UNIRAS Brief - 35/05 - Three Sun Security Advisories:
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 35/05 dated 18.01.05 Time: 14:30
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------
Title
=====
Three Sun Security Advisories:
1. 57712 - Security Vulnerability in Kerberos 5 Administration Library
for Solaris/SEAM
2. 57707 - Java Runtime Environment Remote Denial-of-Service (DoS)
Vulnerability
3. 57717 - SMC Default Configuration GUI Creates User Accounts With
Blank Password Instead of Locked Account
Detail
======
1. Due to a heap buffer overflow, an authenticated user (not
necessarily one with administrative privileges) could execute
arbitrary code on the Kerberos Key Distribution Center (KDC) host,
compromising an entire Kerberos realm.
2. A vulnerability in the Java Runtime Environment (JRE)
involving object deserialization could be exploited remotely to cause
the Java Virtual Machine to become unresponsive, which is a type of
Denial-of-Service (DoS). This issue can affect the JRE if an
application that runs on it accepts serialized data from an untrusted
source.
3. User accounts created with the Solaris Management Console
(SMC) GUI which are configured for password aging (the shadow(4)
<min> and <max> fields will be set) may allow login without
specifying a password.
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2005.0051 -- Sun Alert Notification 57712
Security Vulnerability in Kerberos 5 Administration Library
for Solaris/SEAM
18 January 2005
===========================================================================
Product: Solaris Enterprise Authentication Mechanism (SEAM)
Publisher: Sun Microsystems
Operating System: Solaris
Impact: Execute Arbitrary Code/Commands
Access: Existing Account
CVE Names: CAN-2004-1189
Ref: ESB-2004.0805
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57712-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 57712
* Synopsis: Security Vulnerability in Kerberos 5 Administration
Library for Solaris/SEAM
* Category: Security
* Product: Solaris, Solaris Enterprise Authentication Mechanism
(SEAM)
* BugIDs: 6209960
* Avoidance: Workaround
* State: Committed
* Date Released: 22-Dec-2004
* Date Closed:
* Date Modified:
1. Impact
Due to a heap buffer overflow, an authenticated user (not
necessarily one with administrative privileges), could execute
arbitrary code on the Kerberos Key Distribution Center (KDC) host,
compromising an entire Kerberos realm.
This issue is described in the following documents:
MIT krb5 Security Advisory at
[2]http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
CVE CAN-2004-1189 at
[3]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 9
* SEAM 1.0.1 for Solaris 8
* SEAM 1.0.2 for Solaris 9
x86 Platform
* Solaris 9
* SEAM 1.0.1 for Solaris 8
* SEAM 1.0.2 for Solaris 9
Notes:
1. Systems running Solaris Enterprise Authentication Mechanism (SEAM)
1.0.1 for Solaris 8 and SEAM 1.0.2 for Solaris 9 are impacted by
this issue as SEAM 1.0.1 and 1.0.2 use the affected Kerberos
libraries delivered in Solaris.
2. Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled
product available for Solaris 7, 8 and 9. For more information on
SEAM, please see the SEAM(5) man page.
This issue may occur if the machine is configured as the Key
Distribution Center (KDC). To verify this, the following command can
be run:
    % ps -ef | grep kadmin
    root 321 1 0 Dec 10 ? 0:00 /usr/krb5/lib/kadmind
If the above command shows that the daemon kadmind(1M) is running,
then the machine is configured as the Key Distribution Center (KDC).
3. Symptoms
There are no predictable symptoms that would indicate the
described issue has been exploited.
Solution Summary
4. Relief/Workaround
It is advised that the history count is NOT
decreased on any policy in the Kerberos realm. If the count has been
decreased, it is advised to change it back to the previous higher
value. (The Kerberos password history count is the number of previous
passwords used by the principal that cannot be reused.)
To administer Kerberos, use kadmin(1M). To get the current history
count, the following command can be run at the kadmin(1M) prompt:
    kadmin: get_policy <name of the policy>
    Policy: ...
    ...
    Number of old keys kept: 3
    ...
Here, the history count is the number of "old keys" kept. If the
history count is changed from a higher number to the (current) lower
number, change it back to the previous higher number. This can be done
by running the following command at the kadmin(1M) prompt:
    kadmin: modify_policy -history <number> default
Please refer to kadmin(1M) man pages for further details.
5. Resolution
A final resolution is pending completion.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
References
1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57712-1#top
2. http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189
4. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57712-1#top
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2005.0050 -- Sun Alert Notification 57707
Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability
18 January 2005
===========================================================================
Product: Java SDK and JRE
Publisher: Sun Microsystems
Operating System: Solaris
Linux variants
Windows
Impact: Denial of Service
Access: Remote/Unauthenticated
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57707-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 57707
* Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS)
Vulnerability
* Category: Security
* Product: Java SDK and JRE
* BugIDs: 5037001
* Avoidance: Upgrade
* State: Resolved
* Date Released: 20-Dec-2004
* Date Closed: 20-Dec-2004
* Date Modified:
1. Impact
A vulnerability in the Java Runtime Environment (JRE)
involving object deserialization could be exploited remotely to cause
the Java Virtual Machine to become unresponsive, which is a type of
Denial-of-Service (DoS). This issue can affect the JRE if an
application that runs on it accepts serialized data from an untrusted
source.
Sun acknowledges with thanks, Marc Schoenefeld, for bringing this
issue to our attention.
2. Contributing Factors
This issue can occur in the following releases:
* SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases
for Windows, Solaris and Linux
Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not
affected by this issue.
To determine the version of Java on a system, the following command
can be run:
    % java -fullversion
    java full version "1.4.1_06-b01"
3. Symptoms
The Java Runtime Environment (JRE) is unresponsive.
Solution Summary
4. Relief/Workaround
There is no workaround. Please see the
"Resolution" section below.
5. Resolution
This issue is addressed in the following releases:
* SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux
J2SE releases are available for download at:
* J2SE 5.0 at [3]http://java.sun.com/j2se/1.5.0/download.jsp
* J2SE 1.4.2_06 at [4]http://java.sun.com/j2se/1.4.2/download.html
and [5]http://java.com/
Note: It is recommended that affected versions be removed from your
system. For more information, please see the installation notes on the
respective java.sun.com download pages.
References
1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57707-1#top
2. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57707-1#top
3. http://java.sun.com/j2se/1.5.0/download.jsp
4. http://java.sun.com/j2se/1.4.2/download.html
5. http://java.com/
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
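The version ranges in Sun Alert 57707 above can be applied to `java -fullversion` output mechanically. The following shell function is an added example, not part of the Sun or UNIRAS text; the function name `classify_java` and its result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Classify a `java -fullversion` line against the ranges given in Sun Alert 57707:
#   affected      all 1.4.0 and 1.4.1 releases, and 1.4.2 up to 1.4.2_05
#   fixed         1.4.2_06 and later
#   not-affected  releases before 1.4, and 5.0 (reported as 1.5.0)
#   not-listed    any release the alert does not mention
#   unknown       no version string found in the input
classify_java() {
    # Pull the quoted version out of: java full version "1.4.1_06-b01"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([0-9][^"]*\)".*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi

    base=${ver%%[_-]*}      # 1.4.1   (text before the first "_" or "-")
    rest=${ver#"$base"}     # _06-b01 (update and build suffix, may be empty)

    update=0
    case $rest in
        _*) update=${rest#_}                 # 06-b01
            update=${update%%[!0-9]*}        # 06
            update=$(printf '%s' "$update" | sed 's/^0*//')   # 6; avoids octal parsing
            [ -n "$update" ] || update=0 ;;
    esac

    case $base in
        1.4.0|1.4.1)        echo affected ;;
        1.4.2)              if [ "$update" -le 5 ]; then echo affected; else echo fixed; fi ;;
        1.[0-3]|1.[0-3].*)  echo not-affected ;;
        1.5|1.5.*)          echo not-affected ;;
        *)                  echo not-listed ;;
    esac
}

# Sample line taken from the alert text. On a live host, java -fullversion
# writes to stderr, so capture it with: classify_java "$(java -fullversion 2>&1)"
classify_java 'java full version "1.4.1_06-b01"'
```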
3.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2005.0043 -- Sun Alert Notification 57717
SMC Default Configuration GUI Creates User Accounts With
Blank Password Instead of Locked Account
17 January 2005
===========================================================================
Product: Solaris Management Console (SMC)
Publisher: Sun Microsystems
Operating System: Solaris
Impact: Reduced Security
Access: Existing Account
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57717-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 57717
* Synopsis: SMC Default Configuration GUI Creates User Accounts With
Blank Password Instead of Locked Account
* Category: Security
* Product: Solaris, Solaris Management Console (SMC)
* BugIDs: 4997883
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 10-Jan-2005
* Date Closed: 10-Jan-2005
* Date Modified:
1. Impact
User accounts created with the Solaris Management Console
(SMC) GUI which are configured for password aging (the shadow(4)
<min> and <max> fields will be set) may allow login without
specifying a password.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 8 without patches [2]113749-02 and [3]109134-31
* Solaris 9 without patches [4]114503-08 and [5]112945-29
x86 Platform
* Solaris 8 without patches [6]113750-02 and [7]109135-31
* Solaris 9 without patches [8]114504-08 and [9]114193-20
Note: Solaris 7 is not affected by this issue.
3. Symptoms
This issue can occur when a user account is created with
SMC (default configuration) with aging fields set and no password
supplied. The user account (when being created) is not prompted for a
password.
Solution Summary
4. Relief/Workaround
To work around the described issue, always supply
a password while creating user accounts with SMC (locked by default).
5. Resolution
This issue is resolved in the following releases:
SPARC Platform
* Solaris 8 with patches [11]113749-02 or later and [12]109134-31 or
later
* Solaris 9 with patches [13]114503-08 or later and [14]112945-29 or
later
x86 Platform
* Solaris 8 with patches [15]113750-02 or later and [16]109135-31 or
later
* Solaris 9 with patches [17]114504-08 or later and [18]114193-20 or
later
Note: Both patches listed for each version of Solaris must be
installed to resolve this issue.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
References
1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57717-1#top
2. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113749-02-1
3. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109134-31-1
4. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114503-08-1
5. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112945-29-1
6. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113750-02-1
7. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109135-31-1
8. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114504-08-1
9. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114193-20-1
10. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57717-1#top
11. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113749-02-1
12. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109134-31-1
13. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114503-08-1
14. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112945-29-1
15. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113750-02-1
16. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109135-31-1
17. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114504-08-1
18. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114193-20-1
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
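Accounts already left in the state Sun Alert 57717 describes (empty password field with the `<min>` or `<max>` aging field set) can be found by auditing the shadow(4) file. The following is an added example, not part of the Sun or UNIRAS text; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# List accounts in a shadow(4)-format file whose password field is empty
# while the <min> or <max> aging field is set.
# Fields: username:password:lastchg:min:max:warn:inactive:expire:flag
# Reading the real /etc/shadow requires root privileges.
blank_with_aging() {
    awk -F: '
        /^#/ || NF < 5 { next }                        # skip comments and short lines
        $2 == "" && ($4 != "" || $5 != "") { print $1 }
    ' "${1:-/etc/shadow}"
}

# Constructed sample data (not from a real system). "HASH" stands in for a
# password hash; *LK* is the Solaris marker for a locked account.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:HASH:6445::::::
alice::12800:7:90::::
bob:*LK*:12800:7:90::::
carol:HASH:12800:7:90::::
dave::::::::
EOF
}

# Demonstration on the constructed sample: only alice has an empty password
# together with aging fields. bob is locked, carol has a password, and dave
# has no aging fields set, so they are not reported by this check.
sample=${TMPDIR:-/tmp}/shadow.sample.$$
write_sample_shadow "$sample"
blank_with_aging "$sample"
rm -f "$sample"
```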
- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via
EMail to: uniras@xxxxxxxxxxxx
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----