Note: This is an archival copy of Security Sun Alert 231244 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1018965.1.
Sun SPARC Enterprise T5120 Server
Sun SPARC Enterprise T5220 Server
Date of Resolved Release
Some Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration
1. ImpactSun SPARC Enterprise T5120 and T5220 servers with datecode prior to BEL07480000 have been mistakenly shipped with factory settings in the pre-installed Solaris 10 OS image. These settings may allow a local or remote user to be able to execute arbitrary commands with the privileges of the root (uid 0) user.
(To determine if your systems are affected by this issue please look for the changed parameters and extra files listed in the Contributing Factors section below).
2. Contributing FactorsThis issue can occur on the following platforms:
To determine the datecode on the T5120 or T5220, use either "Lights Out Management" (LOM) or prtdiag(1M) commands:
ILOM CLI: > show /SYS/
ALOM CLI: sc> showplatform
To determine if an incorrect factory image of Solaris 10 has been installed on a system and if the system is affected by this issue, the following items can be reviewed:
A. Remote logins are enabled for the root user which is indicated by the CONSOLE entry in /etc/default/login beginning with a hash sign (#):
$ grep CONSOLE= /etc/default/loginB. The sshd(1M) daemon is configured to allow the root user to login using ssh(1) which is indicated by the 'PermitRootLogin' entry in sshd_config(4) being set to 'yes':
$ grep PermitRootLogin /etc/ssh/sshd_configC. A profile(4) file for the root user will exist and have the 'PS1' environment variable set to a value of 'ROOT>' and the 'LOGDIR' environment variable will be set to '/export/home/utslog':
$ egrep 'PS1|LOGDIR' /.profileD. Extra files and directories will exist on the system which are not part of a default install of Solaris 10:
3. SymptomsThere are no predictable symptoms that would indicate the described issue has been exploited.
4. WorkaroundSystems which are affected by this issue can modify the factory settings to no longer be insecure by performing the following steps as the root user:
For item A, modify the CONSOLE entry in the /etc/default/login file to no longer begin with a hash (#).
For item B, modify the PermitRootLogin entry in the /etc/sshd/sshd_config file from 'yes' to 'no' and then signal the sshd(1M) daemon to reread its configuration file using svcadm(1M):
# svcadm restart svc:/network/ssh:defaultFor item C, the following lines can be removed from the /.profile file:
PS1='ROOT>'For item D, the following files and directories can be removed using the rm(1) command:
# /bin/rm /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1 /etc/opt/SUNWvts/sunvts.conf /opt/SUNWvts/bin/conf/iobus.cfg \
5. ResolutionSun SPARC Enterprise T5120 and T5220 servers with datecode BEL07480000 and later ship with the correct Solaris 10 image. The resolution for systems affected by this issue are to follow the steps outlined in the "Workaround" section above.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
This solution has no attachment