CPNI - Centre for the Protection of National Infrastructure


February 2006

Sun Security Advisory: 102186 - Security Vulnerability in the in.rexecd(1M) Daemon on Kerberos Systems

ID: 00137
Ref: 135/2006
Date: 16 February 2006:13:32:07
Version: 1

Title: Sun Security Advisory: 102186 - Security Vulnerability in the in.rexecd(1M) Daemon on Kerberos Systems
Abstract: An unprivileged local user may be able to execute arbitrary commands with elevated privileges on Kerberos systems due to a security vulnerability in the in.rexecd(1M) daemon.
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun

Title
=====


Sun Security Advisory: 102186 - Security Vulnerability in the in.rexecd(1M)
Daemon on Kerberos Systems

Detail
======

An unprivileged local user may be able to execute arbitrary commands
with elevated privileges on Kerberos systems due to a security
vulnerability in the in.rexecd(1M) daemon.




===========================================================================


ESB-2006.0134 -- [Solaris]
Security Vulnerability in the in.rexecd(1M) Daemon on Kerberos Systems
16 February 2006

===========================================================================



Product: Solaris 10 Operating System
Publisher: Sun Microsystems
Operating System: Solaris 10
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102186-1

--------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
* Sun Alert ID: 102186
* Synopsis: Security Vulnerability in the in.rexecd(1M) Daemon on
Kerberos Systems
* Category: Security
* Product: Solaris 10 Operating System
* BugIDs: 6371429
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 14-Feb-2006
* Date Closed: 14-Feb-2006
* Date Modified:

1. Impact

An unprivileged local user may be able to execute arbitrary commands
with elevated privileges on Kerberos systems due to a security
vulnerability in the in.rexecd(1M) daemon.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
* Solaris 10 without patch 120329-02

x86 Platform
* Solaris 10 without patch 120330-02

Note 1: Solaris 8 and Solaris 9 are not affected by this issue.

Note 2: This issue only affects systems with the in.rexecd(1M) service
enabled.

To determine if a system has the in.rexecd(1M) service enabled, the
svcs(1) command can be run as follows:
    $ svcs svc:/network/rexec:default
    STATE          STIME    FMRI
    online         Jan_27   svc:/network/rexec:default

By default, the in.rexecd(1M) service is disabled on Solaris systems.

Note 3: This issue only affects systems which are configured to
reference pam_krb5(5) in their pam.conf(4) file for the "other"
service, which is typically done as part of configuring a Kerberos
client.

To determine if pam_krb5(5) is configured for the "other" service in
the "/etc/pam.conf" file the following command can be run:
    $ egrep "^other.*krb5" /etc/pam.conf || echo "Not impacted."
    other auth sufficient pam_krb5.so.1


3. Symptoms

There are no reliable symptoms that would indicate the described issue
has been exploited to execute arbitrary commands with elevated
privilege on a host.

4. Relief/Workaround

Until patches can be applied, sites may wish to disable the
in.rexecd(1M) service using the svcadm(1M) command. For example:
    # svcadm disable svc:/network/rexec:default

The service can be re-enabled with svcadm(1M) using the same command
syntax as above, with "enable" in place of "disable".

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
* Solaris 10 with patch 120329-02 or later

x86 Platform
* Solaris 10 with patch 120330-02 or later
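
The three conditions from section 2 and the patch levels from section 5, combined into one offline triage check. This is an added example, not part of the Sun Alert, intended for a POSIX sh and awk on an analysis host. It assumes saved copies of /etc/pam.conf, of the svcs(1) output shown above, and of `showrev -p` output whose lines begin "Patch: <id>-<rev>"; the function names and verdict words are hypothetical.

```shell
#!/bin/sh
# Added example: offline triage for Sun Alert 102186. Inputs are saved copies of
# /etc/pam.conf, `svcs svc:/network/rexec:default` and `showrev -p` (assumed source).

# True if the pam.conf copy ($1) references pam_krb5 for the "other" service.
# Field match skips commented lines and service names that merely start with "other".
pam_other_uses_krb5() {
    awk '$1 == "other" && /pam_krb5/ { hit = 1 } END { exit !hit }' "$1"
}

# True if the saved svcs output ($1) shows the rexec service online.
rexec_online() {
    awk '$1 == "online" && $NF == "svc:/network/rexec:default" { hit = 1 }
         END { exit !hit }' "$1"
}

# True if the saved `showrev -p` output ($1) lists patch $2 at revision >= $3.
patch_at_least() {
    awk -v base="$2" -v min="$3" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 >= min + 0) hit = 1 }
        END { exit !hit }' "$1"
}

# triage PAMCONF SVCS_OUT SHOWREV_OUT PATCH_BASE -> prints one verdict word.
# PATCH_BASE is 120329 (SPARC) or 120330 (x86), per the advisory.
triage() {
    if patch_at_least "$3" "$4" 02; then echo patched
    elif ! rexec_online "$2";        then echo rexec-disabled
    elif ! pam_other_uses_krb5 "$1"; then echo no-krb5-other
    else echo affected
    fi
}

# Constructed sample host: rexec online, Kerberos client, patch at revision -01.
demo() {
    d=$(mktemp -d) || return 1
    printf 'login auth required pam_unix_auth.so.1\nother auth sufficient pam_krb5.so.1\n' > "$d/pam.conf"
    printf 'STATE STIME FMRI\nonline Jan_27 svc:/network/rexec:default\n' > "$d/svcs.out"
    printf 'Patch: 120329-01 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu\n' > "$d/showrev.out"
    triage "$d/pam.conf" "$d/svcs.out" "$d/showrev.out" 120329
    rm -rf "$d"
}
demo
```

A host is reported as "affected" only when all three conditions hold; any other verdict names the first condition that rules it out.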

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

--------------------------END INCLUDED TEXT--------------------