Category
Security
Release Phase
Resolved
Bug Id
6856923
Date of Resolved Release
14-Aug-2009
A security vulnerability in Sun Virtual Desktop Infrastructure (VDI)
Software 3.0 may lead to inadvertent use of an insecure LDAP connection:
1. Impact
A security vulnerability in Sun Virtual Desktop Infrastructure (VDI)
Software 3.0 may allow a remote privileged user to be able to view
client LDAP requests for VDI configuration data.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun VDI Software 3.0 (for Solaris 10) without patch 141481-02
x86 Platform
- Sun VDI Software 3.0 (for Solaris 10) without patch 141482-02
Note
1: Sun VDI 2.0 does not provide integration with LDAP directories
and therefore is not impacted by this issue.
To determine the version of Sun Virtual Desktop Infrastructure Software
on a system, the following command can be run:
$ /usr/bin/pkginfo -l SUNWvda-service | grep -i version
Note 2: Only systems which have
been setup to use a secure LDAP connection are vulnerable to this
issue. To determine if a system has been set up in this way, execute
the following command:
# /opt/SUNWvda/sbin/vda directory-show
Authentication: secure
...
3.
Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.
Unless the LDAP User Directory has an insecure configuration, the Sun
VDI
3.0 service will not function.
4. Workaround
To work around this issue, anonymous binding should be disabled (using
ACLs or other settings, depending on the type of LDAP directory used)
on the LDAP directory to prevent the silent fallback to unencrypted
connection.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun VDI Software 3.0 (for Solaris 10) with patch 141481-02 or
later
x86 Platform
- Sun VDI Software 3.0 (for Solaris 10) with patch 141482-02 or
later
For more information on
Security Sun Alerts, see 1009886.1.
Product
Sun Virtual Desktop Infrastructure Software 3.0
References
141481-02
141482-02
References
SUNPATCH:141481-02
SUNPATCH:141482-02
AttachmentsThis solution has no attachment