Note: This is an archival copy of Security Sun Alert 200068 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000052.1.
Article ID : 1000052.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-05-20
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Sun Remote Services (SRS) Net Connect Software



Category
Security

Release Phase
Resolved

Product
Sun Net Connect 3.2 Services

Bug Id
6492570

Date of Resolved Release
11-MAY-2007

Impact

A security vulnerability in Sun Remote Services (SRS) Net Connect Software may allow a local unprivileged user to read partial contents of any file on the system.

Sun acknowledges with thanks, iDefense (http://www.idefense.com) for bringing this issue to our attention.

This issue is also described in the following document:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=531


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • SRS Net Connect Software 3.2.3 (for Solaris 8, 9 and 10) without patch 125713-01
  • SRS Net Connect Software 3.2.4 (for Solaris 8, 9 and 10) without patch 123870-02

Notes:

  1. The SRS Net Connect software only runs on the SPARC platform.
  2. This issue only occurs on systems which have installed the Sun Remote Services (SRS) Net Connect software. (SRS Net Connect software is not bundled with Solaris).

To determine if the SRS Net Connect software has been installed on a system, the following command can be run:

    $ pkginfo SUNWsrspx
    system      SUNWsrspx Sun(SM) Net Connect Proxy Core

To determine the version of the SRS Net Connect software installed on the system, the filename of the SRS Net Connect Uninstall script can be examined:

    $ ls -l /opt/SUNWsrspx/bin/Uninstall*
    -r-xr-----   1 root     root    6422 Mar 16 19:34
    /opt/SUNWsrspx/bin/UninstallNetConnect.003.002.004.sh

The above output indicates SRS Net Connect version 3.2.4 is installed on the system.


Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to read the contents of a file on the system.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • SRS Net Connect Software 3.2.3 (for Solaris 8, 9 and 10) with patch 125713-01 or later
  • SRS Net Connect Software 3.2.4 (for Solaris 8, 9 and 10) with patch 123870-02 or later


References

125713-01
123870-02




Attachments
This solution has no attachment