[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Sun] Schwachstelle im Solaris 10 Loopback Dateisystem - Sun Alert ID 102699



-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Liebe Kolleginnen und Kollegen,

soeben erreichte uns das nachfolgende Bulletin des SUN Customer Warning
System. Wir geben diese Informationen unveraendert an Sie weiter.

Solaris 10 bietet die Moeglichkeit, die Resourcen des Betriebssystems
(z.B. Dateisystem und CPU-Zeit), innerhalb von Zonen zu partionieren.
Dabei kann ein Prozess nur auf die Resourcen innerhalb der eigenen Zone
zugreifen. Es wird dabei zwischen der globalen Zone und nicht-globalen
Zonen unterschieden.

  Schwachstelle im Solaris 10 Loopback Dateisystem

  In Solaris 10 existiert eine Schwachstelle im Loopback Dateisystem
  (LOFS), die im Zusammenhang mit dem Solaris Zonenkonzept steht. Bei
  bestimmten Zonen- und LOFS-Konfigurationen koennen Dateien in nur
  lesbar montierten LOFS-Dateisystemen geloescht oder umbenannt werden.
  Dies betrifft auch Dateien in der globalen Zone, die durch das
  LOFS-Dateisystem in nicht-globale Zonen exportiert werden. Ein
  lokaler, privilegierter Angreifer in einer nicht-globalen Zone kann
  diese Schwachstelle fuer Denial of Service Angriffe auf das System
  ausnutzen und eventuell auch seine eigenen Privilegien in der globalen
  Zone erhoehen.

Betroffen sind die folgenden Software Pakete und Plattformen:

  SPARC Platform
   Solaris 10 vor Patch 118833-28
  
  x86 Platform
   Solaris 10 vor Patch 118855-28

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-102699-1


(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
		Klaus Moeller, DFN-CERT


Sun(sm) Alert Notification
     * Sun Alert ID: 102699
     * Synopsis: A Security Vulnerability in the Solaris 10 Loopback FileSystem
       (LOFS) May Allow Files in a Non-global Zone to be Moved or Renamed From
       a Read-Only Fileystem
     * Category: Security
     * Product: Solaris 10 Operating System
     * BugIDs: 6366432
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 01-Feb-2007
     * Date Closed: 01-Feb-2007
     * Date Modified: 

1. Impact

   Local privileged users inside a non-global zone may be able to move or
   rename files which are part of a read-only mounted loopback file system (see
   lofs(7FS)). This filesystem may be shared with the global zone, which would
   result in the files being removed from the global zone also.  This can
   result in a Denial of Service (DoS) to the non-global zone and the global
   zone.

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Solaris 10 without patch 118833-28

   x86 Platform
     * Solaris 10 without patch 118855-28

   Note: Solaris 8 and Solaris 9 are not impacted by this issue.

   This issue only impacts systems which have non-global zones configured with
   the read-only LOFS root filesystem using the root filesystem of the global
   zone as the underlying filesystem.

   To determine if a system is configured with non-global zones utilizing
   read-only loopback filesystems the following commands can be run from the
   global zone:

   1. Display the name of the current zones on the system:
    $ zoneadm list -cv
    ID NAME             STATUS         PATH
    0 global           running        /
    2 localzone1       running        /zones/localzone1
    3 localzone2       running        /export/localzone2

   2. Search the mounted file system table file (mnttab(4)) for read-only and
   loopback entries for the path to the non-global zones (as listed under the
   "PATH" heading above):
    $ egrep "(/zones/localzone1|/export/localzone2).*lofs.*ro"
    /lib - /zones/localzone1/root/lib lofs - no ro,nodevices,nosub
    /usr - /export/localzone2/root/usr lofs - no ro,nodevices,nosub

   Any pathname which is found by the egrep(1) command is affected by this
   issue.

3. Symptoms

   If this issue has been exploited, the user may notice files missing or moved
   out of the affected filesystem, either in the global zone or in the
   non-global zone. Services which depend on these files may no longer be
   available.
   Solution Summary Top

4. Relief/Workaround

   There is no workaround. Please see the "Resolution" section below.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Solaris 10 with patch 118833-28 or later

   x86 Platform
     * Solaris 10 with patch 118855-28 or later

   This Sun Alert notification is being provided to you on an "AS IS" basis.
   This Sun Alert notification may contain information provided by third
   parties. The issues described in this Sun Alert notification may or may not
   impact your system(s). Sun makes no representations, warranties, or
   guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
   HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
   IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
   CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
   INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
   proprietary and confidential information. It is being provided to you
   pursuant to the provisions of your agreement to purchase services from Sun,
   or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
   Alert notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.

- -- 
Dipl. Inform. Klaus Moeller (CSIRT)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBRcNUTxYd1iQZmhQQAQGnJwf/dknrlMy0GC+dhYbZ32RtnfIwUoj9t2oL
g5fBjHJx7zsIdkuZH9QdfTrVG8phmgdp31lAXxvOr4a/hkd/ziw8sVWsVM/JzKx5
hURJH9EP1U5Ut0vLw/bWIUUi/O+MYKZGtYCLuQCRkfFbCwyqAonjyS7yMmqCJgRH
7pd/cUhDwwsKwCisP8r6VWXVeRmfQAFnHVmuBu5boQT8XuaFiUXUGozvt9TPCm8P
06rs5dqUn51NGxR+h7M5GQRusz55hkB5M4oLH6eCDOkd+D3xe2Qj+r6YTvaUN9Ji
RDqdIbw5dNSxGFzmHCqijOXLtZJqMy4lT29+HD6axqvNZ3DaXdLzqQ==
=LBY9
-----END PGP SIGNATURE-----