Note: This is an archival copy of Security Sun Alert 200474 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000352.1.
Article ID : 1000352.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-12-06
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability With RSA Signature Affects the Sun Secure Global Desktop Software

Category
Security

Release Phase
Resolved

Product
Sun Secure Global Desktop Software 4.2

Bug Id
6469123

Date of Workaround Release
06-OCT-2006

Date of Resolved Release
07-DEC-2006

Impact

Sun Secure Global Desktop (SSGD) software 4.2 is impacted by an RSA signature forgery vulnerability. This vulnerability may allow an untrusted server to present a forged identity to clients connecting to that server when secure connections are in use.

This vulnerability may also affect SSGD servers which are configured to use web server authentication and client certificates. Under these circumstances, it may be possible for a local or remote unprivileged user to forge a valid identity and log in to an SSGD server, allowing unauthorized access to the applications available for that identity.

This issue is also described in the following documents:

CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

Note: The issue described in this Sun Alert is specific to Sun Secure Global Desktop Software. Multiple Sun products are affected by this issue; for more details please see Sun Alert 102648


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun Secure Global Desktop Software 4.2 (for Solaris 8, 9, and 10)

x86 Platform

  • Sun Secure Global Desktop Software 4.2 (for Solaris 10)

Linux Platform

  • Sun Secure Global Desktop Software 4.2

Note: Sun Secure Global Desktop Software 4.2 is not supported on Solaris 8 or Solaris 9 for the x86 platform.

To determine the version of the Sun Secure Global Desktop Software running on a system, the following command can be executed on the Sun Secure Global Desktop server:

    $ <INSTALL_DIR>/bin/tarantella version
    Sun Secure Global Desktop Software for SPARC Solaris 2.8+ (4.20.983)
    Architecture code: spso0510
    This host: SunOS <SERVER NAME> 5.10 Generic_118822-25 sun4v sparc SUNW,Sun-Fire-T2000

Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to gain unauthorized access to a system.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following release (for all platforms: SPARC, x86 and Linux):

  • Sun Secure Global Desktop Software 4.3

The upgrade is available for download at:

http://www.sun.com/download/products.xml?id=451d9816



Modification History
Date: 07-DEC-2006

07-Dec-2006:

  • Updated Resolution section
  • State: Resolved 











Attachments
This solution has no attachment