|
Note: This is an archival copy of Security Sun Alert 200581 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000443.1. |
Category Security Release Phase Resolved Sun Net Connect 3.2 Services Bug Id 6582431 Date of Resolved Release 02-NOV-2007 Impact A format string security vulnerability in the Sun Remote Services (SRS) Net Connect Software may allow an unprivileged local user to execute arbitrary code with root privileges. Sun acknowledges with thanks, Sean Larsson of iDefense Labs (http://www.idefense.com) for bringing this issue to our attention. This issue is also described in the following document: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=610 Contributing Factors This issue can occur in the following releases: SPARC Platform
Notes: 1. The SRS Net Connect software only runs on the SPARC platform; therefore the x86 platform is not affected by this issue. 2. This issue only occurs on systems which have installed the Sun Remote Services (SRS) Net Connect software. The SRS Net Connect software is not bundled with Solaris but is available for download at: https://srsnetconnect.sun.com/ 3. To determine the version of the SRS Net Connect software installed on the system, the filename of the SRS Net Connect Uninstall script can be examined by running the following command: $ ls -l /opt/SUNWsrspx/bin/Uninstall* -r-xr----- 1 root root 6422 Mar 16 19:34 /opt/SUNWsrspx/bin/UninstallNetConnect.003.002.004.sh The example above shows SRS Net Connect version 3.2.4 is installed on the system. Symptoms There are no predictable symptoms that would indicate the described issue has been exploited. Workaround There is no workaround for this issue. Please see the Resolution section below. Resolution This issue is addressed in the following releases: SPARC Platform
References125713-02123870-03 Attachments This solution has no attachment | |||||||||||||||
|
|