Note: This is an archival copy of Security Sun Alert 201495 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001117.1.
Article ID : 1001117.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-11-10
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris/SEAM Kerberos 5 Vulnerability due to Buffer Overflow/Underflow in Principal Name Handling



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4836676

Date of Workaround Release
28-APR-2003

Date of Resolved Release
11-NOV-2003

Impact

On Kerberos 5 enabled systems, an unprivileged local or remote user may be able to kill the Kerberos KDC and admin daemons, for example, krb5kdc(1M) and kadmind(1M). Some Kerberos client applications, such as kadmin(1M), are also affected by this issue.

This issue is described in MIT krb5 Security Advisory 2003-005 at: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • SEAM 1.0 for Solaris 2.6 without patches 112534-03 and 110057-07
  • SEAM 1.0 for Solaris 7 without patches 112536-04 and 110057-07
  • SEAM 1.0.1 for Solaris 8 without patch 110060-14
  • SEAM 1.0.2 for Solaris 9 without patch 116462-01
  • Solaris 8 without patches 112237-09 and 112390-08
  • Solaris 9 without patches 112925-03, 112923-03, 112921-02, and 112908-10

x86 Platform

  • SEAM 1.0 for Solaris 2.6 without patches 112535-03 and 110058-07
  • SEAM 1.0 for Solaris 7 without patches 112537-04 and 110058-07
  • SEAM 1.0.1 for Solaris 8 without patch 110061-14
  • Solaris 8 without patches 112238-08 and 112240-07
  • Solaris 9 without patches 116044-01, 116045-01, 116046-03, 113990-04, and 115168-02

For Solaris without SEAM, this issue may only occur if the system is configured with Kerberos. To verify, please issue the following:

    % grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___
    default_realm = EXAMPLE.COM

If nothing is returned or the "krb5.conf" file is not found, then the system is not configured for Kerberos.

Note: Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 2.6, 7, and 8. For more information on SEAM, please see the SEAM(5) man page.

Note: SEAM 1.0.2 for the Solaris 9 x86 platform already has the fix for this security issue.
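The following shell sketch combines the Kerberos configuration check above with a patch-revision check against the "or later" patch levels this alert lists. It is an added example, not part of the original Sun Alert. It assumes a POSIX sh and awk and works on saved `showrev -p` output; the sample listing, its revisions and the placeholder package name are constructed.

```sh
#!/bin/sh
# Added example. Reads saved text rather than a live system so it runs anywhere.

# Exit 0 if the krb5.conf at $1 names a real default realm (the alert's grep).
kerberos_configured() {
    [ -r "$1" ] || return 1
    grep default_realm "$1" | grep -v ___default_realm___ >/dev/null
}

# Exit 0 if patch $1 (e.g. 112925-03) or a later revision of it is listed in
# the saved `showrev -p` output at $2. Does not follow "Obsoletes:" chains.
patch_ok() {
    awk -v base="${1%-*}" -v need="${1#*-}" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 >= need + 0) ok = 1 }
        END { exit !ok }' "$2"
}

# Print the required patches (arguments after $1) that listing $1 lacks.
missing_patches() {
    listing=$1; shift; out=
    for req in "$@"; do
        patch_ok "$req" "$listing" || out="${out:+$out }$req"
    done
    echo "$out"
}

# Constructed sample: a Solaris 9 SPARC host with 112908 and 112925 at or above
# the required revision, 112921 one revision short, and 112923 not installed.
sample_showrev() {
    cat <<'EOF'
Patch: 112908-12 Obsoletes:  Requires:  Incompatibles:  Packages: PLACEHOLDERpkg
Patch: 112921-01 Obsoletes:  Requires:  Incompatibles:  Packages: PLACEHOLDERpkg
Patch: 112925-03 Obsoletes:  Requires:  Incompatibles:  Packages: PLACEHOLDERpkg
EOF
}

tmp=$(mktemp -d) && sample_showrev > "$tmp/showrev.txt"
printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$tmp/krb5.conf"
if kerberos_configured "$tmp/krb5.conf"; then
    echo "missing: $(missing_patches "$tmp/showrev.txt" \
        112925-03 112923-03 112921-02 112908-10)"
fi
rm -rf "$tmp"
```

On a real host, save the output of `showrev -p` to a file and pass it in place of the sample listing, together with the patch list for that release and platform.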


Symptoms

There are no predictable symptoms that would show that the described issue has occurred.


Workaround

Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet or disable the daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports.

Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • SEAM 1.0 for Solaris 2.6 with patches 112534-03 and 110057-07 or later
  • SEAM 1.0 for Solaris 7 with patches 112536-04 and 110057-07 or later
  • SEAM 1.0.1 for Solaris 8 with patch 110060-14 or later
  • SEAM 1.0.2 for Solaris 9 with patch 116462-01 or later
  • Solaris 8 with patches 112237-09 and 112390-08 or later
  • Solaris 9 with patches 112925-03, 112923-03, 112921-02, and 112908-10 or later

x86 Platform

  • SEAM 1.0 for Solaris 2.6 with patches 112535-03 and 110058-07 or later
  • SEAM 1.0 for Solaris 7 with patches 112537-04 and 110058-07 or later
  • SEAM 1.0.1 for Solaris 8 with patch 110061-14 or later
  • Solaris 8 with patches 112238-08 and 112240-07 or later
  • Solaris 9 with patches 116044-01, 116045-01, 116046-03, 113990-04, and 115168-02 or later

Note: It is necessary to restart the Kerberos network daemons after the patch installation(s) for the fix to take effect.

Execute the following commands as root:

    # /etc/init.d/kdc stop
    # /etc/init.d/kdc start
    # /etc/init.d/kdc.master stop
    # /etc/init.d/kdc.master start


Modification History
Date: 11-NOV-2003
  • Updated Contributing Factors, Relief/Workaround and Resolution sections
  • State: Resolved


References

112925-03
116044-01
112923-03
116045-01
112921-02
116046-03
112908-10
113990-04
115168-02
112237-09
112238-08
112390-08
112240-07
116462-01
110060-14
110061-14
110057-07
110058-07
112536-04
112537-04
112534-03
112535-03



