=====================================================================
CERT-Renater Information Note No. 2006/VULN456
_____________________________________________________________________

DATE                 : 22/08/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Solaris 8, Solaris 9, Solaris 10 running
                       Sun Ray Server 3.x Software.
======================================================================

Sun(sm) Alert Notification

  * Sun Alert ID: 101924
  * Synopsis: Security Vulnerability in the Sun Ray Utility utxconfig(1)
  * Category: Security
  * Product: Sun Ray Server Software 3.0
  * BugIDs: 6319180
  * Avoidance: Patch
  * State: Resolved
  * Date Released: 07-Aug-2006
  * Date Closed: 07-Aug-2006
  * Date Modified: 10-Aug-2006

1. Impact

A security vulnerability in the Sun Ray Server 3.x Software (SRSS)
utxconfig(1) utility may allow a local unprivileged user to create or
overwrite arbitrary files on the system. Because utxconfig(1) is
installed setuid (see section 4), the files are written with the
utility's elevated privileges rather than the user's own; overwriting
system files in this way is a typical route to a full privilege
escalation, so the issue should be treated as a local root risk rather
than a mere integrity problem.

Note: utxconfig(1) is the Sun Ray DTU X server configuration utility.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  * Sun Ray Server Software 3.0 (for Solaris 8 and 9) without patch 118979-02
  * Sun Ray Server Software 3.1 (for Solaris 8, 9 and 10) without patch 120879-01

x86 Platform
  * Sun Ray Server Software 3.1 (for Solaris 10) without patch 120880-01

Linux Platform
  * Sun Ray Server Software 3.0 (for JDS R2, RHELAS 3.0, SLES 8.0) without patch 119836-02
  * Sun Ray Server Software 3.1 (for JDS R2, RHELAS 3.0, SLES 8.0) without patch 120881-01

Notes:
  1. Sun Ray Server Software 1.x and 2.x are not affected by this issue.
  2. Sun Ray Server Software 3.0 is not supported on the Solaris x86
     platform (3.1 only).
  3. Sun Ray Server Software 3.1 is not supported for Solaris 8 and 9 on
     the x86 platform (Solaris 10 only).

To determine the version of Sun Ray Server Software on a system, the
following command can be run:

  # /usr/bin/pkginfo -l SUNWuto | grep -i version
     VERSION:  3.1_32,REV=2005.08.24.08.55

The part before the underscore ("3.1" above) is the release that the
patch tables in sections 2 and 5 refer to.

To determine if the utxconfig(1) utility has been installed as part of
the Sun Ray server software, the following command can be run:

  $ pkginfo SUNWuta

If the SUNWuta package is not installed, the vulnerable binary is not
present and the system is not exposed.

3. Symptoms

There are no symptoms that would indicate the described issue has
occurred. Exposure therefore has to be established from the installed
SRSS release and patch level (section 2), not from logs or other
runtime evidence.

4. Relief/Workaround

To work around the described issue, temporarily remove the setuid(2)
bit from the utxconfig(1) command until the patch can be applied. To
apply this change, the following command can be run:

  # chmod u-s /opt/SUNWut/bin/utxconfig

Note: Removing the setuid(2) bit from the command may decrease its
functionality for non-privileged users, since operations that relied
on the elevated privileges will no longer succeed for them. Re-check
the bit after installing the patch, as package updates can replace the
binary and its mode.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  * Sun Ray Server Software 3.0 (for Solaris 8 and 9) with patch 118979-02 or later
  * Sun Ray Server Software 3.1 (for Solaris 8, 9 and 10) with patch 120879-01 or later

x86 Platform
  * Sun Ray Server Software 3.1 (for Solaris 10) with patch 120880-01 or later

Linux Platform
  * Sun Ray Server Software 3.0 (for JDS R2, RHELAS 3.0, SLES 8.0) with patch 119836-02 or later
  * Sun Ray Server Software 3.1 (for JDS R2, RHELAS 3.0, SLES 8.0) with patch 120881-01 or later

Change History

10-Aug-2006:
  * Updated Contributing Factors and Resolution sections

======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital    | fax  : 01-53-94-20-41 +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================
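Sections 2, 4 and 5 of the alert describe a manual procedure: read the SRSS release from pkginfo, look up the patch that fixes the release/platform pair, confirm that patch (or a later revision of it) is installed, and, failing that, make sure the setuid bit has been stripped from utxconfig. The script below is an added example that turns that procedure into something you can run across a fleet; it is not code from Sun or CERT-Renater. It assumes Solaris tools (pkginfo(1), showrev(1M), `uname -p`) with their usual output, the binary path /opt/SUNWut/bin/utxconfig stated in section 4, and a patch list in the "Patch: NNNNNN-RR ..." line format that showrev -p prints; the sample VERSION lines and patch records used for offline checking are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Sun's or CERT-Renater's code): decide whether a Sun Ray
# Server host is exposed to Sun Alert 101924 (BugID 6319180) from the data the
# advisory tells you to collect, and check whether the setuid workaround is in
# place. The functions take the command output as arguments so they can be
# exercised offline on constructed samples; "--live" runs the real commands on
# a Solaris host. Assumed: pkginfo(1), showrev(1M) and 'uname -p' behave as on
# Solaris, and the binary lives at /opt/SUNWut/bin/utxconfig.

# Patch that resolves the issue for a given SRSS release and platform (table
# from sections 2 and 5). Empty output = no entry in the alert, e.g. SRSS 3.0
# on x86, which Sun did not ship.
required_patch() {
  case "$1/$2" in
    3.0/sparc) echo 118979-02 ;;
    3.1/sparc) echo 120879-01 ;;
    3.1/i386)  echo 120880-01 ;;
    3.0/linux) echo 119836-02 ;;
    3.1/linux) echo 120881-01 ;;
    *)         echo "" ;;
  esac
}

# "major.minor" from the VERSION line of 'pkginfo -l SUNWuto', e.g.
# "VERSION:  3.1_32,REV=2005.08.24.08.55" -> "3.1".
srss_version() {
  set -- $1                # split on blanks: $1="VERSION:", $2=value
  v=$2
  v=${v%%_*}               # drop the build suffix "_32,REV=..."
  v=${v%%,*}               # drop ",REV=..." when there is no "_"
  echo "$v"
}

# True if the patch list ($2, one "Patch: NNNNNN-RR ..." record per line as
# printed by 'showrev -p') carries patch $1 at that revision or later.
# Only a same-base-ID patch counts, and an older revision does not satisfy.
has_patch() {
  want_base=${1%-*}
  want_rev=${1#*-}
  hit=$(printf '%s\n' "$2" | while read -r tag id rest; do
    if [ "$tag" = "Patch:" ] && [ "${id%-*}" = "$want_base" ] \
       && [ "${id#*-}" -ge "$want_rev" ]; then
      echo hit
    fi
  done)
  [ -n "$hit" ]
}

# Verdict for one host: "not affected" (SRSS 1.x/2.x, note 1), "patched",
# "vulnerable", or "unknown" (release/platform pair the alert does not list).
# $1 = VERSION line, $2 = platform (sparc|i386|linux), $3 = patch list.
assess() {
  ver=$(srss_version "$1")
  case "$ver" in
    1.*|2.*) echo "not affected"; return 0 ;;
  esac
  patch=$(required_patch "$ver" "$2")
  if [ -z "$patch" ]; then
    echo "unknown"
  elif has_patch "$patch" "$3"; then
    echo "patched"
  else
    echo "vulnerable"
  fi
}

# Section 4 workaround check: is the setuid bit still set on utxconfig?
utxconfig_is_setuid() {
  [ -u "${1:-/opt/SUNWut/bin/utxconfig}" ]
}

if [ "${1:-}" = "--live" ]; then     # Solaris only: Linux SRSS uses rpm, not pkginfo
  line=$(/usr/bin/pkginfo -l SUNWuto | grep -i version)
  arch=$(uname -p)                  # "sparc" or "i386" on Solaris
  patches=$(showrev -p)
  echo "SRSS $(srss_version "$line") on $arch: $(assess "$line" "$arch" "$patches")"
  if utxconfig_is_setuid; then
    echo "utxconfig is still setuid: apply the patch or 'chmod u-s' it"
  fi
fi
```

Run it as `sh srss_check.sh --live` on each Sun Ray server; without `--live` it only defines the functions, so the same file can be sourced from an inventory script that already has the pkginfo and showrev output in hand. The revision comparison matters: showrev lists every installed revision, and 118979-01 on a 3.0 server must still report "vulnerable" because the alert requires 118979-02 or later.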