Note: This is an archival copy of Security Sun Alert 231244 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1018965.1.
Article ID : 1018965.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Some Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration



Category
Security

Release Phase
Resolved

Bug Id
None

Product
Sun SPARC Enterprise T5120 Server
Sun SPARC Enterprise T5220 Server

Date of Resolved Release
12-Feb-2008

Some Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration

1. Impact

Sun SPARC Enterprise T5120 and T5220 servers with datecode prior to BEL07480000 have been mistakenly shipped with factory settings in the pre-installed Solaris 10 OS image. These settings may allow a local or remote user to be able to execute arbitrary commands with the privileges of the root (uid 0) user.

(To determine if your systems are affected by this issue please look for the changed parameters and extra files listed in the Contributing Factors section below).

2. Contributing Factors

This issue can occur on the following platforms:
  • Sun SPARC Enterprise T5120 and T5220 Servers with datecode prior to BEL07480000
Note: Systems are only impacted by this issue if they have an incorrect factory image installed.

To determine the datecode on the T5120 or T5220, use either "Lights Out Management" (LOM) or prtdiag(1M) commands:

    ILOM CLI:  > show /SYS/
    ALOM CLI:  sc> showplatform
    prtdiag -v

To determine if an incorrect factory image of Solaris 10 has been installed on a system and if the system is affected by this issue, the following items can be reviewed:

A. Remote logins are enabled for the root user which is indicated by the CONSOLE entry in /etc/default/login beginning with a hash sign (#):
    $ grep CONSOLE= /etc/default/login
#CONSOLE=/dev/console
B. The sshd(1M) daemon is configured to allow the root user to login using ssh(1) which is indicated by the 'PermitRootLogin' entry in sshd_config(4) being set to 'yes':
    $ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
C. A profile(4) file for the root user will exist and have the 'PS1' environment variable set to a value of 'ROOT>' and the 'LOGDIR' environment variable will be set to '/export/home/utslog':
    $ egrep 'PS1|LOGDIR' /.profile
PS1='ROOT>'
LOGDIR='/export/home/utslog'
export LOGDIR
D.  Extra files and directories will exist on the system which are not part of a default install of Solaris 10:

    Files:
   /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
/etc/opt/SUNWvts/sunvts.conf
/opt/SUNWvts/bin/conf/iobus.cfg
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1

    Directories:
   /opt/SUNWt1tsk
/export/Nebula

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

Systems which are affected by this issue can modify the factory settings to no longer be insecure by performing the following steps as the root user:

For item A, modify the CONSOLE entry in the /etc/default/login file to no longer begin with a hash (#).

For item B, modify the PermitRootLogin entry in the /etc/sshd/sshd_config file from 'yes' to 'no' and then signal the sshd(1M) daemon to reread its configuration file using svcadm(1M):
    # svcadm restart svc:/network/ssh:default
For item C, the following lines can be removed from the /.profile file:
    PS1='ROOT>'
LOGDIR='/export/home/utslog'
export LOGDIR
For item D, the following files and directories can be removed using the rm(1) command:
    # /bin/rm /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1 /etc/opt/SUNWvts/sunvts.conf /opt/SUNWvts/bin/conf/iobus.cfg \
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2 /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1

# /bin/rm -f /opt/SUNWt1tsk /export/Nebula

5. Resolution

Sun SPARC Enterprise T5120 and T5220 servers with datecode BEL07480000 and later ship with the correct Solaris 10 image. The resolution for systems affected by this issue are to follow the steps outlined in the "Workaround" section above.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.











Attachments
This solution has no attachment