Note: This is an archival copy of Security Sun Alert 234303 as previously published on http://sunsolve.sun.com. The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019071.1.
Category: Security
Release Phase: Resolved

2 of 3 -- Security Sun Alert Archive Reference for Year 2001

If you need additional information for any of the following Sun Alerts please contact the Sun Alert Program Office at: sunalert_pmo@sun.com

These Sun Alerts are only available upon request. They are not part of the current collection which begins with January 1, 2003.

=================================================================================
1) Buffer Overflow in "arp" Command Might Lead to Unauthorized Root Access

Sun Alert ID: 100808 (formerly 25330)
BugIDs: 4296166
Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System

Unauthorized users might be able to gain root access rights.

=================================================================================
2) Audit Log Files in Solaris 8 64-bit Mode Are Not Written Correctly

Sun Alert ID: 100814 (formerly 25468)
BugIDs: 4349180
Product: Solaris 8 Operating System

This problem results in Solaris 8 (in 64-bit mode) audit log review and analysis not being possible.

=================================================================================
3) Java Application Might Modify Command Array, Leading to Potential Security Risk

Sun Alert ID: 100820 (formerly 25610)
BugIDs: none
Product: JDK and JRE 1.1.6

A vulnerability in certain versions of the Java(TM) Runtime Environment may allow malicious Java code to execute unauthorized commands. However, permission to execute at least one command must have been granted in order for this vulnerability to be exploited. Since no permission is granted by default, the circumstances necessary to exploit this vulnerability are relatively rare. On the Java Development Kit 1.1.x (JDK(TM) 1.1.x) (browsers included), an applet must be signed to have execute permission (signed applets may execute anything in JDK 1.1.x.)
=================================================================================
4) If Default Settings for Multicast Are Changed or Removed, the System is Vulnerable to Panic From Users

Sun Alert ID: 100804 (formerly 24919)
BugIDs: 4364977, 4081009
Product: Solaris 2.6 Operating System

A Solaris 2.6 system can be forced to panic from non-root users, if the multicast route has been changed or removed any time after the system has been booted.

=================================================================================
5) Session IDs Generated by Java Web Server 2.0 and Java Web Server 1.x may be Prone to Spoofing

Sun Alert ID: 100787 (formerly 24492)
BugIDs: 4386914
Product: Java Web Server 2.0

Session IDs generated by Java Web Server 2.0 or Java Web Server 1.x are not random and therefore might be guessed by unauthorized users. A successfully guessed session ID allows hijacking of another user's HTTP/HTTPS session. In this case, an unauthorized user would be able to view any information and perform any action on the Java Web Server the original user is allowed to.

=================================================================================
6) Socket Based Applications Using poll(), select() and accept() Function Calls Can Hang

Sun Alert ID: 100753 (formerly 23484)
BugIDs: 4158542, 4337605
Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

Socket based network server applications could stop responding. One important example of a network server application at risk is "inetd". If "inetd" stopped responding, all services provided by "inetd" (e.g. telnet, ftp, rlogin/rsh) would be unavailable.
=================================================================================
7) Buffer Overflow in X Socket Transport Code

Sun Alert ID: 100789 (formerly 24526)
Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4379301

Unauthorized users might be able to gain root access rights.

=================================================================================
8) Buffer Overflow in "cu" Command

Sun Alert ID: 100857 (formerly 27047)
BugIDs: 4406722
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

Local users may be able to gain unauthorized "uucp" user ID access, and potentially subsequent unauthorized root access, due to a buffer overflow in the "cu" command.

=================================================================================
9) "/usr/bin/finger" May Divulge Too Much User Account Information Which May be Misused

ID: 100855 (formerly 27020)
BugIDs: 4298986
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

Under certain circumstances the command "/usr/bin/finger" can divulge too much user account information which could be misused.

=================================================================================
10) Buffer Overflow in "ufsrestore" Command

ID: 100856 (formerly 27046)
BugIDs: 4339366
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

Unprivileged local users may be able to gain unauthorized root access due to a buffer overflow in the "ufsrestore" command.
=================================================================================
11) Setting PAM Authentication Mode to "Kerberos-only", Reveals a System's List of Valid User Login Names

ID: 100852 (formerly 26979)
BugIDs: 4351689
Product: Solaris 8 Operating System

Unauthorized local or remote users can determine if a given user login name is valid (i.e. if it is present in the "passwd" database) on the affected system.

=================================================================================
12) The "send(3SOCKET)" Library Function Does Not Handle Invalid Arguments Correctly

ID: 100861 (formerly 27115)
BugIDs: 4432295
Product: Solaris 7 Operating System, Solaris 8 Operating System

Unprivileged local users may be able to create socket based applications which pass invalid arguments to the "send(3SOCKET)" library function. This can cause the kernel to enter a busy loop and may result in a significant degradation of a system's responsiveness.

=================================================================================
13) tcsh(1) Creates Predictable tmpfiles When Using "here" ('<<') Documents

ID: 100859 (formerly 27103)
BugIDs: 4384076
Product: Solaris 8 Operating System

Unprivileged local users may be able to overwrite or create any file on the system if a root user had used the tcsh(1) shell to create a "here" document.

=================================================================================
14) "in.fingerd" May Divulge Too Much User Account Information Which May be Misused

ID: 100862 (formerly 27116)
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4298915

Under certain circumstances the command "/usr/bin/finger" can divulge too much user account information, specifically a complete list of all account names on a remote system.
=================================================================================
15) Security Issue with Automatic Mounting of Removable Media in Solaris 7 and Solaris 8

ID: 100865 (formerly 27203)
Product: Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4205437

Unprivileged local users may be able to gain unauthorized root access.

=================================================================================
16) 100864 2001-06-06 00:00:00.0 A Vulnerability in Sun Cluster 2.1 and 2.2 Might Cause the NFS Data Service to Overwrite System Files

ID: 100864 (formerly 27158)
Product: Sun Cluster 2.2
BugIDs: 4394811

A vulnerability in Sun Cluster 2.x might cause the NFS data service to overwrite system files.

=================================================================================
17) Buffer Overflow in admintool(1M) in Solaris

ID: 100870 (formerly 27353)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4354306

Unprivileged local users may be able to gain unauthorized root access due to a buffer overflow in admintool(1M).

=================================================================================
18) Unauthorised Users May Gain Access to Kernel Memory

ID: 100873 (formerly 27385)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System
BugIDs: 4110589

Unauthorised users can gain access to kernel memory where sensitive data may be held.

=================================================================================
19) Buffer overflow in ypbind(1M) in Solaris

ID: 100878 (formerly 27488)
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4362647

Unprivileged local or remote users may be able to gain unauthorized root access due to a buffer overflow in ypbind(1M).
Unprivileged local or remote users may also be able to kill the ypbind(1M) process, which will prevent NIS network lookup services from succeeding.

=================================================================================
20) Vulnerabilities in the Domain Name System (DNS) 'in.named' Process May Allow Remote Access to Superuser (root)

ID: 100851 (formerly 26965)
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4409676, 4444745

Vulnerabilities in the Domain Name System (DNS) 'in.named' process may allow remote intruders to:

#1 Gain access with the permissions and privileges of the superuser (root).
#2 Cause 'in.named' to abort.
#3 Obtain 'in.named' process information such as environment variables.

=================================================================================
21) The "in.ftpd" Process can Spuriously be Instructed to Connect to Privileged Ports

ID: 100772 (formerly 23892)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System
BugIDs: 4139895

The "in.ftpd" (FTP server) process can be instructed to connect and send data to privileged ports (ports < 1024) on arbitrary machines. This behavior can be exploited by unprivileged local or remote users to breach a system's security.

=================================================================================
22) The 'catman' Command has a Potential Security Vulnerability

ID: 100872 (formerly 27371)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4392144

Unprivileged local users may be able to overwrite or create any file on the system if a root user runs catman(1M).
=================================================================================
23) Buffer Overflow in "uucp" Command Might Allow Unauthorized uucp User ID Access

ID: 100887 (formerly 27592)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4416701

Local users may be able to gain unauthorized uucp user ID access due to a possible buffer overflow in the "uucp" binary. Users with uucp user ID access may subsequently gain unauthorized root user access rights.

=================================================================================
24) Using the Solstice AdminSuite 3.0.1 GUI User Rights May be Spuriously Allocated

ID: 100891 (formerly 27695)
Product:
BugIDs: 4470402

When using the Solstice AdminSuite 3.0.1 GUI, unprivileged users can potentially receive administration and access rights for various privileged operations, for example the ability to change other users' passwords, share file systems, assign IP addresses and other administration tasks within the domain in which AdminSuite is operating.

=================================================================================
25) Buffer Overflow in tip(1) Command Might Allow Unauthorized uucp User ID Access

ID: 100894 (formerly 27770)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4430971, 4063098, 4330475

Local users may be able to gain unauthorized uucp user ID access due to a possible buffer overflow in the "tip" binary. Users with uucp user ID access may subsequently gain unauthorized root user access rights.
=================================================================================
26) Problem in "snmpXdmi" Might Allow Remote Root Access

ID: 100853 (formerly 26981)
Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4412996, 4451002

A local or remote user can get Superuser (root) access and thus system security may be compromised.

=================================================================================
27) The "pam_ldap" PAM Module may Allow Unauthorized Access to a System

ID: 100889 (formerly 27601)
Product: Solaris 8 Operating System
BugIDs: 4384816, 4357912

Unauthorized local or remote users may be able to access user accounts and applications on a system.

=================================================================================
28) Buffer Overflow in "in.telnetd" or "telnetd" Process

ID: 100906 (formerly 28063)
Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4484541, 4483514

Unprivileged local and remote users may be able to kill the "in.telnetd" daemon. The "in.telnetd" daemon is normally spawned by the inetd daemon (see inetd(1M)) in response to a connection to the TELNET port as indicated by the /etc/services file (see services(4)). Sun does not believe that this issue can be exploited on Solaris systems to gain elevated privileges. This issue is described in CERT Advisory CA-2001-21 'Buffer Overflow in telnetd' (see http://www.cert.org/advisories/CA-2001-21.html).
=================================================================================
29) FTP Server Buffer Overflows May Allow Unauthorized Root Access and Memory Leaks May Cause Possible System Hang

ID: 100900 (formerly 27843)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4436988

An FTP server (in.ftpd(1M)) buffer overflow might allow unprivileged local or remote users to gain unauthorized root privileges. Some FTP commands may cause the FTP server to use 100% of the CPU time and leak memory. As a result a system hang may occur, causing a denial of service.

=================================================================================
30) Buffer Overflow in "libsldap.so.1" May Lead to Root Compromise

ID: 100905 (formerly 27890)
Product: Solaris 8 Operating System
BugIDs: 4449613

Unprivileged local users may be able to gain unauthorized root access due to a buffer overflow in libsldap.so.1.

=================================================================================
31) Buffer Overflow in "in.lpd" in Solaris Printing May Allow Remote Root Access

ID: 100897 (formerly 27797)
Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4446925

Unprivileged remote and local users may be able to gain unauthorized root access due to a buffer overflow in in.lpd(1M).

=================================================================================
32) Sendmail 8.9.3 is Susceptible to Misuse as a Spam Relay

ID: 100793 (formerly 24623)
Product: Solaris 7, Solaris 8
BugIDs: 4344081

Certain scenarios of misusing the "sendmail" program to relay mail on behalf of an external request can be avoided by running sendmail with the "-R hdrs" option. Sendmail 8.9.3 does not take account of this option, thereby being more susceptible to misuse as a relay for unsolicited email ("Spam").
=================================================================================
33) Buffer Overflow in whodo(1M) Command

ID: 100893 (formerly 27730)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4477380

Unprivileged local users may be able to gain unauthorized root access due to a buffer overflow in the whodo(1M) command.

=================================================================================
34) Using Kerberized Telnet with Solaris 8 May Lead to Unauthorized Root Access

ID: 100913 (formerly 40035)
Product: Solaris 8 Operating System
BugIDs: 4491825

Unprivileged local or remote users may be able to gain unauthorized root access due to a security vulnerability in the SEAM Kerberos V5 version of telnet.

=================================================================================
35) Remote User May Gain Unauthorized Superuser (root) Access if Using Kerberized "ftpd"

ID: 100854 (formerly 26987)
Product: SEAM 1.0.1
BugIDs: 4451327

If using Kerberos there are 3 possible outcomes to this issue:

* If anonymous FTP is enabled, a remote user may gain unauthorized root access.
* A user with access to a local account may gain unauthorized root access.
* A remote user authenticating the FTP daemon may obtain unauthorized root access, regardless of whether anonymous FTP is enabled or whether access is granted to a local account.

=================================================================================
36) Buffer Overflow in Curses(3CURSES) Library

100916 (formerly 40094)
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4313067

Unprivileged local users may be able to gain unauthorized elevated privileges if an application which uses the curses library is installed with setuid or setgid permissions.
Note: There are no setuid or setgid Sun applications which are affected by this issue.

=================================================================================
37) PC Netlink's Access Control List Permissions May be Lost After Restore of a Backup

ID: 100899 (formerly 27807)
Product: PC Netlink 1.x
BugIDs: None

Backing up and later restoring "PC Netlink" shared files or directories may cause PC Netlink Access Control List (ACL) information to get lost. As a result, access restrictions might get lost for files or directories accessed by PC clients through PC Netlink.

=================================================================================
38) The "patchadd" Utility Creates Temporary Files Insecurely

ID: 100917 (formerly 40122)
Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4399797

Unprivileged local users may be able to overwrite or create any file on the system if "patchadd" is used.

=================================================================================
39) Buffer Overflow in "rpc.yppasswdd" Process Might Lead to Unauthorized Root Access

ID: 100877 (formerly 27486)
Product: Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4456994

Remote users may be able to gain unauthorized root access to a NIS master server.

=================================================================================
40) vi(1) Creates Temporary Files Insecurely

ID: 100892 (formerly 27728)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4364594

Unprivileged local users may be able to overwrite or create any file on the system if a root user uses vi(1) or any of the related vi(1) commands, edit(1), ex(1), vedit(1), or view(1).
=================================================================================
41) Multi-homed Systems may Enter Wrong Entries Into Their ARP Table, Leading to a Loss of Network Connectivity

ID: 100921 (formerly 40303)
Product: Solaris 8 Operating System
BugIDs: 4363786

A multi-homed system (i.e. a system with more than one network interface) might lose network connectivity.

=================================================================================
41) auditreduce(1M) Fails to Parse Socket Tokens in the Audit Trail

ID: 100923 (formerly 40449)
Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System
BugIDs: 4174308

Attempts to merge or select audit records from the audit trail using auditreduce(1M) will fail if network events are being audited and a socket token is encountered.

=================================================================================
42) Java Runtime Environment May Allow an Untrusted Applet to Access the System Clipboard

ID: 100926 (formerly 40705)
Product: SDK and JRE 1.2
BugIDs: 4411888

A vulnerability in the Java Runtime Environment may allow an untrusted applet to access the system clipboard.

=================================================================================
43) Buffer Overflow in "ipcs" Command Might Allow Unauthorized sys Group ID Access

ID: 100888 (formerly 27600)
Product: Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4446945

Local users may be able to gain unauthorized sys group ID access due to a possible buffer overflow in the "ipcs" binary. Users with sys group ID access may subsequently gain unauthorized root user access rights.
=================================================================================
44) Sun Cluster 2.2 Components Create and Manipulate Temporary Files in an Insecure Way

ID: 100850 (formerly 26878)
Product: Sun Cluster 2.2
BugIDs: 4402020, 4406121, 4406127, 4406129, 4406137, 4406130, 4406131, 4406132, 4406133, 4402009

Several Sun Cluster 2.2 components create and manipulate temporary files in insecure ways. Some occurrences of this problem can lead to a local denial of service, as they can allow local users to potentially disable the system by overwriting critical system files such as /etc/passwd.

=================================================================================
45) Format String Vulnerability in ToolTalk Database Server

ID: 100931 (formerly 40770)
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4499995

The ToolTalk Database Server contains a format string vulnerability in "rpc.ttdbserverd" that could allow a remote attacker to gain root access to the affected system.

=================================================================================
46) bdiff(1) and sdiff(1) Create Temporary Files Insecurely

ID: 100935 (formerly 40837)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System
BugIDs: 4064007

Unprivileged local users may be able to overwrite or create any file on the system if a root user runs either bdiff(1) or sdiff(1).

=================================================================================
47) Setting the "KMF_REDZONE" Kernel Flag Might Lead to a System Panic

ID: 100867 (formerly 27325)
Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4448655

A system might panic on incoming telnet connections.
=================================================================================
48) Buffer Overflow in mailx(1) in Solaris

ID: 100941 (formerly 41017)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System
BugIDs: 4152234

Unprivileged local users may be able to gain unauthorized "gid" mail access due to a buffer overflow in mailx(1). This would allow users with access to a mail server to read, modify, and delete the e-mail of other users in /var/mail. This may possibly allow those users with unauthorized "gid" mail to subsequently gain unauthorized root access.

=================================================================================
49) Local Users May be able to Prevent an Enterprise 10000 System from Booting

ID: 100938 (formerly 40983)
Product: Sun Enterprise 10000 Server
BugIDs: None

Local users may be able to prevent an Enterprise 10000 system from booting. This does not pose an external security risk, however there is a remote chance that an unauthorized user with an account on the system could gain root access.

=================================================================================
50) Buffer overflow in Xsun(1) in Solaris

ID: 100839 (formerly 26359)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4356377, 4425845

Unauthorized local users may be able to gain unauthorized root access on Solaris x86 systems or gid root access on Solaris SPARC systems due to a buffer overflow in the Xsun server.

=================================================================================
51) Buffer Overflow in mailx(1) -F Option in Solaris

ID: 100952 (formerly 41400)
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4452732

Unprivileged local users may be able to gain unauthorized gid mail access due to a buffer overflow in mailx(1).
This would allow users with access to a mail server to read, modify, and delete the e-mail of other users in /var/mail.

=================================================================================
52) Buffer Overflow in CDE Subprocess Control Service Daemon (dtspcd)

ID: 100955 (formerly 41764)
Product: Solaris 2.4, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4527363

A library that the CDE Subprocess Control Service (dtspcd) daemon uses contains a buffer overflow vulnerability that could allow a remote user to gain root access to the affected system. This issue is described in the CERT Vulnerability VU#172583 (

=================================================================================
53) Buffer Overflow in login(1)

ID: 100966 (formerly 41987)
Product: Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
BugIDs: 4516885

Unprivileged local or remote users may be able to gain unauthorized root access due to a buffer overflow in login(1).

================= End of 2001 ===========================================

Product: Solaris 8 Operating System