Solaris 10 Kernel Patches May Allow Privileged Remote Users to Gain Root Access to Files Shared by NFS Servers



Category : Availability, Security
Release Phase :Resolved
Product :Solaris 10 Operating System  
Bug Id :6602070  
Date of Resolved Release :13-DEC-2007 


Impact

A security vulnerability exists in Solaris 10 systems with kernel patches 120011-04 or later (SPARC) and 120012-04 or later (x86) that are configured as NFS servers and grant root user access to remote clients. This vulnerability may allow root users on remote clients that are not authorized to access the shared file systems as root to gain root access to files shared by the NFS server as well.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform:

  • Solaris 10 with patch 120011-04 or later and without patch 127111-05

x86 Platform:

  • Solaris 10 with patch 120012-04 or later and without patch 127954-03

NOTE: Solaris 8 and 9 are not impacted by this issue.

A system is only impacted by this issue if both of the following are true:

a) The system is acting as an NFS server, is sharing root access to remote clients using the "root=" option, and is mounting the file systems either as read-only ("ro=" option) or as read-write ("rw=" option). See share_nfs(1M) for information on file system sharing options. To list all file systems shared by an NFS server, the '/usr/sbin/share' command may be used as in the following example:

    $ share
    /NFSTEST   root=hostname   ""

b) Either the 'ipnodes' or the 'hosts' entry (or both of these entries) in /etc/nsswitch.conf lists only "files" as the source. The following command may be executed to check these entries in /etc/nsswitch.conf:

    $ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
    hosts:      files nisplus dns [NOTFOUND=return] files
    ipnodes:    nisplus [NOTFOUND=return] files
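
Conditions a) and b) can be tested together. The script below is an added example, not part of the original Sun Alert and not Sun's code; its function names are hypothetical. It assumes a POSIX shell and awk (on Solaris 10, /usr/xpg4/bin/sh with /usr/xpg4/bin first in PATH), tests only for "root=" in condition a), and does not check the patch level.

```shell
# Added example (not Sun's code). Both arguments are files: saved `share`
# output and an nsswitch.conf, so copies taken off-host can be checked too.

# (a) Print the path of every share whose options include root=.
root_shares() {
    awk '{
        path = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            if (path == "" && $i ~ /^\//) path = $i
            if ($i ~ /(^|,)root=/) hit = 1
        }
        if (hit && path != "") print path
    }' "$1"
}

# (b) Succeed if database $2 (hosts or ipnodes) in file $1 lists "files"
# as its only source. Comments and [STATUS=action] criteria are ignored.
files_only() {
    awk -v db="$2:" '
        { sub(/#.*/, ""); gsub(/\[[^]]*\]/, "") }
        $1 == db { found = 1; only = (NF == 2 && $2 == "files") }
        END { exit !(found && only) }' "$1"
}

# Returns 0 only if (a) holds AND hosts OR ipnodes is files-only.
check_exposure() {
    shares=$(root_shares "$1")
    if [ -z "$shares" ]; then
        echo "condition a) absent: no root= shares"; return 1
    fi
    if files_only "$2" hosts || files_only "$2" ipnodes; then
        echo "conditions a) and b) both present; root= shares:"
        echo "$shares"; return 0
    fi
    echo "condition b) absent: hosts and ipnodes each list a source besides files"
    return 1
}

# Constructed sample run (not output from a real server).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '-  /NFSTEST  rw=clienta,root=clienta  ""' '-  /pub  ro  ""' > "$d/share"
    printf '%s\n' 'hosts:   files  # local only' 'ipnodes: files nis' > "$d/nss"
    check_exposure "$d/share" "$d/nss"; rc=$?
    rm -rf "$d"; return $rc
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a live server, save the output of `share` to a file and pass it with /etc/nsswitch.conf to `check_exposure`; an exit status of 0 means both conditions hold.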

Symptoms

There are no predictable symptoms that would indicate the described vulnerability has been exploited.


Workaround

A) To work around this issue, patch 120011-04 or later (SPARC) or patch 120012-04 or later (x86) may be removed using the patchrm(1M) command.

Note however that these patches cannot be removed on Solaris 10 8/07 systems, as they are part of the initial installation of Solaris 10 8/07.

B) Alternatively, this issue can be avoided by adding another name service for hosts and ipnodes in /etc/nsswitch.conf. For example:

    $ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
    hosts:      files nis
    ipnodes:    files nis

C) This issue can also be avoided by disabling the nscd(1M) daemon on the NFS server. Disabling the nscd daemon may slow responses to name service requests on the NFS server. The nscd daemon may be disabled by running the following command (as 'root' user):

    # svcadm disable svc:/system/name-service-cache:default

Resolution

This issue is addressed in the following releases:

SPARC Platform

x86 Platform




Modification History


Date: 14-DEC-2007
  • Updated Contributing Factors section

Date: 21-DEC-2007
  • Updated Impact and Contributing Factors sections for clarification

Date: 08-JAN-2008
  • Updated Impact section



Article Details
Article ID : 201317
Article Type : Sun Alert
Last reviewed : 2008-01-08
Audience : PUBLIC