.
This issue is described in MIT krb5 Security Advisory 2003-005 at: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt.
This issue can occur in the following releases:
For Solaris without SEAM, this issue may only occur if the system is configured with Kerberos. To verify, please issue the following:
% grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___ default_realm = EXAMPLE.COM
If nothing is returned or the "krb5.conf" file is not found, then the system is not configured for Kerberos.
Note: Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 2.6, 7, and 8. For more information on SEAM, please see the SEAM(5) man page.
Note: SEAM 1.0.2 for the Solaris 9 x86 platform already has the fix for this security issue.
There are no predictable symptoms that would show that the described issue has occurred.
Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet or disable the daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports.
Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.
This issue is addressed in the following releases:
Note: It is necessary to restart the Kerberos network daemons after the patch installation(s) for the fix to take affect.
Execute the following commands as root:
# /etc/init.d/kdc stop # /etc/init.d/kdc start # /etc/init.d/kdc.master stop # /etc/init.d/kdc.master start
This solution has no attachment