Note: This is an archival copy of Security Sun Alert 201800 as previously published on http://sunsolve.sun.com. The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001338.1.
Category: Security
Release Phase: Resolved

Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id: 5055875
Date of Workaround Release: 10-JUN-2004
Date of Resolved Release: 30-SEP-2004

Impact

On Kerberos 5 enabled systems using "auth_to_local" mapping through appropriate entries in the krb5 configuration file krb5.conf(4), an unprivileged local or remote user with Kerberos credentials may be able to execute arbitrary code with root privileges due to buffer overflows in the "krb5_aname_to_localname()" function.

This issue is described in CERT vulnerability VU#686862 at http://www.kb.cert.org/vuls/id/686862 and MIT krb5 Security Advisory 2004-001 at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform
x86 Platform
Notes:
For Solaris without SEAM, this issue may only occur if the system is configured to be a Kerberos client, verified by running the following command:

    % grep default_realm /etc/krb5/krb5.conf | grep -v __default_realm__
    default_realm = EXAMPLE.COM

If the command returns no output or the krb5.conf(4) file is not found, then the system is not configured for Kerberos.

In addition, systems are only vulnerable to this issue if they have been configured to enable the "explicit" mapping or "rules-based" mapping of the principal mapping functionality. This is not the default configuration. A system which is vulnerable will have one of the following entries in the krb5 configuration file (see krb5.conf(4)):

The explicit mapping form is similar to:

    auth_to_local_names = { aname = lname }

The rule-based mapping form is similar to:

    auth_to_local = RULE:foo

Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

Workaround

To work around the described issue, disable the "auth_to_local" rules by commenting out the "auth_to_local" entries in the "/etc/krb5/krb5.conf" configuration file.

Resolution

This issue is addressed in the following releases:

SPARC Platform
x86 Platform
Note: For Solaris 8, both patches must be installed to resolve this issue.

Note: Although this issue is shown to be resolved in patch release 112908-15 (see patch README), that patch revision has been obsoleted and is no longer available for download. Please use 112908-16 or later.

Modification History

Date: 30-SEP-2004
Date: 28-SEP-2004
Date: 24-SEP-2004
Date: 22-SEP-2004

References

112537-05 112536-05 112237-11 112238-10 112240-08 112390-09

Attachments

This solution has no attachment
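
The two configuration checks from the Notes under Contributing Factors, combined into one script. This is an added example, not part of the original Sun Alert or any Sun tooling; the function names check_krb5_mapping and make_samples and the sample files are constructed for illustration, and a POSIX grep with -E support is assumed.

```shell
#!/bin/sh
# Added example. check_krb5_mapping and make_samples are hypothetical helper
# names, not Solaris utilities. Assumes a POSIX grep with -E support.

# Prints one of:
#   not-configured   file missing, or no real default_realm (not a Kerberos client)
#   default-mapping  Kerberos client with no active explicit or rule-based mapping
#   mapping-enabled  active auth_to_local_names or auth_to_local = RULE: entry
check_krb5_mapping() {
    conf="${1:-/etc/krb5/krb5.conf}"
    [ -r "$conf" ] || { echo not-configured; return 0; }

    # Ignore comment lines so entries disabled by the workaround do not match.
    active=$(grep -v '^[[:space:]]*[#;]' "$conf" || true)

    # Same test as the advisory: a default_realm other than the placeholder.
    if ! printf '%s\n' "$active" | grep default_realm |
            grep -v __default_realm__ >/dev/null; then
        echo not-configured
        return 0
    fi

    # Explicit form: auth_to_local_names = { ... }; rule form: auth_to_local = RULE:...
    explicit='^[[:space:]]*auth_to_local_names[[:space:]]*='
    rule='^[[:space:]]*auth_to_local[[:space:]]*=[[:space:]]*RULE:'
    if printf '%s\n' "$active" | grep -E "$explicit|$rule" >/dev/null; then
        echo mapping-enabled
    else
        echo default-mapping
    fi
}

# Writes constructed sample krb5.conf files (not from a real system) into $1.
make_samples() {
    printf '%s\n' '[libdefaults]' ' default_realm = __default_realm__' \
        > "$1/stock.conf"
    printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' '[realms]' \
        ' EXAMPLE.COM = {' '  auth_to_local = RULE:foo' ' }' > "$1/rule.conf"
    printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' '[realms]' \
        ' EXAMPLE.COM = {' '  auth_to_local_names = {' '   aname = lname' \
        '  }' ' }' > "$1/explicit.conf"
    # The workaround: the same file with the auth_to_local line commented out.
    sed 's/^\( *\)auth_to_local/\1#auth_to_local/' "$1/rule.conf" \
        > "$1/workaround.conf"
}

# When run as a script with a path argument, classify that file.
if [ $# -gt 0 ]; then check_krb5_mapping "$1"; fi
```

A result of mapping-enabled means the file contains one of the two entry forms the advisory lists as vulnerable; once the workaround has been applied, the same file should report default-mapping.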