Security Vulnerability in the Logging Mechanism for Solaris Management Console (SMC) May Lead to Escalation of Privileges

A security vulnerability in the logging mechanism for Solaris Management Console (SMC) may allow a local or remote unprivileged user to gain unauthorized root access to a Solaris system.

Document Audience: PUBLIC
Document ID: 102903
Title: Security Vulnerability in the Logging Mechanism for Solaris Management Console (SMC) May Lead to Escalation of Privileges
Copyright Notice: Copyright © 2007 Sun Microsystems, Inc. All Rights Reserved
Update Date: Tue Jun 05 00:00:00 MDT 2007

--------------------------------------------------------------------------------
Status Issued


Description Top

Sun(sm) Alert Notification
Sun Alert ID: 102903
Synopsis: Security Vulnerability in the Logging Mechanism for Solaris Management Console (SMC) May Lead to Escalation of Privileges
Category: Security
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
BugIDs: 6365746
Avoidance: Patch, Workaround
State: Resolved
Date Released: 05-Jun-2007
Date Closed: 05-Jun-2007
Date Modified:
1. Impact
A security vulnerability in the logging mechanism for Solaris Management Console (SMC) may allow a local or remote unprivileged user to gain unauthorized root access to a Solaris system.

Sun acknowledges with thanks, Adam Gowdiak for bringing this issue to our attention.

2. Contributing Factors
This issue can occur in the following releases:

SPARC Platform:

Solaris 8 without patch 111313-06
Solaris 9 without patch 112945-45
Solaris 10 without patch 121308-04
x86 Platform:

Solaris 8 without patch 111314-06
Solaris 9 without patch 114193-35
Solaris 10 without patch 121309-04
Note: The described issue only occurs if the SMC server is running on the system.

To determine if SMC is running on a system, the following command can be run (as 'root' on Solaris 8 and 9 systems and as any user on Solaris 10 systems):

for Solaris 8:

    # /etc/init.d/init.wbem status
    Solaris Management Console server not running on port 898
for Solaris 9:

    # /etc/init.d/init.wbem status
    Solaris Management Console server version 2.1.0 running on port 898
for Solaris 10:

    $ svcs svc:/application/management/wbem
    STATE          STIME    FMRI
    online         Apr_12   svc:/application/management/wbem:default
3. Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited to gain unauthorized root access on a system.



Solution Summary Top

4. Relief/Workaround
To prevent this issue from occurring until the resolution patches can be applied, the SMC server can be stopped by issuing the following command as 'root' (note that this will remove the functionality of the SMC service on that host):

for Solaris 8 or 9:

    # /etc/init.d/init.wbem stop
for Solaris 10:

    # svcadm disable svc:/application/management/wbem


5. Resolution
SPARC Platform

Solaris 8 with patch 111313-06 or later
Solaris 9 with patch 112945-45 or later
Solaris 10 with patch 121308-04 or later
x86 Platform

Solaris 8 with patch 111314-06 or later
Solaris 9 with patch 114193-35 or later
Solaris 10 with patch 121309-04 or later


This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.


Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Telegram Подписывайтесь на канал "SecurityLab" в Telegram, чтобы первыми узнавать о новостях и эксклюзивных материалах по информационной безопасности.