Some Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration

Category: Security
Release Phase: Resolved
Bug Id: None
Product: Sun SPARC Enterprise T5120 Server, Sun SPARC Enterprise T5220 Server
Date of Resolved Release: 12-Feb-2008
1. Impact
Sun SPARC Enterprise T5120 and T5220 servers with a datecode prior to
BEL07480000 may have been mistakenly shipped with factory settings left
in the pre-installed Solaris 10 OS image. These settings may allow a
local or remote user to execute arbitrary commands with the privileges
of the root (uid 0) user.

To determine whether a system is affected by this issue, look for the
changed parameters and extra files listed in the "Contributing Factors"
section below.
2. Contributing Factors
This issue can occur on the following platforms:
- Sun SPARC Enterprise T5120 and T5220 Servers with datecode
  prior to BEL07480000
Note: Systems are only impacted by this issue if they have an incorrect
factory image installed. A datecode prior to BEL07480000 on its own
does not confirm the issue; the items below must be checked on each
system.

To determine the datecode of a T5120 or T5220, use either the Lights
Out Management (LOM) CLI or the prtdiag(1M) command:
ILOM CLI: -> show /SYS/
ALOM CLI: sc> showplatform
Solaris: # prtdiag -v

To determine if an incorrect factory image of Solaris 10 has been
installed on a system, and so whether the system is affected by this
issue, review the following items:
A. Remote logins are enabled for the root user, indicated by the
CONSOLE entry in /etc/default/login being commented out with a leading
hash sign (#). With CONSOLE unset, login(1) no longer restricts root to
the console device and accepts root logins from any terminal:
$ grep CONSOLE= /etc/default/login
#CONSOLE=/dev/console
B. The sshd(1M) daemon is configured to allow the root user to log in
using ssh(1), indicated by an uncommented 'PermitRootLogin' entry in
sshd_config(4) being set to 'yes' (the Solaris 10 default is 'no'):
$ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
C. A profile(4) file for the root user (/.profile) exists and sets the
'PS1' environment variable to 'ROOT>' and the 'LOGDIR' environment
variable to '/export/home/utslog':
$ egrep 'PS1|LOGDIR' /.profile
PS1='ROOT>'
LOGDIR='/export/home/utslog'
export LOGDIR
D. Extra files and directories exist on the system which are not part
of a default install of Solaris 10:
Files:
/var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
/etc/opt/SUNWvts/sunvts.conf
/opt/SUNWvts/bin/conf/iobus.cfg
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
Directories:
/opt/SUNWt1tsk
/export/Nebula
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited. Where the settings were present, reviewing
root login records with last(1) for root logins from sources other than
the console, and the sshd entries in /var/log/authlog if auth logging is
enabled in syslog.conf(4), can help establish whether they were used.
4. Workaround
Systems which are affected by this issue can have the factory settings
corrected, so that they are no longer insecure, by performing the
following steps as the root user. Before disabling remote root logins
(items A and B), confirm that a non-root account exists from which root
can be reached with su(1M), or that console access is available, so
that the system remains administrable afterwards.

For item A, modify the CONSOLE entry in the /etc/default/login file so
that it no longer begins with a hash (#):
CONSOLE=/dev/console

For item B, modify the PermitRootLogin entry in the
/etc/ssh/sshd_config file from 'yes' to 'no' and then restart the
sshd(1M) service using svcadm(1M) so that the new setting takes effect:
# svcadm restart svc:/network/ssh:default

For item C, the following lines can be removed from the /.profile file:
PS1='ROOT>'
LOGDIR='/export/home/utslog'
export LOGDIR

For item D, the following files and directories can be removed using
the rm(1) command. The two directories must be removed recursively
(-r); review their contents first, since anything the factory image
left under them is deleted with them:
# /bin/rm /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1 /etc/opt/SUNWvts/sunvts.conf /opt/SUNWvts/bin/conf/iobus.cfg \
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2 /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
# /bin/rm -rf /opt/SUNWt1tsk /export/Nebula
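The checks in items A to D of the "Contributing Factors" section and the steps of this "Workaround" section can be combined into a single script. The following is an added example written for this page, not a script shipped by Sun: it audits a Solaris 10 root for the four indicators and, when invoked with "fix", applies the corrections above. The ROOT argument and the audit/fix modes are this example's own conventions; pointing ROOT at the mount point of an image lets the audit run without touching the live system. It uses only POSIX sh, grep and sed (so it also works with Solaris 10's /usr/bin/grep, which lacks -q), matches the indicators at the start of the line so that a commented-out default does not count as a finding, and keeps a .orig copy of each file it rewrites.

```sh
#!/bin/sh
# Added example: audit a Solaris 10 root for the factory settings in this
# Sun Alert (items A-D) and, with "fix", apply the Workaround steps.
# ROOT is the directory to inspect: "/" for the live system, or the mount
# point of an image. Not Sun's code; ROOT and the audit/fix modes are this
# example's own conventions. Plain POSIX sh, grep and sed only.

# Item D: leftover files and directories not part of a default install.
EXTRA_FILES="/var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
/etc/opt/SUNWvts/sunvts.conf
/opt/SUNWvts/bin/conf/iobus.cfg
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1"
EXTRA_DIRS="/opt/SUNWt1tsk
/export/Nebula"

# Item A: CONSOLE= commented out, so root may log in from any terminal.
console_unrestricted() {
    grep '^#CONSOLE=' "$1/etc/default/login" >/dev/null 2>&1
}

# Item B: an active (uncommented) "PermitRootLogin yes".
sshd_permits_root() {
    grep '^PermitRootLogin[[:space:]][[:space:]]*yes' \
        "$1/etc/ssh/sshd_config" >/dev/null 2>&1
}

# Item C: root's /.profile carries the factory PS1 or LOGDIR setting.
profile_has_factory_settings() {
    grep -e "^PS1='ROOT>'" -e "^LOGDIR='/export/home/utslog'" \
        "$1/.profile" >/dev/null 2>&1
}

# Item D: print each leftover path that is present, one per line.
extra_factory_paths() {
    for p in $EXTRA_FILES $EXTRA_DIRS; do
        [ -e "$1$p" ] && echo "$p"
    done
    return 0
}

# Report every indicator found; exit status 0 means none were found.
audit_image() {
    root=${1%/}
    n=0
    if console_unrestricted "$root"; then
        echo "A: CONSOLE= is commented out in /etc/default/login"; n=$((n+1))
    fi
    if sshd_permits_root "$root"; then
        echo "B: PermitRootLogin yes in /etc/ssh/sshd_config"; n=$((n+1))
    fi
    if profile_has_factory_settings "$root"; then
        echo "C: factory PS1/LOGDIR settings in /.profile"; n=$((n+1))
    fi
    for p in $(extra_factory_paths "$root"); do
        echo "D: extra factory path $p"; n=$((n+1))
    done
    echo "$n finding(s)"
    [ "$n" -eq 0 ]
}

# Rewrite a file through sed, keeping a .orig copy and the original mode.
edit_in_place() {
    tgt=$1; shift
    cp -p "$tgt" "$tgt.orig" && sed "$@" "$tgt.orig" > "$tgt"
}

# Apply the Workaround. Run as root; sshd is only restarted for the live
# system (ROOT "/"), not for an image mounted elsewhere.
fix_image() {
    root=${1%/}
    [ -f "$root/etc/default/login" ] &&
        edit_in_place "$root/etc/default/login" -e 's/^#CONSOLE=/CONSOLE=/'
    [ -f "$root/etc/ssh/sshd_config" ] &&
        edit_in_place "$root/etc/ssh/sshd_config" \
            -e 's/^PermitRootLogin[[:space:]][[:space:]]*yes/PermitRootLogin no/'
    [ -f "$root/.profile" ] &&
        edit_in_place "$root/.profile" -e "/^PS1='ROOT>'/d" \
            -e "/^LOGDIR='\/export\/home\/utslog'/d" -e '/^export LOGDIR$/d'
    for p in $EXTRA_FILES; do [ -f "$root$p" ] && rm -f "$root$p"; done
    for p in $EXTRA_DIRS;  do [ -d "$root$p" ] && rm -rf "$root$p"; done
    [ -z "$root" ] && svcadm restart svc:/network/ssh:default
    return 0
}

# Usage: sh check_image.sh ROOT [audit|fix]    e.g.  sh check_image.sh / fix
if [ $# -gt 0 ]; then
    case ${2:-audit} in
        audit) audit_image "$1" ;;
        fix)   fix_image "$1" && audit_image "$1" ;;
        *)     echo "usage: $0 ROOT [audit|fix]" >&2; exit 2 ;;
    esac
fi
```

Run the audit first (sh check_image.sh /) to record which indicators are present, then "sh check_image.sh / fix" as root; the script re-runs the audit afterwards and exits 0 only when no indicator remains. The directory removals are recursive, so inspect /opt/SUNWt1tsk and /export/Nebula before running in fix mode.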
5. Resolution
Sun SPARC Enterprise T5120 and T5220 servers with datecode BEL07480000
and later ship with the correct Solaris 10 image. The resolution for
systems affected by this issue is to follow the steps outlined in the
"Workaround" section above.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.