Note: This is an archival copy of Security Sun Alert 268328 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020974.1.
Article ID : 1020974.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-06
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in Sun Virtual Desktop Infrastructure (VDI) Software 3.0 may Lead to Unauthorized Access to the VirtualBox Web Service



Category
Security

Release Phase
Resolved

Bug Id
6880209

Date of Resolved Release
03-Nov-2009

1. Impact

A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0 authentication mechanism may
allow remote unprivileged users to gain unauthorized access to the VirtualBox web service.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Sun VDI Software 3.0 (for Solaris 10) without patch 141481-03 and using VirtualBox 2.0.8 or 2.0.10
x86 Platform
  • Sun VDI Software 3.0 (for Solaris 10) without patch 141482-03 and using VirtualBox 2.0.8 or 2.0.10

Note 1: Sun VDI 2.0 does not provide integration with VirtualBox and therefore is not impacted by this issue.
To determine the version of Sun VDI Software on a system, the following command can be run:

 $ pkgparam SUNWvda-service VERSION  
3.0_71,REV=2009.03.11.11.27

Note 2: This issue is only present in Sun VDI 3.0 configurations using VirtualBox desktop providers.
To determine the type of desktop providers configured for Sun VDI 3.0, the following command can be run:

 # /opt/SUNWvda/sbin/vda provider-list | grep -i VirtualBox
<ProviderName> Sun VirtualBox 5 0 1% (155 MHz) 13% (2.2 GB) 0% (16.1 GB)

Note 3: This issue is only present for VirtualBox version 2.0.8 and 2.0.10 for Sun VDI.
To determine the version of VirtualBox on a system, the following command can be run:

 $ pkgparam SUNWvbox VERSION 
2.0.10,REV=r50334.2009.07.21.16.12


3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.
Access from hosts/IPs other than Sun VDI 3.0 core servers in the Apache2 access log
 (/var/apache2/logs/access_log) may indicate an unauthorized user.

4. Workaround

To work around the described issue, firewall rules may be configured on the VirtualBox hosts to allow
connections only from the VDI core servers. See the firewall product documentation for more information
on how to configure firewall rules.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Sun VDI Software 3.0 (for Solaris 10) with patch 141481-03 or later and with VirtualBox 2.0.12 or later

x86 Platform

  • Sun VDI Software 3.0 (for Solaris 10) with patch 141482-03 or later and with VirtualBox 2.0.12 or later.
Note: VirtualBox 2.0.12 is required to address the issue described, and may be
downloaded from the following URL:

    http://www.sun.com/software/vdi/get.jsp

Click on the "Download" button in the "Download Sun VDI Software 3" section.
VirtualBox 2.0.12 should be installed after applying the Sun VDI 3.0 patch (141481-03 or 141482-03).

For more information on Security Sun Alerts, see 1009886.1

Product
Sun Virtual Desktop Infrastructure Software 3.0

References

141481-03
141482-03

References

SUNPATCH:141481-03
SUNPATCH:141482-03



Attachments
This solution has no attachment