ITSS Information Security Services
Sun Releases Patches for Two Privilege Escalation Vulnerabilities -- 23 January 2004
Summary
If you run Solaris 7, 8, or 9, you need
to install a critical patch to prevent a local user
from gaining root access to your system. This vulnerability
is part of the default install and there is NO workaround.
Stanford has experienced a rash of Solaris intrusions
in the last month related to escalation of privileges
on local accounts, so installing this one promptly is
HIGHLY recommended.
Solaris 7 (SPARC): http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=106541&rev=29
Solaris 7 (Intel): http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=106542&rev=29
Solaris 8 (SPARC): http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108528&rev=27
Solaris 8 (Intel): http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108529&rev=27
Solaris 9 (SPARC): http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112233&rev=11
Solaris 9 (Intel): http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112234&rev=11
These patches require the system to be rebooted after
installation.
Note: Solaris 2.6 HAS NOT BEEN EVALUATED for vulnerability
to this issue, which means we don't know whether the
same problem is there or not. Sun is not releasing a
patch for 2.6.
In addition, if you run Solaris 9, there's a vulnerability
in the software that supports IPsec, which comes in
the default installation of Solaris 9. This vulnerability
may allow a local user or an unauthenticated remote
user to achieve root access, so it's also critical to
apply this one:
SPARC: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=113451&rev=05
Intel: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=114435&rev=03
This patch also requires a reboot.
Technical Details
Sun has provided little information about
either of the vulnerabilities they announced on 22 January
2004 [1,2]. The first vulnerability exists in the loading
of arbitrary kernel modules -- apparently this action
can be performed by an unprivileged local user. Due
to an unexplained problem, this may allow a malicious
local user to elevate privileges and execute code within
the root user security context, giving her essentially unlimited
control over the system. This problem exists in Solaris
7, 8 and 9, on x86 and SPARC platforms.
The second vulnerability exists only in
Solaris 9. Problems in the processing of malformed ASN.1
elements exist within the Internet Key Exchange daemon,
which is required for the establishment and management
of IPsec connections. (IPsec is the collection of security
protocols used to provide network connections with strong
authentication and encryption.) An attacker can craft
an ASN.1 element that may either kill the in.inetd
daemon and create a Denial of Service condition for
IPsec connections, or may allow the execution of arbitrary
code within the security context of the daemon (which
runs as root).
Countermeasures
All Solaris administrators are strongly
encouraged to apply these patches as quickly as possible.
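One way to check a host against the patch revisions listed in the Summary, as an added example that is not part of the original advisory. It parses `showrev -p` output and assumes the usual `Patch: ID-REV ...` line format; the function names and the sample lines are constructed for illustration.

```sh
# Added example, not part of the advisory: compare `showrev -p` output with
# the patch revisions listed in the Summary. Assumes "Patch: ID-REV ..." lines.
AWK=awk; [ -x /usr/bin/nawk ] && AWK=nawk   # prefer nawk (legacy awk has no -v)

# Minimum patch revisions from the advisory, keyed by `uname -r` / `uname -p`.
required_patches() {
    case "$1/$2" in
        5.7/sparc) echo 106541-29 ;;
        5.7/i386)  echo 106542-29 ;;
        5.8/sparc) echo 108528-27 ;;
        5.8/i386)  echo 108529-27 ;;
        5.9/sparc) echo 112233-11; echo 113451-05 ;;   # module-loading fix + IKE fix
        5.9/i386)  echo 112234-11; echo 114435-03 ;;
        *) return 1 ;;   # e.g. 5.6: not evaluated, no patch released
    esac
}

# patch_status ID-MINREV   (showrev -p output on stdin)
patch_status() {
    $AWK -v want="$1" '
        BEGIN { split(want, w, "-"); best = -1 }
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == w[1] && p[2] + 0 > best) best = p[2] + 0 }
        END { if (best < 0)             printf "missing %s\n", w[1]
              else if (best < w[2] + 0) printf "outdated %s-%02d (need %s)\n", w[1], best, want
              else                      printf "ok %s-%02d\n", w[1], best }'
}

# audit RELEASE ARCH   (showrev -p output on stdin); 0 = all present, 1 = gap, 2 = not covered
audit() {
    reqs=`required_patches "$1" "$2"` || { echo "$1/$2 not covered by the advisory"; return 2; }
    installed=`cat`; rc=0
    for want in $reqs; do
        line=`printf '%s\n' "$installed" | patch_status "$want"`
        echo "$line"
        case "$line" in ok*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: a Solaris 9 SPARC host with an old kernel patch revision.
SAMPLE='Patch: 112233-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 113451-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

# On a real host (showrev exists only on Solaris):
if type showrev >/dev/null 2>&1; then
    showrev -p | audit "`uname -r`" "`uname -p`"
fi
```

A patch reported as ok still needs the reboot the advisory calls for. The check matches patch IDs directly and does not follow Obsoletes entries.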
References
[1] Sun Security Alert #57479: Security Vulnerability with Loading Arbitrary Kernel Modules in Solaris Kernel
[2] Sun Security Alert #57472: Security Vulnerability in ASN.1 May Affect Solaris Internet Key Exchange (IKE)
Last modified Wednesday, 08-Feb-2006 11:46:22 PST
© 2003, Stanford University. All rights reserved.