Category: Security
Release Phase: Resolved
Product: Solaris 9 Operating System, Solaris 8 Operating System
Bug Id: 4830525
Date of Workaround Release: 26-MAR-2003
Date of Resolved Release: 12-DEC-2003
Impact
On Solaris 8 and Solaris 9 systems with the LDAP name service enabled, an unprivileged local user may be able to gain unauthorized root access due to a buffer overflow in the "nss_ldap.so.1" library.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 8 without patch 108993-29
- Solaris 9 without patch 112960-09
x86 Platform
- Solaris 8 without patch 108994-29
- Solaris 9 without patch 114328-02
Note: Solaris 2.6 and Solaris 7 are not affected.
Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.
Only Solaris 8 and Solaris 9 systems with the LDAP name service enabled in the "/etc/nsswitch.conf" file for any of the following databases are affected by this issue:
- bootparams
- ethers
- hosts
- ipnodes
- netgroup
- netmasks
- networks
The LDAP name service is enabled for a database if the "ldap" keyword is present in that database's entry in the "/etc/nsswitch.conf" file, as shown for the "hosts", "networks", and "netgroup" databases in the following example:
$ grep ldap /etc/nsswitch.conf
hosts: ldap dns [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
netgroup: ldap
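A plain grep for "ldap" also matches databases that this alert does not list (for example "passwd"). As an added example, not part of the original Sun Alert, the following sh function reports only the seven listed databases whose entry names "ldap" as a source; the function names, the AWK variable and the sample file are constructed for illustration. On Solaris run it with AWK=nawk, because the script uses sub(), which the older /usr/bin/awk lacks.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): report which of the databases named
# in the alert still list "ldap" as a source in nsswitch.conf.
# Usage: ldap_affected_dbs [file]   ("-" reads standard input)
ldap_affected_dbs() {
    conf="${1:-/etc/nsswitch.conf}"
    "${AWK:-awk}" '
    BEGIN {
        # The seven databases listed under Contributing Factors.
        n = split("bootparams ethers hosts ipnodes netgroup netmasks networks", a, " ")
        for (i = 1; i <= n; i++) affected[a[i]] = 1
    }
    {
        sub(/#.*/, "")                      # strip comments
        if ($0 !~ /:/) next                 # not a "database: sources" line
        db = $0; sub(/:.*/, "", db); gsub(/[ \t]/, "", db)
        if (!(db in affected)) next         # e.g. passwd, group: out of scope
        src = $0; sub(/^[^:]*:/, "", src)
        cnt = split(src, tok, /[ \t]+/)
        # Exact token match: criteria such as [NOTFOUND=return] never equal "ldap".
        for (i = 1; i <= cnt; i++) if (tok[i] == "ldap") { print db; break }
    }' "$conf"
}

# Constructed sample file, not taken from a real host.
sample_conf() {
    cat <<'EOF'
passwd:   files ldap
hosts:    ldap dns [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
netgroup: ldap
ethers:   files   # ldap removed as a workaround
EOF
}

# Demo on the sample: prints hosts, networks, netgroup (one per line).
sample_conf | ldap_affected_dbs -
```

Empty output for the real "/etc/nsswitch.conf" means none of the listed databases uses LDAP on that host.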
Symptoms
There are no predictable symptoms that would show the described issue has been exploited to gain root privileges.
Workaround
To work around the described issue, edit the "/etc/nsswitch.conf" file to not use LDAP with the following databases (i.e. remove the "ldap" keyword for these database entries):
- bootparams
- ethers
- hosts
- ipnodes
- netgroup
- netmasks
- networks
For example, edit the following line in "/etc/nsswitch.conf" from:
hosts: ldap dns [NOTFOUND=return] files
to
hosts: dns [NOTFOUND=return] files
Editing the "/etc/nsswitch.conf" file requires root access rights.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 8 with patch 108993-29 or later
- Solaris 9 with patch 112960-09 or later
x86 Platform
- Solaris 8 with patch 108994-29 or later
- Solaris 9 with patch 114328-02 or later
Modification History
Date: 22-OCT-2003
- Updated Relief/Workaround section with temporary patches
Date: 23-OCT-2003
- Updated Relief/Workaround section
Date: 30-OCT-2003
Date: 06-NOV-2003
- Updated Contributing Factors, Relief/Workaround and Resolution sections
Date: 12-DEC-2003
- Updated Contributing Factors and Resolution sections
- State: Resolved
Date: 15-DEC-2003
- Minor modification to Contributing Factors and Resolution sections
References
112960-09
114328-02
108993-29
108994-29