[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 94/04 - Three Sun Microsystems Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 94/04 dated 01.03.04  Time: 14:30  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Three Sun Microsystems Advisories:

1. SunPlex (Sun Cluster) Multiple Security Vulnerabilities in OpenSSL Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) Protocols.

2. Security Vulnerability Involving the passwd(1) Command.

3. Security Vulnerability in "/usr/lib/print/conv_fix" May Allow Unauthorized 
Privileges and/or Denial of Service.


Detail
====== 

1. On systems running Sun Cluster 3.x with SunPlex Manager configured, a
remote unprivileged user (who has obtained "root" privileges) may cause a
Denial of Service (DoS) and arbitrary code execution due to multiple 
vulnerabilities in OpenSSL Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols.

2. A local unprivileged user may be able to gain unauthorized root
privileges due to a security issue involving the passwd(1) command.

3. The "/usr/lib/print/conv_fix" command is invoked by the conv_lpd(1M)
script and contains a security vulnerability. If the conv_lpd(1M)script 
is executed as the "root" user, it may be possible for unprivileged local users
to exploit this vulnerability to overwrite or create any file on the system.
   







1.
     ESB-2004.0160 -- Sun(sm) Alert Notification - Sun Alert ID: 57475  SunPlex (Sun Cluster) Multiple Security Vulnerabilities in OpenSSL Secure
     Sockets Layer (SSL) and Transport Layer Security (TLS) Protocols
                                 *REVISED*
                             25 February 2004

        ---------------------------------

Product:                Sun Cluster 3.0 with SunPlex Manager configured
                        without patch 113505-02 (for Solaris 8) or
                        without patch 113508-02 (for Solaris 9)
                        Sun Cluster 3.1 with SunPlex Manager configured
Publisher:              Sun Microsystems
Operating System:       Solaris 9
                        Solaris 8
Platform:               SPARC
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2003-0543 CAN-2003-0544 CAN-2003-0545

Ref:                    AL-2003.18
                        ESB-2004.0129
                        ESB-2003.0698
Original Bulletin:
         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57475

Comment: This bulletin provides details of final patches for Sun Cluster
         3.0 with SunPlex Manager configured without patch 113505-02 or
         later (for Solaris 8) or without patch 113508-02 or later (for
         Solaris 9). T-patches are available for Sun Cluster 3.1.

- - --------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57475
   SYNOPSIS: SunPlex (Sun Cluster) Multiple Security Vulnerabilities in
   OpenSSL Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
   Protocols
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57475
     * Synopsis: SunPlex (Sun Cluster) Multiple Security Vulnerabilities
       in OpenSSL Secure Sockets Layer (SSL) and Transport Layer Security
       (TLS) Protocols
     * Category: Security
     * Product: Sun Cluster
     * BugIDs: 4959521
     * Avoidance: Workaround, T-Patch
     * State: Engineering Complete
     * Date Released: 16-Jan-2004
     * Date Closed:
     * Date Modified: 09-Feb-2004, 23-Feb-2004
       
1. Impact

   On systems running Sun Cluster 3.x with SunPlex Manager configured, a
   remote unprivileged user (who has obtained "root" privileges) may
   cause a Denial of Service (DoS) and arbitrary code execution due to
   multiple vulnerabilities in OpenSSL Secure Sockets Layer (SSL) and
   Transport Layer Security (TLS) protocols.
   
   This issue is also described in CERT Vulnerability VU#104280 at
   [1]http://www.kb.cert.org/vuls/id/104280, which is referenced in CERT
   Advisory CA-2003-26 at
   [2]http://www.cert.org/advisories/CA-2003-26.html. Also see the NISCC
   Vulnerability Advisory 006489/TLS at
   [3]http://www.uniras.gov.uk/vuls/2003/006489/tls.htm.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Sun Cluster 3.0 (for Solaris 8) with SunPlex Manager configured,
       without patch 113505-02
     * Sun Cluster 3.0 (for Solaris 9) with SunPlex Manager configured,
       without patch 113508-02
     * Sun Cluster 3.1 (for Solaris 8) with SunPlex Manager configured
     * Sun Cluster 3.1 (for Solaris 9) with SunPlex Manager configured
       
   Notes:
    1. Sun Cluster 3.x is not supported on Solaris 7 or Solaris x86
       platforms.
    2. Sun Cluster 2.x is not affected by this issue.
    3. Sun Cluster component SunPlex Manager uses OpenSSL.
       
   To determine if SunPlex Manager is configured and running on a cluster
   node, run the following command:
    $ /usr/bin/ps -fp `/usr/bin/cat /var/cluster/spm/httpd.pid`


   If the output is similar to the following:
    UID   PID   PPID   C   STIME TTY  TIME  CMD
    root  2907     1   0   Nov 19 ?   0:02  /usr/apache/bin/httpd -DSSL -f /opt
/SUNWscvw/conf/httpd.conf

   then SunPlex Manager is running on this cluster node. If the above
   command returns no process information or an error, SunPlex Manager is
   not running on this cluster node.
   
3. Symptoms

   There are no predictable symptoms that would indicate the above
   described issue has been exploited.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   To work around the described issue, systems can be protected by
   completely stopping the SunPlex Manager by running the following
   command:
    $ /etc/init.d/initspm stop

   The following T-patches are available through normal support channels
   for the following releases:
   
   SPARC Platform
     * Sun Cluster 3.1 (for Solaris 8) T-Patch T115054-01
     * Sun Cluster 3.1 (for Solaris 9) T-Patch T115055-01
       
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Sun Cluster 3.0 (for Solaris 8) with patch 113505-02 or later
     * Sun Cluster 3.0 (for Solaris 9) with patch 113508-02 or later
       
   A final resolution is pending release of final patches for Sun Cluster
   3.1 for Solaris 8 and 9.
   
Change History

   09-Feb-2004:
     * Updated Contributing Factors and Relief/Workaround sections to add
       T-Patch information
       
   23-Feb-2004:
     * Updated Contributing Factors and Resolution sections
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.
   

References

   1. http://www.kb.cert.org/vuls/id/104280
   2. http://www.cert.org/advisories/CA-2003-26.html
   3. http://www.uniras.gov.uk/vuls/2003/006489/tls.htm






2. 
     ESB-2004.0168 -- Sun(sm) Alert Notification - Sun Alert ID: 57454
          Security Vulnerability Involving the passwd(1) Command
                               01 March 2004

        ---------------------------------

Product:                passwd
Publisher:              Sun Microsystems
Operating System:       Solaris 9
                        Solaris 8
Platform:               SPARC
                        x86
Impact:                 Root Compromise
Access Required:        Existing Account

- - --------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57454
   SYNOPSIS: Security Vulnerability Involving the passwd(1) Command
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57454
     * Synopsis: Security Vulnerability Involving the passwd(1) Command
     * Category: Security
     * Product: Solaris
     * BugIDs: 4793719
     * Avoidance: Patch
     * State: Resolved
     * Date Released: 26-Feb-2004
     * Date Closed: 26-Feb-2004
     * Date Modified:
       
1. Impact

   A local unprivileged user may be able to gain unauthorized root
   privileges due to a security issue involving the passwd(1) command.
   
   Sun acknowledges, with thanks, Tim Wort (Tim.Wort@xxxxxxxxxxxxxxxxxxx)
   for contacting us regarding this issue.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 8 with patch 108993-14 through 108993-31 and without patch
       108993-32
     * Solaris 9 without patch 113476-11
       
   x86 Platform
     * Solaris 8 with patch 108994-14 through 108994-31 and without patch
       108994-32
     * Solaris 9 without patch 114242-07
       
   Note: Solaris 7 is not affected by this issue.
   
3. Symptoms

   There are no reliable symptoms that would show the described issue has
   been exploited to gain unauthorized elevated privileges to a host.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   There is no workaround for this issue.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 8 with patch 108993-32 or later
     * Solaris 9 with patch 113476-11 or later
       
   x86 Platform
     * Solaris 8 with patch 108994-32 or later
     * Solaris 9 with patch 114242-07 or later
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.
   





3.


     ESB-2004.0169 -- Sun(sm) Alert Notification - Sun Alert ID: 57509
       Security Vulnerability in "/usr/lib/print/conv_fix" May Allow
             Unauthorized Privileges and/or Denial of Service
                               01 March 2004


Product:                conv_fix (executed by conv_lpd)
Publisher:              Sun Microsystems
Operating System:       Solaris 9
                        Solaris 8
                        Solaris 7
Platform:               SPARC
                        IA-32
Impact:                 Create Arbitrary Files
                        Overwrite Arbitrary Files
                        Denial of Service
Access Required:        Existing Account

Original Bulletin:

         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57509

- - --------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57509
   SYNOPSIS: Security Vulnerability in "/usr/lib/print/conv_fix" May
   Allow Unauthorized Privileges and/or Denial of Service
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57509
     * Synopsis: Security Vulnerability in "/usr/lib/print/conv_fix" May
       Allow Unauthorized Privileges and/or Denial of Service
     * Category: Security
     * Product: Solaris
     * BugIDs: 4705947, 4705948
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 26-Feb-2004
     * Date Closed: 26-Feb-2004
     * Date Modified:
       
1. Impact

   The "/usr/lib/print/conv_fix" command is invoked by the conv_lpd(1M)
   script and contains a security vulnerability. If the conv_lpd(1M)
   script is executed as the "root" user, it may be possible for
   unprivileged local users to exploit this vulnerability to overwrite or
   create any file on the system. This could lead to unauthorized
   elevated privileges or allow a Denial of Service (DoS) against the
   system.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Solaris 7 without patch 107115-14
     * Solaris 8 without patch 109320-09
     * Solaris 9 without patch 113329-05
       
   x86 Platform
     * Solaris 7 without patch 107116-14
     * Solaris 8 without patch 109321-09
     * Solaris 9 without patch 114980-05
       
3. Symptoms

   There are no reliable symptoms that would indicate the described issue
   has been exploited, as it depends on which file is overwritten or
   created.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   To work around the described issue, run conv_lpd(1M) as a non-root
   user.
   
5. Resolution

   This issue is addressed in the following releases:
   
   SPARC Platform
     * Solaris 7 with patch 107115-14 or later
     * Solaris 8 with patch 109320-09 or later
     * Solaris 9 with patch 113329-05 or later
       
   x86 Platform
     * Solaris 7 with patch 107116-14 or later
     * Solaris 8 with patch 109321-09 or later
     * Solaris 9 with patch 114980-05 or later
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.





- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQENHTIpao72zK539AQFZRQP+JQYBiI85C0m+nTAEr2lgWVjkseHCLV9v
Awqc7xYSMjE3hUZMTnI4pdGtksp5Kr4simH3jh6avEqoYfYHIUZ+uTe0x9uHZiLz
qw/1Wj7mzxr9hZtQyrrnJu/74FU73YjUCaJuQ+pT6mNTuROZJCjYm8DZ6Tjt78oL
zNkUTq+yg8w=
=Ih9d
-----END PGP SIGNATURE-----