Note: This is an archival copy of Security Sun Alert 268228 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020969.1.
Article ID : 1020969.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-03
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Vulnerability in Sun Ray Server Software due to Logout Failure

Category
Security

Release Phase
Resolved

Bug Id
6853222

Product
Sun Ray Server Software 4.1

Date of Resolved Release
10-Dec-2009

Vulnerability in Sun Ray Server Software due to Logout Failure, see below:

1. Impact

When a local user logs out of a Sun Ray desktop session, the session
may log the user back in again. The user may be unaware that the
session has logged in again and is unlocked, which may allow another
user to access to the desktop session.

The issue does not occur when one locks the screen or when the
smartcard used to access a session is removed from the Sun Ray DTU.


2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Ray Server Software 4.1 (for Solaris 10) without patch 139548-03
x86 Platform
  • Sun Ray Server Software 4.1 (for Solaris 10) without patch 139549-03

Note 1:  Sun Ray Server Software 4.0 and Sun Ray Server Software 4.1 on the
Linux platform are not impacted by this issue.

Note 2:  For the issue to occur, Sun Ray "Automatic Multi-Group
Hotdesking" (AMGH) feature must be enabled and supplying usernames
and one of the following must also apply:

a) "Non Smartcard Mobility" (NSCM) is not configured (i.e. non-mobile
pseudo sessions are used) and another user has physical access to the
Sun Ray DTU where the user had previously logged out.

b) Smartcards are used to access a session, and another user has
physical access to that smartcard and physical access to any Sun Ray DTU.


3. Symptoms

Upon logout, a local user is automatically logged in again.



4. Workaround

If smartcards are not used for Sun Ray session authentication, then enable NSCM
policy and do not use smartcards. If that is not feasible, then disable Remote Hotdesk
Authentication (RHA).

To disable RHA, use the Admin GUI or the -D option of utpolicy(1M).



5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun Ray Server Software 4.1 (for Solaris 10) with patch 139548-03
x86 Platform
  • Sun Ray Server Software 4.1 (for Solaris 10) with patch 139549-03

For more information on Security Sun Alerts, see

References

139548-03
139549-03

References

SUNPATCH:139548-03
SUNPATCH:139549-03



Attachments
This solution has no attachment