Note: This is an archival copy of Security Sun Alert 200370 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000262.1.
Article ID : 1000262.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-02-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Solaris Systems With Basic Security Module (BSM) Configured to Audit the "ad" or "as" Audit Class

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4857394

Date of Resolved Release
22-JUN-2004

Impact

Local unprivileged users may be able to panic Solaris systems with Basic Security Module (BSM) enabled causing a Denial of Service (DoS). This issue can only occur on systems where BSM has been configured to audit the Administrative audit class "ad" or the System-Wide Administration audit class "as".


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 106541-33
  • Solaris 8 without patch 109007-18
  • Solaris 9 without patch 114332-12

x86 Platform

  • Solaris 7 without patch 106542-33
  • Solaris 8 without patch 109008-18
  • Solaris 9 without patch 116558-01

Note: This issue can only occur on systems with BSM configured to audit either the Administrative audit class "ad" or the System-Wide Administration audit class "as".

If a Solaris system has BSM enabled, the following line will be present in the "/etc/system" file: 

    $ grep c2audit /etc/system
set c2audit:audit_load = 1

To determine if either the Administrative audit class or the System-Wide Administration audit class is configured to be audited, the "flags" line of the "/etc/security/audit_control" file will contain either "ad" or "as": 

    # egrep ^flags:.*a[sd] /etc/security/audit_control
flags:lo,ad

Symptoms

The system panics with a stack trace similar to the following: 

    pcache_poll+0x98(0, 30005437bc8, 25, 2a100aebaec, 1, 20)
poll+0x3e0(ffbfaa60, 1, 300053f7ef0, 1388, 0, 18)
syscall_trap32+0xa8(ffbfaa60, 3, 1388, 0, 1388, 0)

Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 106541-33 or later
  • Solaris 8 with patch 109007-18 or later
  • Solaris 9 with patch 114332-12 or later

x86 Platform

  • Solaris 7 with patch 106542-33 or later
  • Solaris 8 with patch 109008-18 or later
  • Solaris 9 with patch 116558-01 or later


Modification History

References
 109007-18

 109008-18

 106541-33

 106542-33

 114332-12

 116558-01



                                                                                                        


Attachments
This solution has no attachment