Category
Security
Release Phase
Resolved
Bug Id
6853222
ProductSun Ray Server Software 4.1
Date of Resolved Release10-Dec-2009
Vulnerability in Sun Ray Server Software due to Logout Failure, see below:
1. Impact
When a local user logs out of a Sun Ray desktop session, the session
may log the user back in again. The user may be unaware that the
session has logged in again and is unlocked, which may allow another
user to access to the desktop session.
The issue does not occur when one locks the screen or when the
smartcard used to access a session is removed from the Sun Ray DTU.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun Ray Server Software 4.1 (for Solaris 10) without patch 139548-03
x86 Platform
- Sun Ray Server Software 4.1 (for Solaris 10) without patch 139549-03
Note 1: Sun Ray Server Software 4.0 and Sun Ray Server Software 4.1 on the
Linux platform are not impacted by this issue.
Note 2: For the issue to occur, Sun Ray "Automatic Multi-Group
Hotdesking" (AMGH) feature must be enabled and supplying usernames
and one of the following must also apply:
a) "Non Smartcard Mobility" (NSCM) is not configured (i.e. non-mobile
pseudo sessions are used) and another user has physical access to the
Sun Ray DTU where the user had previously logged out.
b) Smartcards are used to access a session, and another user has
physical access to that smartcard and physical access to any Sun Ray DTU.
3. Symptoms
Upon logout, a local user is automatically logged in again.
4. Workaround
If smartcards are not used for Sun Ray session authentication, then enable NSCM
policy and do not use smartcards. If that is not feasible, then disable Remote Hotdesk
Authentication (RHA).
To disable RHA, use the Admin GUI or the -D option of utpolicy(1M).
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun Ray Server Software 4.1 (for Solaris 10) with patch 139548-03
x86 Platform
- Sun Ray Server Software 4.1 (for Solaris 10) with patch 139549-03
For more information on Security Sun Alerts, see
References
139548-03
139549-03
References
SUNPATCH:139548-03
SUNPATCH:139549-03
AttachmentsThis solution has no attachment