October 2006
Four Sun Security Bulletins
ID: 00668
Ref: 640/2006
Date: 02 October 2006:14:57:30
Version: 1
Title: Four Sun Security Bulletins
Abstract:
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun
Title
=====
Four Sun Security Bulletins:
1. Sun Alert ID: 102324 - Sun Cobalt sendmail(8) Security
Issue Involving Signal Handling Daemon.
2. Sun Alert ID: 102576 - On Solaris 10 libnsl(3LIB) or TLI/XTI API Routines
May Cause Listener Programs for Databases or Other Network Aware Applications
to Stop Responding
3. Sun Alert ID: 102324 - Cross-site Scripting Vulnerabilities in the Sun Secure
Global Desktop Software
4. Sun Alert ID: 102144 - Vulnerability With Solaris IPv6 May Allow a Remote User
the Ability to Create a Denial of Service Condition
Detail
======
1. A local or remote unprivileged user may be able to execute arbitrary
code with elevated privileges or cause a Denial of Service (DoS)
condition on a Sun Cobalt system due to a security vulnerability in
the sendmail(8) daemon involving signal handling.
2. A race condition may cause listener programs for databases or other
network aware applications to cease to respond if those listeners are
coded using routines from libnsl(3LIB) or TLI/XTI APIs.
3. Two Cross Site Scripting vulnerabilities in the Sun Secure Global
Desktop (SSGD) software may allow a local or remote unprivileged user
to execute arbitrary script commands in another user's context,
potentially allowing an unprivileged remote user to steal cookie
information, hijack sessions, or cause a loss of data privacy between
a client and the server.
4. On Solaris 8, 9 and 10 systems utilizing an IPv6 address, a remote
unprivileged user may be able to panic the system, causing a Denial of
Service (DoS) condition.
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2006.0715 -- [SUN]
Sun Cobalt sendmail(8) Security Issue Involving Signal Handling Daemon
29 September 2006
===========================================================================
Product: sendmail(8)
Publisher: Sun Microsystems
Operating System: Sun Cobalt RaQ XTR Server
Sun Cobalt RaQ 4 Server
Sun Cobalt RaQ 550 Server
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2006-0058
Ref: AL-2006.0020
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102324-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102324
* Synopsis: Sun Cobalt sendmail(8) Security Issue Involving Signal
Handling Daemon
* Category: Security
* Product: Sun Cobalt RaQ XTR Server, Sun Cobalt RaQ 4 Server, Sun
Cobalt RaQ 550 Server
* BugIDs: 17084, 17085, 17086
* Avoidance: Workaround, Patch
* State: Resolved
* Date Released: 25-Apr-2006, 27-Sep-2006
* Date Closed: 27-Sep-2006
* Date Modified: 27-Sep-2006
1. Impact
A local or remote unprivileged user may be able to execute arbitrary
code with elevated privileges or cause a Denial of Service (DoS)
condition on a Sun Cobalt system due to a security vulnerability in
the sendmail(8) daemon involving signal handling.
This issue is referenced in the following documents:
CERT VU#834865 http://www.kb.cert.org/vuls/id/834865 which is
referenced in CERT Technical Cyber Security Alert TA06-081A:
http://www.us-cert.gov/cas/techalerts/TA06-081A.html
2. Contributing Factors
This issue can occur in the following releases:
* RaQ4 with sendmail versions 8.10.2-C4stackguard or earlier
* RaQ550 with sendmail versions 8.11.6-1C6stackguard or earlier
* RaQXTR with sendmail versions 8.11.6-1C6stackguard or earlier
with the sendmail(8) service enabled.
The sendmail package version can be determined by running the
following command:
# rpm -qa | grep -i sendmail
sendmail-8.11.6-1C6stackguard
To determine whether sendmail(8) is enabled for the various run
levels, the following command can be used:
# /sbin/chkconfig --list sendmail
sendmail 0:off 1:off 2:off 3:on 4:on 5:on 6:off
3. Symptoms
There are no reliable symptoms that would indicate this issue has been
exploited to execute arbitrary commands with elevated privileges on a
system. The symptoms of the Denial of Service would be the sendmail
daemon no longer running.
4. Relief/Workaround
To work around the described issue, sites may wish to block access to
the affected service from untrusted networks such as the Internet, or
disable the sendmail daemon where possible. Use a firewall or other
packet-filtering technology to block the appropriate network ports.
Consult your vendor or your firewall documentation for detailed
instructions on how to configure the ports.
The following command can be used to temporarily disable sendmail for
all run levels:
# /sbin/chkconfig --del sendmail
5. Resolution
This issue is addressed in the following releases:
* RaQ550 at
ftp://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-17084.pkg
* RaQ4 at
ftp://ftp.cobalt.sun.com/pub/packages/raq4/jpn/RaQ4-All-Security-2.0.2-17084.pkg
* RaQ XTR at
ftp://ftp.cobalt.sun.com/pub/packages/raqxtr/eng/RaQXTR-All-Security-1.0.1-17084.pkg and
ftp://ftp.cobalt.sun.com/pub/packages/raqxtr/jpn/RaQXTR-All-Security-1.0.1-17084.pkg
Change History
27-Sep-2006:
* Updated Resolution section
* State: Resolved
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2006.0718 -- [Solaris]
On Solaris 10 libnsl(3LIB) or TLI/XTI API Routines May Cause Listener
Programs for Databases or Other Network Aware Applications
to Stop Responding
2 October 2006
===========================================================================
Product: libnsl
TLI/XTI API Routines
Publisher: Sun Microsystems
Operating System: Solaris 10
Platform: SPARC
Impact: Denial of Service
Access: Remote/Unauthenticated
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102576-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102576
* Synopsis: On Solaris 10 libnsl(3LIB) or TLI/XTI API Routines May
Cause Listener Programs for Databases or Other Network Aware
Applications to Stop Responding
* Category: Availability
* Product: Solaris 10 Operating System
* BugIDs: 6389163
* Avoidance: Binary, Patch
* State: Workaround
* Date Released: 16-Aug-2006, 29-Sep-2006
* Date Closed:
* Date Modified: 29-Sep-2006
1. Impact
A race condition may cause listener programs for databases or other
network aware applications to cease to respond if those listeners are
coded using routines from libnsl(3LIB) or TLI/XTI APIs.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 10 with patch 118833-04 through 118833-23 and without
patch 118833-24
x86 Platform
* Solaris 10 with patch 118833-03 or later
Note: Solaris 8 and 9 are not impacted by this issue.
3. Symptoms
Listener processes cease to respond to new connection attempts and
begin to consume excessive CPU cycles.
Using the truss(1) command on the listener process will find it to be
executing in a tight loop through pollsys() or poll().
Because of the fact that the coding of listener processes varies
considerably, it is difficult to provide a truly representative truss
output.
This however is one example:
342: pollsys(0x0005DE48, 6, 0x00000000, 0x00000000) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00002000, 0x00000000) = 0xFFBFFEFF
[0x0000FFFF]
342: fstat(5, 0xFFBFF8C0) = 0
342: ioctl(5, I_PEEK, 0xFFBFF99C) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000) = 0xFFBFFEFF
[0x0000FFFF]
342: pollsys(0x0005DE48, 6, 0x00000000, 0x00000000) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00002000, 0x00000000) = 0xFFBFFEFF
[0x0000FFFF]
342: fstat(5, 0xFFBFF8C0) = 0
342: ioctl(5, I_PEEK, 0xFFBFF99C) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000) = 0xFFBFFEFF
[0x0000FFFF]
If the listener uses t_look(3NSL) it can be seen that a T_DATA message
is present on the listener Stream, instead of the expected T_LISTEN
messages (T_DATA is defined as 0x4 in /usr/include/sys/tiuser.h).
Truss of a listener which uses t_look() experiencing this issue would
show something similar to this:
libnsl:t_look() = 4
This results when a data message intended for an accepting endpoint is
misdirected during the accept() processing, to the listener endpoint.
4. Relief/Workaround
Binary relief is available through normal support channels for the
following releases:
x86 Platform
* Solaris 10
The following workaround should be used until the above can be
implemented.
Disable TCP fusion by adding the following line to the "/etc/system"
file:
set ip:do_tcp_fusion = 0x0
Add a comment referencing this Sun Alert and undo the above change
before applying binaries or final resolution. Reboot the system so
changes to /etc/system can take effect.
5. Resolution
SPARC Platform
* Solaris 10 with patch 118833-24 or later
A final resolution is pending completion for the x86/x64 platform.
Change History
29-Sep-2006:
* Updated Contributing Factors, Relief/Workaround and Resolution
sections
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
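An added example (not part of the Sun Alert or of any Sun tooling) for the Symptoms section of Sun Alert 102576 above: it scans saved truss(1) output for the two signatures the alert describes, a poll loop that only peeks at the stream and t_look() returning 4 (T_DATA). The function names, the list of calls treated as progress, the spin threshold and the second sample are assumptions made for this illustration.

```shell
# Added example: scan saved truss(1) output for the Alert 102576 symptoms.

# Longest run of consecutive poll iterations where poll()/pollsys() reported a
# ready descriptor, the process peeked at the stream (ioctl I_PEEK) and then
# polled again without any call that would consume the message.
# Assumption: getmsg/getpmsg/read/recv/accept count as "progress".
poll_spin_run() {
    awk '
        function close_iter() {
            if (ready && peeked && !progress) { if (++run > best) best = run }
            else run = 0
        }
        /(^|[^a-z_])poll(sys)?\(/ {
            close_iter()
            ready = ($NF + 0 > 0); peeked = 0; progress = 0
            next
        }
        /ioctl\(.*I_PEEK/ { peeked = 1 }
        /(^|[^a-z_])(getmsg|getpmsg|read|recv|accept)\(/ { progress = 1 }
        END { close_iter(); print best + 0 }'
}

# Number of t_look() calls that returned 4 (T_DATA, per the alert).
tdata_hits() {
    grep -c 't_look() *= *4$' || true
}

# listener_triage TRUSS_TEXT [MIN_SPINS]  (the default of 10 is an assumption)
listener_triage() {
    spins=$(printf '%s\n' "$1" | poll_spin_run)
    tdata=$(printf '%s\n' "$1" | tdata_hits)
    if [ "$tdata" -gt 0 ] || [ "$spins" -ge "${2:-10}" ]; then
        echo "suspect spins=$spins t_data=$tdata"
    else
        echo "ok spins=$spins t_data=$tdata"
    fi
}

# The truss excerpt quoted in the alert (two iterations, line wraps joined).
ALERT_TRUSS='342: pollsys(0x0005DE48, 6, 0x00000000, 0x00000000) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00002000, 0x00000000) = 0xFFBFFEFF [0x0000FFFF]
342: fstat(5, 0xFFBFF8C0) = 0
342: ioctl(5, I_PEEK, 0xFFBFF99C) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000) = 0xFFBFFEFF [0x0000FFFF]
342: pollsys(0x0005DE48, 6, 0x00000000, 0x00000000) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00002000, 0x00000000) = 0xFFBFFEFF [0x0000FFFF]
342: fstat(5, 0xFFBFF8C0) = 0
342: ioctl(5, I_PEEK, 0xFFBFF99C) = 1
342: lwp_sigmask(SIG_SETMASK, 0x00000000, 0x00000000) = 0xFFBFFEFF [0x0000FFFF]'

# Constructed contrast: the peek is followed by getmsg(), then an idle poll.
HEALTHY_TRUSS='342: pollsys(0x0005DE48, 6, 0x00000000, 0x00000000) = 1
342: ioctl(5, I_PEEK, 0xFFBFF99C) = 1
342: getmsg(5, 0xFFBFF8A0, 0x00000000, 0xFFBFF89C) = 0
342: pollsys(0x0005DE48, 6, 0x00000000, 0x00000000) = 0'

listener_triage "$ALERT_TRUSS" 2
listener_triage "$HEALTHY_TRUSS" 2
listener_triage 'libnsl:t_look() = 4'
```

A real capture of a spinning listener will show far more than two iterations, so the threshold of 2 is only suitable for the short excerpt quoted in the alert.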
3.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0722 -- [Linux][Solaris]
Cross-site Scripting Vulnerabilities in the Sun Secure
Global Desktop Software
2 October 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Sun Secure Global Desktop Software 4.2
Publisher: Sun Microsystems
Operating System: Solaris 10
Solaris 9
Solaris 8
Linux variants
Impact: Execute Arbitrary Code/Commands
Read-only Data Access
Reduced Security
Access: Remote/Unauthenticated
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102650-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102650
* Synopsis: Cross-site Scripting Vulnerabilities in the Sun Secure
Global Desktop Software
* Category: Security
* Product: Sun Secure Global Desktop Software 4.2
* BugIDs: 6467099
* Avoidance: Upgrade
* State: Resolved
* Date Released: 29-Sep-2006
* Date Closed: 29-Sep-2006
* Date Modified:
1. Impact
Two Cross Site Scripting vulnerabilities in the Sun Secure Global
Desktop (SSGD) software may allow a local or remote unprivileged user
to execute arbitrary script commands in another user's context,
potentially allowing an unprivileged remote user to steal cookie
information, hijack sessions, or cause a loss of data privacy between
a client and the server.
Sun acknowledges, with thanks, Marc Ruef of scip AG for bringing this
issue to our attention.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Sun Secure Global Desktop Software 4.2 (for Solaris 8, 9, 10)
prior to build 4.20.983
x86 Platform
* Sun Secure Global Desktop Software 4.2 (for Solaris 10) prior to
build 4.20.983
Linux Platform
* Sun Secure Global Desktop Software 4.2 prior to build 4.20.983
To determine the version of the Sun Secure Global Desktop Software
running on a system, the following command can be executed on the Sun
Secure Global Desktop server:
$ /bin/tarantella version
Sun Secure Global Desktop Software for SPARC Solaris 2.8+ (4.20.983)
Architecture code: spso0510
This host: SunOS 5.10 Generic_118822-25 sun4v sparc
SUNW,Sun-Fire-T2000
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has occurred.
4. Relief/Workaround
There is no workaround for this issue. Please see the Resolution
section below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Sun Secure Global Desktop Software 4.2 (for Solaris 8, 9, 10)
build 4.20.983 or later
x86 Platform
* Sun Secure Global Desktop Software 4.2 (for Solaris 10) build
4.20.983 or later
Linux Platform
* Sun Secure Global Desktop Software 4.2 build 4.20.983 or later
The latest build of Sun Secure Global Desktop Software can be
downloaded for all of the above platforms from the following URL:
http://www.sun.com/download/products.xml?id=43321db9
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
4.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0723 -- [Solaris]
Vulnerability With Solaris IPv6 May Allow a Remote User the
Ability to Create a Denial of Service Condition
2 October 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IPv6
Publisher: Sun Microsystems
Operating System: Solaris 10
Solaris 9
Solaris 8
Impact: Denial of Service
Access: Remote/Unauthenticated
Ref: ESB-2006.0705
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102144-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102144
* Synopsis: Vulnerability With Solaris IPv6 May Allow a Remote User
the Ability to Create a Denial of Service Condition
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Solaris 8 Operating System
* BugIDs: 6241739
* Avoidance: Patch
* State: Resolved
* Date Released: 28-Sep-2006
* Date Closed: 28-Sep-2006
* Date Modified:
1. Impact
On Solaris 8, 9 and 10 systems utilizing an IPv6 address, a remote
unprivileged user may be able to panic the system, causing a Denial of
Service (DoS) condition.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 8 without patch 116965-22
* Solaris 9 without patch 114344-20
* Solaris 10 without patch 119075-13
x86 Platform
* Solaris 8 without patch 116966-21
* Solaris 9 without patch 119435-10
* Solaris 10 without patch 119076-11
Solaris systems are only impacted by this issue if they have an IPv6
address configured. If an IPv6 address is configured, the ifconfig(1M)
command will show an output line which contains the word "IPv6" as in
the following example:
# /usr/sbin/ifconfig -a | /usr/bin/grep IPv6
eri0: flags=2000840 mtu 1500 index 2
3. Symptoms
The system may panic with a stack trace similar to the following:
...
msgdsize+0x54()
ip_rput_frag_v6+0x9d4()
ip_rput_data_v6+0x1254()
putnext+0x450()
...
4. Relief/Workaround
There is no workaround if the system under consideration is using the
IPv6 address for network communications. If an IPv6 address is enabled
but not being used, then disabling the IPv6 address will prevent this
issue from occurring on the system.
To disable the IPv6 address, use the ifconfig(1M) command. For
example, if "eri0" is the network interface, then the following
command will disable the IPv6 address:
# /usr/sbin/ifconfig eri0 inet6 unplumb
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 8 with patch 116965-22 or later
* Solaris 9 with patch 114344-20 or later
* Solaris 10 with patch 119075-13 or later
x86 Platform
* Solaris 8 with patch 116966-21 or later
* Solaris 9 with patch 119435-10 or later
* Solaris 10 with patch 119076-11 or later
- - --------------------------END INCLUDED TEXT--------------------
- -----END PGP SIGNATURE-----
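An added example (not Sun's code) that turns the Contributing Factors lists of Sun Alerts 102576 and 102144 above into a check over `showrev -p`, `ifconfig -a` and /etc/system text. The function names, status strings and sample inputs are constructed; it assumes showrev's `Patch: <id>-<rev>` line format and `uname -r` / `uname -p` values such as 5.10 and sparc, accepts `0` as well as the alert's `0x0`, and does not follow patch obsoletion chains.

```shell
# Added example: patch-level triage for Sun Alerts 102576 and 102144.

# Highest installed revision of patch BASE in `showrev -p` text on stdin.
highest_rev() {
    awk -v base="$1" '
        $1 == "Patch:" && split($2, p, "-") == 2 && p[1] == base && p[2] + 0 > max {
            max = p[2] + 0
        }
        END { if (max > 0) print max }'
}

# Fixing patch for Alert 102144 by `uname -r` / `uname -p` (Resolution list).
ipv6_fix_patch() {
    case "$1/$2" in
        5.8/sparc)  echo 116965-22 ;;
        5.9/sparc)  echo 114344-20 ;;
        5.10/sparc) echo 119075-13 ;;
        5.8/i386)   echo 116966-21 ;;
        5.9/i386)   echo 119435-10 ;;
        5.10/i386)  echo 119076-11 ;;
        *) return 1 ;;
    esac
}

# assess_102144 RELEASE ARCH SHOWREV_TEXT IFCONFIG_TEXT
assess_102144() {
    fix=$(ipv6_fix_patch "$1" "$2") || { echo unknown-platform; return 0; }
    have=$(printf '%s\n' "$3" | highest_rev "${fix%-*}")
    if [ "${have:-0}" -ge "${fix#*-}" ]; then echo patched
    elif printf '%s\n' "$4" | grep IPv6 >/dev/null; then echo vulnerable
    else echo unpatched-no-ipv6
    fi
}

# Workaround line from Alert 102576; "*" comment lines in /etc/system do not match.
FUSION_OFF='^[[:space:]]*set[[:space:]]+ip:do_tcp_fusion[[:space:]]*=[[:space:]]*0(x0)?[[:space:]]*$'
# assess_102576 RELEASE ARCH SHOWREV_TEXT ETC_SYSTEM_TEXT
# Affected range: SPARC 118833-04..-23; x86 118833-03 or later (no upper bound).
assess_102576() {
    [ "$1" = 5.10 ] || { echo not-affected; return 0; }
    rev=$(printf '%s\n' "$3" | highest_rev 118833)
    rev=${rev:-0}
    case "$2" in
        sparc) lo=4 hi=23 ;;
        i386)  lo=3 hi= ;;
        *)     echo unknown-platform; return 0 ;;
    esac
    if [ "$rev" -lt "$lo" ] || { [ -n "$hi" ] && [ "$rev" -gt "$hi" ]; }; then
        echo outside-affected-range
    elif printf '%s\n' "$4" | grep -E "$FUSION_OFF" >/dev/null; then
        echo affected-workaround-set
    else
        echo affected
    fi
}

# Constructed sample inputs (not captured from a real host).
SHOWREV='Patch: 118833-17 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 119075-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'
IFCONFIG='eri0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2'
ETC_SYSTEM='* Sun Alert 102576 workaround, undo before applying the fix
set ip:do_tcp_fusion = 0x0'

assess_102144 5.10 sparc "$SHOWREV" "$IFCONFIG"    # vulnerable
assess_102576 5.10 sparc "$SHOWREV" "$ETC_SYSTEM"  # affected-workaround-set
```

On a live host the arguments would come from `uname -r`, `uname -p`, `showrev -p`, `ifconfig -a` and `/etc/system`. A matching /etc/system line only shows that the workaround is configured; it takes effect after the reboot the alert calls for.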