An unprivileged local user may be able to execute arbitrary commands with elevated privileges on Kerberos systems due to a security vulnerability in the in.rexecd(1M) daemon.

This issue can occur in the following releases:

SPARC Platform

• Solaris 10 without patch 120329-02

x86 Platform

• Solaris 10 without patch 120330-02

Note 1: Solaris 8 and Solaris 9 are not affected by this issue.

Note 2: This issue only affects systems with the in.rexecd(1M) service enabled.

To determine if a system has the in.rexecd(1M) service enabled, the svcs(1) command can be run as follows:

    $ svcs svc:/network/rexec:default
    STATE          STIME    FMRI
    online         Jan_27   svc:/network/rexec:default

By default, the in.rexecd(1M) service is disabled on Solaris systems.

Note 3: This issue only affects systems which are configured to reference pam_krb5(5) in their pam.conf(4) file for the "other" column which is typically done as part of configuring a Kerberos client.

To determine if pam_krb5(5) is configured for the "other" service in the "/etc/pam.conf" file the following command can be run:

    $ egrep "^other.*krb5" /etc/pam.conf || echo "Not impacted."
    other   auth sufficient      pam_krb5.so.1

There are no reliable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with elevated privilege on a host.

Until patches can be applied, sites may wish to disable the in.rexecd(1M) service using the svcadm(1M) command. For example:

    # svcadm disable svc:/network/rexec:default

The service can be re-enabled using svcadm(1M) using the same command syntax as above except with "enable" in place of "disable".

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 120329-02 or later

x86 Platform

• Solaris 10 with patch 120330-02 or later

This solution has no attachment