Note: This is an archival copy of Security Sun Alert 200986 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000743.1.
Article ID : 1000743.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Systems With Sun StorEdge Enterprise Storage Manager 2.1 Installed May Allow an Unprivileged Local User to Gain Root Access

Category
Security

Release Phase
Resolved

Bug Id
5033990

Date of Resolved Release
18-JUN-2004

Impact

A local unprivileged user may be able to gain unauthorized root access on systems with Sun StorEdge Enterprise Storage Manager (ESM) 2.1 installed.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun StorEdge Enterprise Storage Manager (ESM) 2.1 (for Solaris 8 and Solaris 9) without patch 117367-01

This issue only occurs when a non-root user has been assigned the "ESMUser" role on the management station. (See the "Relief/Workaround" section below for information on how to determine if a user has been assigned the "ESMUser" role.)

Note 1: ESM versions 1.2 and 2.0 are not affected by this issue.

Note 2: ESM is not supported on the x86 platform.


Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to gain unauthorized root access to the system.


Workaround

Until patches can be applied, sites may want to remove the "ESMUser" role from all non-root users.

To determine if a user has been assigned the "ESMUser" role, use the following command: 

    # roles `logins -o | cut -f1 -d:` | grep ESMUser

This command will list the output in the form of: 

    <username> : <role list>

For example: 

    # roles `logins -o | cut -f1 -d:` | grep ESMUser
root : ESMUser
ESMUser : No roles
demo : ESMUser
perf : ESMUser

If "ESMUser" does not appear in the role list for any non-root username, then no further action is needed. However, if "ESMUser" does appear on the role list for a non-root username, remove it by running the following command: 

    # /opt/SUNWstm/bin/esm_user -r <username>

Given the example above, the corresponding commands to run would be: 

    # /opt/SUNWstm/bin/esm_user -r demo
Removing ESMUser role from local user: demo ...
Restarting name service cache daemon and smcwebserver...
Restarting smcwebserver...
Shutting down Sun(TM) Web Console Version 2.0.2...
Starting Sun(TM) Web Console Version 2.0.2...
See /var/log/webconsole/console_debug_log for server logging information
# /opt/SUNWstm/bin/esm_user -r perf
Removing ESMUser role from local user: perf ...
Restarting name service cache daemon and smcwebserver...
Restarting smcwebserver...
Shutting down Sun(TM) Web Console Version 2.0.2...
Starting Sun(TM) Web Console Version 2.0.2...
See /var/log/webconsole/console_debug_log for server logging information

Note: There is no need to run the "esm_user -r" command against the "ESMUser" username; only run it against other non-root usernames with "ESMUser" in their role list.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun StorEdge Enterprise Storage Manager 2.1 (for Solaris 8 and Solaris 9) with patch 117367-01 or later


Product
Sun StorageTek Enterprise Storage Manager 2.1

References

117367-01




Attachments
This solution has no attachment