A Security Vulnerability in the Solaris Name Service Cache Daemon (nscd(1M)) May Allow Unauthorized Access to Data and Escalation of Privileges

---

A Security Vulnerability in the Solaris Name Service Cache Daemon (nscd(1M)) May Allow Unauthorized Access to Data and Escalation of Privileges

1. Impact

A security vulnerability in the Solaris name service cache daemon (nscd(1M)) may, under certain conditions, allow local unprivileged users to gain access to unauthorized information and gain elevated privileges.

Sun acknowledges with thanks, Mike Gerdts for bringing this issue to our attention.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform:

• Solaris 10 with patch 120011-14 and without patch 138263-03
• OpenSolaris based upon builds snv_50 through snv_104
  

x86 Platform:

• Solaris 10 with patch 120012-14 and without patch 138264-03
• OpenSolaris based upon builds snv_50 through snv_104

Notes:

1. Solaris 8, Solaris 9 and Solaris 10 releases prior to Solaris 10 Update 4 (8/07) are not impacted by this issue.

2. OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. The base build can be derived as follows:

$ uname -a
SunOS  phys-node-1 5.11 snv_86 i86pc i386 i86pc

3. This issue occurs only when nscd(1M) is running and the 'compat' mode is configured for the 'passwd' entry in nsswitch.conf(4).

The following command may be run to check if the nscd(1M) process is running:

$ svcs svc:/system/name-service-cache
STATE          STIME    FMRI
online         Aug_05   svc:/system/name-service-cache:default

"online" indicates nscd is running.

STATE          STIME    FMRI
disabled       12:34:55 svc:/system/name-service-cache:default

"disabled" indicates nscd is not running.

The following command may be run to check if the 'compat' mode has been configured for the passwd(1) entry in nsswitch.conf(4):

$ grep passwd: /etc/nsswitch.conf
passwd: compat

if the 'compat' mode has been configured for the passwd(1) entry.

3. Symptoms

There are no predictable symptoms to indicate this issue has been exploited to gain access to unauthorized data or gain elevated privileges.

4. Workaround

It is possible to work around the described issue with one of the following options:

A) Disable the nscd(1M) daemon. This may be done by executing the following command as the 'root' user:

# svcadm disable svc:/system/name-service-cache

Disabling nscd(1M) may slow responses to name services requests on the affected host.

B) Remove the 'compat' entry for 'passwd' in the file /etc/nsswitch.conf

C) If the entry for 'passwd_compat' in /etc/nsswitch.conf is either 'nis' or 'ldap', modify the entry for 'passwd' in the same file as follows:


If the entry for 'passwd_compat' in /etc/nsswitch.conf is 'nisplus', modify the entry for 'passwd' in the same file as follows:


where 'yyyyyy' is indeed the string 'yyyyyy' or any string that would not match a existing source.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform:

• Solaris 10 with patch 138263-03 or later
  
• OpenSolaris based upon build snv_105 or later
  

x86 Platform:

• Solaris 10 with patch 138264-03 or later
• OpenSolaris based upon build snv_105 or later

For more information on Security Sun Alerts, see Technical Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


Modification History

05-Jan-2009: Updated Contributing Factors section for patch clarification

Attachments

This solution has no attachment