             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Security Vulnerability in Solaris 10 "DHCP" Clients
                           [Sun Alert ID: 101897]

August 23, 2005 21:00 GMT                                         Number P-288
______________________________________________________________________________
PROBLEM:       A security vulnerability may allow a remote privileged user
               the ability to execute arbitrary code with "root" privileges.
PLATFORM:      Solaris 10 Operating System
DAMAGE:        A remote privileged user may gain the ability to execute
               arbitrary code with "root" privileges on a "DHCP" client
               system if the remote user has access to a system within the
               network or subnet which is used by the host for "DHCP"
               requests.
SOLUTION:      Upgrade to current version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A remote privileged user may gain the ability
ASSESSMENT:    to execute arbitrary code with "root" privileges if the remote
               user already has privileged access on the DHCP server.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-288.shtml
 ORIGINAL BULLETIN:  http://sunsolve.sun.com/search/document.do?assetkey=1-26-101897-1&searchclause=security
______________________________________________________________________________
[***** Start Sun Alert ID: 101897 *****]

Sun(sm) Alert Notification
     * Sun Alert ID: 101897
     * Synopsis: Security Vulnerability in Solaris 10 "DHCP" Clients
     * Category: Security
     * Product: Solaris 10 Operating System
     * BugIDs: 6196716
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 23-Aug-2005
     * Date Closed: 23-Aug-2005
     * Date Modified:

1. Impact

   A security vulnerability in the "/lib/svc/method/net-svc" script may
   allow a remote privileged user the ability to execute arbitrary code
   with "root" privileges on a "DHCP" client system if the remote user has
   access to a system within the network or subnet which is used by the
   host for "DHCP" requests.

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Solaris 10 without patch 119593-01

   x86 Platform
     * Solaris 10 without patch 119594-01

   Note: Solaris 8 and Solaris 9 are not impacted by this issue.

   Only systems configured as a "DHCP" client are vulnerable to this
   issue. If a system is configured as a "DHCP" client, the "netstat -D"
   command will produce output similar to the following:

    # netstat -D
    Interface  State         Sent  Recv  Declined  Flags
    bge0       BOUND            1     1         0
    (Began, Expires, Renew) = (08/15/2005 16:00, 08/15/2005 20:00, 08/15/2005 17:57)

3. Symptoms

   There are no predictable symptoms that would indicate the described
   issue has occurred.

Solution Summary

4. Relief/Workaround

   To prevent the described issue from occurring until patches can be
   applied, the following workaround can be used:

    1. Use the sys-unconfig(1M) command to unconfigure the system.
    2. On the subsequent reboot, configure the system to use a "static IP"
       address instead of "DHCP".

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Solaris 10 with patch 119593-01 or later

   x86 Platform
     * Solaris 10 with patch 119594-01 or later

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein.
ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR
FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an
agreement, the Sun.com Terms of Use. This Sun Alert notification may only be
used for the purposes contemplated by these agreements.

[***** End Sun Alert ID: 101897 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-278: clamav -- integer overflows
P-279: Cisco Clean Access Vulnerability
P-280: Security Vulnerability in The "printd" Daemon
P-281: Security Vulnerabilities in the Sun StorEdge Enterprise Backup Software
P-282: PHP PEAR XML-RPC Server Package Vulnerability
P-283: Cisco Intrusion Prevention System Vulnerable to Privilege Escalation
P-284: SSL Certificate Validation Vulnerability in IDS Management Software
P-285: netpbm security update
P-286: vim security update
P-287: elm security update
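
The two conditions listed under "Contributing Factors" in Sun Alert 101897 above (Solaris 10 without patch 119593-01 on SPARC or 119594-01 on x86, and the host being a "DHCP" client) can be checked together from saved command output. The script below is an added example, not part of the CIAC bulletin or the Sun Alert; the function names, the verdict words and the sample input are assumptions made for illustration, and the "showrev -p" line layout is assumed to be the usual "Patch: ID-REV Obsoletes: ..." form.

```shell
#!/bin/sh
# Added example: triage for Sun Alert 101897 from saved command output.
# Written for Bourne-compatible shells (backticks, no "local").

# patch_rev BASE: read `showrev -p` text on stdin, print the highest installed
# revision of patch BASE (e.g. "01"), or nothing if the patch is absent.
patch_rev() {
    sed -n "s/^Patch: $1-\([0-9][0-9]*\) .*/\1/p" | sort -n | sed -n '$p'
}

# dhcp_ifaces: read `netstat -D` text on stdin, print interfaces that have a
# DHCP state row. The header row and the "(Began, Expires, Renew)" lease line
# are skipped.
dhcp_ifaces() {
    awk 'NF >= 5 && $1 != "Interface" && $1 !~ /^\(/ { print $1 }'
}

# assess ARCH SHOWREV_TEXT NETSTAT_TEXT: print one verdict word.
# ARCH is the output of `uname -p` ("sparc" or "i386").
assess() {
    case "$1" in
        sparc) fix=119593 ;;   # fixed by 119593-01 or later (from the alert)
        i386)  fix=119594 ;;   # fixed by 119594-01 or later (from the alert)
        *)     echo UNKNOWN_ARCH; return 0 ;;
    esac
    rev=`printf '%s\n' "$2" | patch_rev "$fix"`
    ifaces=`printf '%s\n' "$3" | dhcp_ifaces`
    if [ -n "$rev" ]; then
        echo PATCHED                # any installed revision carries the fix
    elif [ -n "$ifaces" ]; then
        echo VULNERABLE             # DHCP client without the patch
    else
        echo UNPATCHED_NOT_DHCP     # not exposed now, still needs the patch
    fi
}

# Constructed sample input (patch 100000-01 and the package name are made up).
SAMPLE_NETSTAT='Interface  State         Sent  Recv  Declined  Flags
bge0       BOUND            1     1         0
(Began, Expires, Renew) = (08/15/2005 16:00, 08/15/2005 20:00, 08/15/2005 17:57)'
SAMPLE_UNPATCHED='Patch: 100000-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'
SAMPLE_PATCHED="$SAMPLE_UNPATCHED
Patch: 119593-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample"

assess sparc "$SAMPLE_UNPATCHED" "$SAMPLE_NETSTAT"
# On a live Solaris 10 host (uname -r reports 5.10):
#   assess "`uname -p`" "`showrev -p`" "`netstat -D 2>/dev/null`"
```

A host reported as UNPATCHED_NOT_DHCP is not exposed in its current configuration but becomes so if it is later switched to "DHCP", so it still belongs on the patch list.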