Category
Security
Release Phase
Resolved
ProductSolaris 10 Operating System
Bug Id
6371429
Date of Resolved Release14-FEB-2006
Impact
An unprivileged local user may be able to execute arbitrary commands with elevated privileges on Kerberos systems due to a security vulnerability in the in.rexecd(1M) daemon.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 10 without patch 120329-02
x86 Platform
- Solaris 10 without patch 120330-02
Note 1: Solaris 8 and Solaris 9 are not affected by this issue.
Note 2: This issue only affects systems with the in.rexecd(1M) service enabled.
To determine if a system has the in.rexecd(1M) service enabled, the svcs(1) command can be run as follows:
$ svcs svc:/network/rexec:default
STATE STIME FMRI
online Jan_27 svc:/network/rexec:default
By default, the in.rexecd(1M) service is disabled on Solaris systems.
Note 3: This issue only affects systems which are configured to reference pam_krb5(5) in their pam.conf(4) file for the "other" column which is typically done as part of configuring a Kerberos client.
To determine if pam_krb5(5) is configured for the "other" service in the "/etc/pam.conf" file the following command can be run:
$ egrep "^other.*krb5" /etc/pam.conf || echo "Not impacted."
other auth sufficient pam_krb5.so.1
Symptoms
There are no reliable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with elevated privilege on a host.
Workaround
Until patches can be applied, sites may wish to disable the in.rexecd(1M) service using the svcadm(1M) command. For example:
# svcadm disable svc:/network/rexec:default
The service can be re-enabled using svcadm(1M) using the same command syntax as above except with "enable" in place of "disable".
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 10 with patch 120329-02 or later
x86 Platform
- Solaris 10 with patch 120330-02 or later
References
120329-02
120330-02
AttachmentsThis solution has no attachment