
UNIRAS Brief - 35/05 - Three Sun Security Advisories:



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 35/05 dated 18.01.05  Time: 14:30  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Three Sun Security Advisories:

1. 57712 - Security Vulnerability in Kerberos 5 Administration Library 
for Solaris/SEAM

2. 57707 - Java Runtime Environment Remote Denial-of-Service (DoS) 
Vulnerability

3. 57717 - SMC Default Configuration GUI Creates User Accounts With
Blank Password Instead of Locked Account

Detail
====== 

1. Due to a heap buffer overflow, an authenticated user (not
necessarily one with administrative privileges) could execute
arbitrary code on the Kerberos Key Distribution Center (KDC) host,
compromising an entire Kerberos realm.

2. A vulnerability in the Java Runtime Environment (JRE)
involving object deserialization could be exploited remotely to cause
the Java Virtual Machine to become unresponsive, which is a type of
Denial-of-Service (DoS). This issue can affect the JRE if an
application that runs on it accepts serialized data from an untrusted
source.

3. User accounts created with the Solaris Management Console
(SMC) GUI which are configured for password aging (the shadow(4)
<min> and <max> fields will be set) may allow login without
specifying a password.





1.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             
               ESB-2005.0051 -- Sun Alert Notification 57712
        Security Vulnerability in Kerberos 5 Administration Library
                             for Solaris/SEAM
                              18 January 2005

===========================================================================

        

Product:           Solaris Enterprise Authentication Mechanism (SEAM)
Publisher:         Sun Microsystems
Operating System:  Solaris
Impact:            Execute Arbitrary Code/Commands
Access:            Existing Account
CVE Names:         CAN-2004-1189

Ref:               ESB-2004.0805

Original Bulletin: 
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57712-1

- - --------------------------BEGIN INCLUDED TEXT--------------------


   Sun(sm) Alert Notification 
     * Sun Alert ID: 57712
     * Synopsis: Security Vulnerability in Kerberos 5 Administration
       Library for Solaris/SEAM
     * Category: Security
     * Product: Solaris, Solaris Enterprise Authentication Mechanism
       (SEAM)
     * BugIDs: 6209960
     * Avoidance: Workaround
     * State: Committed
     * Date Released: 22-Dec-2004
     * Date Closed:
     * Date Modified:

   1. Impact Due to a heap buffer overflow, an authenticated user (not
   necessarily one with administrative privileges), could execute
   arbitrary code on the Kerberos Key Distribution Center (KDC) host,
   compromising an entire Kerberos realm.

   This issue is described in the following documents:

   MIT krb5 Security Advisory at
   [2]http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt

   CVE CAN-2004-1189 at
   [3]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189

   2. Contributing Factors This issue can occur in the following
   releases:

   SPARC Platform

     * Solaris 9
     * SEAM 1.0.1 for Solaris 8
     * SEAM 1.0.2 for Solaris 9

   x86 Platform

     * Solaris 9
     * SEAM 1.0.1 for Solaris 8
     * SEAM 1.0.2 for Solaris 9

   Notes:

    1. Systems running Solaris Enterprise Authentication Mechanism (SEAM)
       1.0.1 for Solaris 8 and SEAM 1.0.2 for Solaris 9 are impacted by
       this issue as SEAM 1.0.1 and 1.0.2 use the affected Kerberos
       libraries delivered in Solaris.
    2. Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled
       product available for Solaris 7, 8 and 9. For more information on
       SEAM, please see the SEAM(5) man page.

   This issue may occur if the machine is configured as the Key
   Distribution Center (KDC). To verify this, the following command can
   be run:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10 ?        0:00 /usr/krb5/lib/kadmind


   If the above command shows that the daemon kadmind(1M) is running,
   then the machine is configured as the Key Distribution Center (KDC).

   3. Symptoms There are no predictable symptoms that would indicate the
   described issue has been exploited.

   Solution Summary

   4. Relief/Workaround It is advised that the history count is NOT
   decreased on any policy in the Kerberos realm. If the count has been
   decreased, it is advised to change it back to the previous higher
   value. (The Kerberos password history count is the number of a
   principal's previous passwords that cannot be reused.)

   To administer Kerberos, use kadmin(1M). To get the current history
   count, the following command can be run at the kadmin(1M) prompt:

    kadmin: get_policy <name of the policy>
    Policy: ...
    ...
    Number of old keys kept: 3
    ...

   Here, the history count is the number of "old keys" kept. If the
   history count is changed from a higher number to the (current) lower
   number, change it back to the previous higher number. This can be done
   by running the following command at the kadmin(1M) prompt:

    kadmin: modify_policy -history <number> default

   Please refer to kadmin(1M) man pages for further details.

   5. Resolution A final resolution is pending completion.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.

References

   1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57712-1#top
   2. http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
   3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189
   4. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57712-1#top

- - --------------------------END INCLUDED TEXT--------------------


- -----END PGP SIGNATURE-----
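
The workaround in Sun Alert 57712 only helps if an administrator can tell
whether a policy's history count has been lowered. The script below is an
added example, not part of the Sun Alert or of SEAM: it compares the
"Number of old keys kept" lines from get_policy output against a recorded
baseline. The policy names, the baseline file format and all function names
are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not Sun's code: flag Kerberos policies whose password
# history count is lower than a previously recorded baseline.

# Constructed sample of get_policy output for two hypothetical policies,
# using the "Policy:" and "Number of old keys kept:" lines shown above.
sample_policies() {
    cat <<'EOF'
Policy: default
Number of old keys kept: 3
Policy: admins
Number of old keys kept: 5
EOF
}

# Constructed baseline, one "<policy> <history count>" pair per line.
sample_baseline() {
    cat <<'EOF'
default 5
admins 5
EOF
}

# $1 = baseline file; stdin = get_policy output for one or more policies.
# Prints "DECREASED <policy> <baseline> -> <current>" when the count dropped
# and "UNTRACKED <policy> <current>" when the policy has no baseline entry.
history_regressions() {
    awk -v basefile="$1" '
        BEGIN {
            while ((getline line < basefile) > 0) {
                if (split(line, f, " ") >= 2) base[f[1]] = f[2] + 0
            }
        }
        /^[ \t]*Policy:/ { name = $2; next }
        /^[ \t]*Number of old keys kept:/ {
            cur = $NF + 0
            if (!(name in base))
                printf "UNTRACKED %s %d\n", name, cur
            else if (cur < base[name])
                printf "DECREASED %s %d -> %d\n", name, base[name], cur
        }
    '
}

# Demo on the constructed data; a DECREASED line means the count should be
# restored with the modify_policy -history command quoted in the advisory.
demo_history() {
    tmp=$(mktemp) || return 1
    sample_baseline > "$tmp"
    sample_policies | history_regressions "$tmp"
    rm -f "$tmp"
}
demo_history
```
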



2.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             
               ESB-2005.0050 -- Sun Alert Notification 57707
   Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability
                              18 January 2005

===========================================================================

       

Product:           Java SDK and JRE
Publisher:         Sun Microsystems
Operating System:  Solaris
                   Linux variants
                   Windows
Impact:            Denial of Service
Access:            Remote/Unauthenticated

Original Bulletin: 
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57707-1

- - --------------------------BEGIN INCLUDED TEXT--------------------


   Sun(sm) Alert Notification 
     * Sun Alert ID: 57707
     * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS)
       Vulnerability
     * Category: Security
     * Product: Java SDK and JRE
     * BugIDs: 5037001
     * Avoidance: Upgrade
     * State: Resolved
     * Date Released: 20-Dec-2004
     * Date Closed: 20-Dec-2004
     * Date Modified:

   1. Impact A vulnerability in the Java Runtime Environment (JRE)
   involving object deserialization could be exploited remotely to cause
   the Java Virtual Machine to become unresponsive, which is a type of
   Denial-of-Service (DoS). This issue can affect the JRE if an
   application that runs on it accepts serialized data from an untrusted
   source.

   Sun acknowledges with thanks, Marc Schoenefeld, for bringing this
   issue to our attention.

   2. Contributing Factors This issue can occur in the following
   releases:

     * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases
       for Windows, Solaris and Linux

   Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not
   affected by this issue.

   To determine the version of Java on a system, the following command
   can be run:

    % java -fullversion
    java full version "1.4.1_06-b01"

   3. Symptoms The Java Runtime Environment (JRE) is unresponsive.

   Solution Summary

   4. Relief/Workaround There is no workaround. Please see the
   "Resolution" section below.

   5. Resolution This issue is addressed in the following releases:

     * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux

   J2SE releases are available for download at:

     * J2SE 5.0 at [3]http://java.sun.com/j2se/1.5.0/download.jsp
     * J2SE 1.4.2_06 at [4]http://java.sun.com/j2se/1.4.2/download.html
       and [5]http://java.com/

   Note: It is recommended that affected versions be removed from your
   system. For more information, please see the installation notes on the
   respective java.sun.com download pages.


References

   1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57707-1#top
   2. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57707-1#top
   3. http://java.sun.com/j2se/1.5.0/download.jsp
   4. http://java.sun.com/j2se/1.4.2/download.html
   5. http://java.com/

- - --------------------------END INCLUDED TEXT--------------------



- -----END PGP SIGNATURE-----
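
Sun Alert 57707 defines the affected and fixed releases by version string,
which is easy to misread for builds with no update suffix or with a
zero-padded update number. The function below is an added example, not part
of the Sun Alert: it classifies the output of "java -fullversion" against
the ranges stated in the alert. The function name and result labels are
assumptions, and the version strings in the demo loop are constructed.

```sh
#!/bin/sh
# Added example, not Sun's code: classify `java -fullversion` output against
# the release ranges listed in Sun Alert 57707.

# $1 = one line such as: java full version "1.4.1_06-b01"
# Prints one of: affected | fixed | not-affected | unlisted | unparsed
classify_jre() {
    # Pull out the quoted version, e.g. 1.4.1_06-b01
    q=$(printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    [ -n "$q" ] || { echo unparsed; return 0; }

    rel=${q%%-*}            # drop the build suffix  -> 1.4.1_06
    base=${rel%%_*}         # release line           -> 1.4.1
    upd=0                   # no "_NN" suffix means update 0
    case $rel in *_*) upd=${rel#*_} ;; esac
    upd=$(printf '%s' "$upd" | sed 's/^0*//')   # "06" -> "6"
    upd=${upd:-0}
    case $upd in *[!0-9]*) echo unparsed; return 0 ;; esac

    case $base in
        1.4.0|1.4.1)
            echo affected ;;              # all 1.4.0 and 1.4.1 releases
        1.4.2)
            if [ "$upd" -le 5 ]; then
                echo affected             # 1.4.2_05 and earlier
            else
                echo fixed                # 1.4.2_06 and later
            fi ;;
        1.5|1.5.*)
            echo not-affected ;;          # JDK and JRE 5.0
        1.[0-3]|1.[0-3].*)
            echo not-affected ;;          # releases prior to 1.4
        *)
            echo unlisted ;;              # the alert says nothing about these
    esac
}

# Demo on constructed version strings. On a live host use
#   classify_jre "$(java -fullversion 2>&1)"
# because java writes the version line to stderr.
for v in '1.4.1_06-b01' '1.4.2-b28' '1.4.2_05-b04' '1.4.2_06-b03' '1.5.0-b64'; do
    printf '%s %s\n' "$v" "$(classify_jre "java full version \"$v\"")"
done
```
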



3.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             

               ESB-2005.0043 -- Sun Alert Notification 57717
         SMC Default Configuration GUI Creates User Accounts With
                 Blank Password Instead of Locked Account
                              17 January 2005

===========================================================================

        

Product:           Solaris Management Console (SMC)
Publisher:         Sun Microsystems
Operating System:  Solaris
Impact:            Reduced Security
Access:            Existing Account

Original Bulletin:
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57717-1

- - --------------------------BEGIN INCLUDED TEXT--------------------

   Sun(sm) Alert Notification 
     * Sun Alert ID: 57717
     * Synopsis: SMC Default Configuration GUI Creates User Accounts With
       Blank Password Instead of Locked Account
     * Category: Security
     * Product: Solaris, Solaris Management Console (SMC)
     * BugIDs: 4997883
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 10-Jan-2005
     * Date Closed: 10-Jan-2005
     * Date Modified:

   1. Impact User accounts created with the Solaris Management Console
   (SMC) GUI which are configured for password aging (the shadow(4)
   <min> and <max> fields will be set) may allow login without
   specifying a password.

   2. Contributing Factors This issue can occur in the following
   releases:

   SPARC Platform

     * Solaris 8 without patches [2]113749-02 and [3]109134-31
     * Solaris 9 without patches [4]114503-08 and [5]112945-29

   x86 Platform

     * Solaris 8 without patches [6]113750-02 and [7]109135-31
     * Solaris 9 without patches [8]114504-08 and [9]114193-20

   Note: Solaris 7 is not affected by this issue.

   3. Symptoms This issue can occur when a user account is created with
   SMC (default configuration) with aging fields set and no password
   supplied. The user account (when being created) is not prompted for a
   password.

   Solution Summary

   4. Relief/Workaround To work around the described issue, always supply
   a password while creating user accounts with SMC (locked by default).

   5. Resolution This issue is resolved in the following releases:

   SPARC Platform

     * Solaris 8 with patches [11]113749-02 or later and [12]109134-31 or
       later
     * Solaris 9 with patches [13]114503-08 or later and [14]112945-29 or
       later

   x86 Platform

     * Solaris 8 with patches [15]113750-02 or later and [16]109135-31 or
       later
     * Solaris 9 with patches [17]114504-08 or later and [18]114193-20 or
       later

   Note: Both patches listed for each version of Solaris must be
   installed to resolve this issue.

   Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.

References

   1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57717-1#top
   2. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113749-02-1
   3. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109134-31-1
   4. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114503-08-1
   5. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112945-29-1
   6. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113750-02-1
   7. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109135-31-1
   8. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114504-08-1
   9. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114193-20-1
  10. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57717-1#top
  11. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113749-02-1
  12. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109134-31-1
  13. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114503-08-1
  14. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112945-29-1
  15. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-113750-02-1
  16. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109135-31-1
  17. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114504-08-1
  18. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114193-20-1

- - --------------------------END INCLUDED TEXT--------------------


- -----END PGP SIGNATURE-----
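
Installing the patches named in Sun Alert 57717 does not repair accounts
that were already created with a blank password, so existing shadow(4)
entries still need to be audited. The script below is an added example, not
part of the Sun Alert: it lists accounts whose password field is empty and
tags those that also have <min> or <max> set, which is the symptom the
alert describes. The account names and hashes are constructed, and the
function names are assumptions.

```sh
#!/bin/sh
# Added example, not Sun's code: audit a shadow(4)-format file for accounts
# with an empty password field, the state Sun Alert 57717 describes.
# shadow(4) fields: name:passwd:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample data, no real accounts. "*LK*" in the password field
# is how Solaris marks a locked account, which is what SMC should have set.
sample_shadow() {
    cat <<'EOF'
root:constructedHashAA:12800::::::
alice::12801:7:90::::
bob:*LK*:12801:7:90::::
carol::12802::::::
dave:constructedHashBB:12802:7:90:14:::
EOF
}

# stdin = shadow(4) lines. Prints one finding per account whose password
# field is empty. AGING marks entries that also have min or max set and so
# match the alert's symptom; NOAGING marks other blank-password entries.
audit_blank_passwords() {
    awk -F: '
        NF < 5 { next }                  # skip blank or malformed lines
        $2 == "" {
            tag = "NOAGING"
            if ($4 != "" || $5 != "") tag = "AGING"
            printf "%s %s min=%s max=%s\n", tag, $1, $4, $5
        }
    '
}

# Same audit with an exit status: 0 when clean, 1 when any blank-password
# account exists, so it can gate a cron job or a post-patch check.
check_shadow() {
    findings=$(audit_blank_passwords)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on the constructed data. On a live system run as root:
#   check_shadow < /etc/shadow
sample_shadow | audit_blank_passwords
```

Each account reported should be given a password or locked; bob in the
sample shows the locked state that is not reported.
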


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

-----END PGP SIGNATURE-----