Note: This is an archival copy of Security Sun Alert 236944 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019202.1.
Sun Ray Server Software 4.0
Date of Resolved Release
A Security Vulnerability in Sun Ray Kiosk Mode 4.0 May Allow Escalation of Privileges
A security vulnerability in the Sun Ray Kiosk Mode software included with Sun Ray Server Software (SRSS) 4.0 may allow a local or remote user with Sun Ray administration privileges to execute arbitrary commands with root privileges.
2. Contributing Factors
This issue can occur in the following releases:
1. Sun Ray Server Software 3.1.1, Sun Ray Server Software 3.1 and earlier releases of Sun Ray Server Software are not affected.
2. This issue only affects systems which have the Sun Ray Server Software installed and Sun Ray Kiosk Mode configured and enabled. Kiosk mode is enabled if the -k <type> option is present in the current policy, where <type> may be 'pseudo', 'card' or 'both'. Example output, if kiosk mode is enabled for non-smartcard sessions:
To determine if kiosk mode is enabled for individual tokens, regardless of global policy, the utuser(1M) command can be run. Example output if kiosk mode is enabled for an individual smartcard:
$ /opt/SUNWut/sbin/utuser -L -s kiosk
3. Exploiting this issue requires Sun Ray administration privileges. The shared 'admin' account is used by default for administering Sun Ray services.
If the PAM configuration for the utadmingui service has been modified to use UNIX accounts, the following command may be used to list authorized Sun Ray administrator accounts:
4. Access to the Sun Ray Web Administration GUI is necessary in order to exploit this issue. The following command may be run to check if the Sun Ray Web Administration GUI is enabled:
# /opt/SUNWut/lib/utwebadmin status
To detect whether the Sun Ray Web Administration GUI permits remote access, the following command can be run:
$ grep remote.access
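The exposure checks above (a `-k <type>` option in the policy, and the web GUI's remote.access setting) can be scripted. The following is an added example, not part of the Sun Alert: it parses policy and configuration text handed to it as strings, so it runs offline on constructed samples; the space-separated option layout of the policy line and the `remote.access=true` key=value form are assumptions.

```shell
#!/bin/sh
# Added example (not from the Sun Alert). Assumes the policy is a
# space-separated option string and the web-admin config uses key=value.

# Print the kiosk <type> when "-k <type>" (pseudo, card or both) is present
# in the policy text given as $1; print nothing and return 1 otherwise.
kiosk_type() {
  set -- $1                       # split the policy string into tokens
  while [ $# -gt 1 ]; do
    if [ "$1" = "-k" ]; then
      case "$2" in
        pseudo|card|both) echo "$2"; return 0 ;;
      esac
      return 1                    # "-k" without a recognised type
    fi
    shift
  done
  return 1
}

# Print "yes" when remote.access is enabled in the config text given as $1,
# "no" otherwise (last matching line wins; key name from the advisory).
remote_access() {
  value=$(printf '%s\n' "$1" | grep '^remote\.access' | tail -n 1 \
          | cut -d= -f2 | tr -d ' ')
  case "$value" in
    true|yes|1) echo yes ;;
    *)          echo no ;;
  esac
}

# Return 0 (exposed) only when kiosk mode is enabled AND the web GUI accepts
# remote connections, the combination the advisory's workaround targets.
network_exposed() {
  [ -n "$(kiosk_type "$1")" ] && [ "$(remote_access "$2")" = yes ]
}

# Constructed sample inputs standing in for real command output.
SAMPLE_POLICY='-a -g -z pseudo -k pseudo'
SAMPLE_CONF='port=1660
remote.access=true'
if network_exposed "$SAMPLE_POLICY" "$SAMPLE_CONF"; then
  echo "kiosk=$(kiosk_type "$SAMPLE_POLICY") remote.access=yes: exposed"
fi
```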
There are no predictable symptoms that would indicate the described issue has been exploited.
To detect an ongoing attempt to exploit the described issue, inspect the output of the following command for unexpected kiosk-related settings:
# /opt/SUNWut/sbin/utkiosk -e session
Presence of arbitrary code execution constructs in the output of this command may indicate that this issue is being exploited.
To work around the described issue, either temporarily disable the Sun Ray Web Administration GUI or temporarily disable Sun Ray Kiosk Mode. To reduce network exposure for this vulnerability, configure the Sun Ray Web Administration GUI to accept connections only from the local host.
To disable the Sun Ray Web Administration GUI, the following command can be run:
# /opt/SUNWut/sbin/utconfig -uw
To disable Sun Ray Kiosk Mode, use the following procedure in the Sun Ray Web Administration GUI:
1. Select the Advanced/System Policy tab.
2. Uncheck both 'Kiosk Mode' check boxes (if they are checked).
3. Click Save to save your changes.
4. Select the Servers tab.
5. Select all listed servers.
6. Click Cold Restart to restart Sun Ray services.
WARNING: This will terminate all current Sun Ray sessions.
To reconfigure the Sun Ray Web Administration GUI with the option to allow access only from the local host, run the following command:
This issue is addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.