Note: This is an archival copy of Security Sun Alert 200199 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000151.1.
Article ID : 1000151.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-04
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Authentication Mechanism for Solaris Management Console (SMC) May Lead to Escalation of Privileges

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6365758

Date of Resolved Release
05-JUN-2007

Impact

A security vulnerability in the authentication mechanism for Solaris Management Console (SMC) may allow a local or remote authenticated user to gain unauthorized root access to a Solaris system.

Sun acknowledges with thanks, Adam Gowdiak for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 111313-05
  • Solaris 9 without patch 112945-45
  • Solaris 10 without patch 121308-09

x86 Platform

  • Solaris 8 without patch 111314-05
  • Solaris 9 without patch 114193-35
  • Solaris 10 without patch 121309-09

Note: The described issue will only occur if the Solaris Management Console (SMC) is running on the system.

To determine if SMC is running on a system, the following command can be run (as 'root' on Solaris 8 and 9 systems and as any user on Solaris 10 systems):

for Solaris 8:

    # /etc/init.d/init.wbem status
    Solaris Management Console server not running on port 898

for Solaris 9:

    # /etc/init.d/init.wbem status
    Solaris Management Console server version 2.1.0 running on port 898

for Solaris 10:

    $ svcs svc:/application/management/wbem
    STATE      STIME    FMRI
    online     Apr_12   svc:/application/management/wbem:default

Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to gain unauthorized root access on a system.


Workaround

To prevent this issue from occurring until the resolution patches can be applied, the SMC server can be stopped by issuing the following command as 'root' (note that this will remove the functionality of the SMC service on that host):

For Solaris 8 and 9:

    # /etc/init.d/init.wbem stop

For Solaris 10:

    # svcadm disable svc:/application/management/wbem

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 111313-05 or later
  • Solaris 9 with patch 112945-45 or later
  • Solaris 10 with patch 121308-09 or later

x86 Platform

  • Solaris 8 with patch 111314-05 or later
  • Solaris 9 with patch 114193-35 or later
  • Solaris 10 with patch 121309-09 or later


References

121308-09
121309-09
111313-05
111314-05
112945-45
114193-35




Attachments
This solution has no attachment