[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 39/04 - Two Sun Microsystems Security Alerts



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 39/04 dated 03.02.04  Time: 10:05
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Two Sun Microsystems Security Alerts

1. The pfexec(1) Command May Execute a "Profile" Command With Additional Privileges.
                     
2. Security Vulnerability Involving the tcsetattr(3C) Library Function on SPARC Based
   Systems.



Detail
====== 

1.  A local unprivileged user with a custom rights profile (see profiles(1)) may be able
to execute a profile command with greater privileges than originally assigned, if the 
execution profiles database (exec_attr(4)) contains an invalid entry for that custom
rights profile.  
   

2.  On SPARC based Solaris systems, a security vulnerability in the tcsetattr(3C) library function may
allow an unprivileged local user the ability to hang the system hard which is a type of Denial of
Service (DoS).   
   



1.   ESB-2004.0079 -- Sun(sm) Alert Notification - Sun Alert ID: 57453
               The pfexec(1) Command May Execute a "Profile" 
                     Command With Additional Privileges
                             02 February 2004


Product:                pfexec(1)
Publisher:              Sun Microsystems
Operating System:       Solaris 9
                        Solaris 8
Platform:               SPARC
                        IA-32
Impact:                 Increased Privileges
Access Required:        Existing Account

Original Bulletin:
         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57453

- - --------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57453
   SYNOPSIS: The pfexec(1) Command May Execute a "Profile" Command With
   Additional Privileges
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57453
     * Synopsis: The pfexec(1) Command May Execute a "Profile" Command
       With Additional Privileges
     * Category: Security
     * Product: Solaris
     * BugIDs: 4925561
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 29-Jan-2004
     * Date Closed: 29-Jan-2004
     * Date Modified:
       
1. Impact

   A local unprivileged user with a custom rights profile (see
   profiles(1)) may be able to execute a profile command with greater
   privileges than originally assigned, if the execution profiles
   database (exec_attr(4)) contains an invalid entry for that custom
   rights profile.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 8 without patch 109007-15
     * Solaris 9 without patch 116237-01
       
   x86 Platform
     * Solaris 8 without patch 109008-15
     * Solaris 9 without patch 116238-01
       
   Notes:
    1. Solaris 7 is not affected by this issue.
    2. The modification of the exec_attr(4) file requires "root"
       privileges.
       
   The pfexec(1) program is used to execute commands with the attributes
   specified by the user's profiles in the exec_attr(4) database. A user
   must be part of an execution profile in addition to the default
   profiles of "Basic Solaris User" and "All". A user can determine which
   profiles they are part of by running the profiles(1) command, as in
   this example:
    % profiles
    Basic Solaris User
    All                  

3. Symptoms

   There are no reliable symptoms that would show the described issue has
   been exploited to gain unauthorized elevated privileges on a host.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   There is no workaround. Please see the "Resolution" section below.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 8 with patch 109007-15 or later
     * Solaris 9 with patch 116237-01 or later
       
   x86 Platform
     * Solaris 8 with patch 109008-15 or later
     * Solaris 9 with patch 116238-01 or later
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.






2.   ESB-2004.0085 -- Sun(sm) Alert Notification - Sun Alert ID: 57474
  Security Vulnerability Involving the tcsetattr(3C) Library Function on
                            SPARC Based Systems
                             03 February 2004


Product:                tcsetattr(3C) library function
Publisher:              Sun Microsystems
Operating System:       Solaris 8
                        Solaris 7
                        Solaris 2.6
Platform:               SPARC
Impact:                 Denial of Service
Access Required:        Existing Account

Comment: Original Bulletin:

         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57474

- - --------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57474
   SYNOPSIS: Security Vulnerability Involving the tcsetattr(3C) Library
   Function on SPARC Based Systems
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57474
     * Synopsis: Security Vulnerability Involving the tcsetattr(3C)
       Library Function on SPARC Based Systems
     * Category: Security
     * Product: Solaris
     * BugIDs: 4360114
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 30-Jan-2004
     * Date Closed: 30-Jan-2004
     * Date Modified:
       
1. Impact

   On SPARC based Solaris systems, a security vulnerability in the
   tcsetattr(3C) library function may allow an unprivileged local user
   the ability to hang the system hard which is a type of Denial of
   Service (DoS).
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 2.6 without patch 105924-12
     * Solaris 7 without patch 107589-06
     * Solaris 8 without patch 109815-20
       
   Note: Solaris 9 and Solaris on the x86 platform are not affected by
   this issue.
   
3. Symptoms

   If the described issue occurs, the system will be unresponsive, and a
   reboot is typically required to regain functionality.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   There is no workaround. Please see the "Resolution" section below.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 2.6 with patch 105924-12 or later
     * Solaris 7 with patch 107589-06 or later
     * Solaris 8 with patch 109815-20 or later
     * Solaris 9
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.
   



 
- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQB9zH4pao72zK539AQFzMAQAkkfgIJGLLtR5QJ5AohB59kVqfow2xRb/
EHzHSPIage9zaK/Zkfz6KeSBOu7adAG0FbiXHHrFIOALLxN2hXF4egILfDOgjZk3
PQHO7gjy2XAxhCm3KznQ6tUCPlcCLD/SGt2hB1Hh3ynaTATUyQuMbE7hE8mUkqwn
HRSnag4Rf+M=
=pk4k
-----END PGP SIGNATURE-----