Note: This is an archival copy of Security Sun Alert 200250 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000197.1.
Article ID : 1000197.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-08-22
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Solaris 10 "DHCP" Clients


Release Phase

Solaris 10 Operating System

Bug Id

Date of Resolved Release


A security vulnerability in the "/lib/svc/method/net-svc" script may allow a remote privileged user the ability to execute arbitrary code with "root" privileges on a "DHCP" client system if the remote user has access to a system within the network or subnet which is used by the host for "DHCP" requests.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 119593-01

x86 Platform

  • Solaris 10 without patch 119594-01

Note: Solaris 8, and Solaris 9 are not impacted by this issue.

Only systems configured as a "DHCP" client are vulnerable to this issue. If a system is configured as a "DHCP" client, the "netstat -D" command will produce output similar to the following:

    # netstat -D
    Interface  State         Sent  Recv  Declined  Flags
    bge0       BOUND            1     1         0
    (Began, Expires, Renew) = (08/15/2005 16:00, 08/15/2005 20:00,
    08/15/2005 17:57)



There are no predictable symptoms that would indicate the described issue has occurred.


To prevent the described issue from occurring until patches can be applied, the following workaround can be used:

1. Use the sys-unconfig(1M)command to unconfigure the system.

2. On the subsequent reboot, configure the system to use a "static IP" address instead of "DHCP".


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 119593-01 or later

x86 Platform

  • Solaris 10 with patch 119594-01 or later



This solution has no attachment