Note: This is an archival copy of Security Sun Alert 200198 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000150.1.
Article ID : 1000150.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-07-01
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the Implementation of the RPCSEC_GSS API Affects the Kerberos Administration Daemon (kadmind(1M))

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6554841

Date of Workaround Release
26-JUN-2007

Date of Resolved Release
02-JUL-2007

Impact

A security vulnerability in the implementation of the RPCSEC_GSS API, which impacts applications utilizing this API (rpcsec_gss(3NSL)) such as the kadmind(1M) daemon, may allow execution of arbitrary commands. In the case of Kerberos Key Distribution Centers(KDC) (which run kadmind(1M)) an unprivileged and unauthenticated remote user may be able to execute arbitrary commands on the system with the privileges of the kadmind(1M) daemon (usually 'root').

In addition, on KDC systems this issue may allow the remote user to compromise the Kerberos key database or cause the affected program to crash, which is a form of Denial of Service (DoS).

This issue is referenced in the following documents:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt

CVE-2007-2442 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 126928-01
  • Solaris 9 without patch 113318-31
  • Solaris 10 without patch 123809-02

x86 Platform

  • Solaris 8 without patch 126929-01
  • Solaris 9 without patch 117468-17
  • Solaris 10 without patch 126837-01

Note: This issue can only occur if a system is configured as a Kerberos Key Distribution Center (KDC).

To determine if a system is configured as a Kerberos Key Distribution Center (KDC) the following command can be run:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10        0:00 /usr/krb5/lib/kadmind

If (as in the above example) the kadmind(1M) daemon is running, then the machine is configured as a Kerberos Key Distribution Center (KDC) and may be vulnerable to this issue.

Note: The vulnerability described in CVE-2007-2443 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443) does not affect the Solaris implementation of the RPCSEC_GSS API.


Symptoms

There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 126928-01 or later
  • Solaris 9 with patch 113318-31 or later
  • Solaris 10 with patch 123809-02 or later

x86 Platform

  • Solaris 8 without patch 126929-01 or later
  • Solaris 9 with patch 117468-17 or later
  • Solaris 10 with patch 126837-01 or later


Modification History
Date: 02-JUL-2007
  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

126928-01
123809-02
126929-01
126837-01
113318-31
117468-17




Attachments
This solution has no attachment