===================================================================== CERT-Renater Note d'Information No. 2005/VULN420 _____________________________________________________________________ DATE : 30/06/2005 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Solaris 8, Solaris 9, Solaris 10. ====================================================================== Sun(sm) Alert Notification * Sun Alert ID: 101794 * Synopsis: Security vulnerability in the Solaris runtime linker (ld.so.1(1)) * Category: Security * Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System * BugIDs: 6291547 * Avoidance: Workaround * State: Workaround * Date Released: 28-Jun-2005 * Date Closed: * Date Modified: 29-Jun-2005 1. Impact Local unprivileged users may be able to gain unauthorized root access due to a security vulnerability in the Solaris runtime linker (ld.so.1(1)). 2. Contributing Factors This issue can occur in the following releases: SPARC Platform: * Solaris 8 with patches 109147-31 through 109147-36 * Solaris 9 with patches 112963-16 through 112963-19 * Solaris 10 x86 Platform * Solaris 8 with patches 109148-31 through 109148-36 * Solaris 9 with patches 113986-12 through 113986-15 * Solaris 10 Note: Solaris 7 is not affected by this issue. 3. Symptoms There are no reliable symptoms that would indicate the described issue had been exploited to gain elevated privileges. 4. Relief/Workaround To work around the described issue, sites running Solaris 8 or Solaris 9 can back out the relevant linker patch to a revision which is not affected using the patchrm(1M) command. If the patch cannot be backed out, the ld.so.1(1M) file from an earlier patch can be replaced on the system using the following steps as the root user: 1. Copy the ld.so.1 file from the patch onto the system as shown in the following example: # cp ./SUNWcsu/reloc/usr/lib/ld.so.1 /usr/lib/ld.so.1-patch 2. Create a directory entry (link) for the existing runtime linker to a new file using ln(1): # cd /usr/lib ; ln ld.so.1 ld.so.1.original 3. Create a directory entry (link) for the patched runtime linker copied earlier to the current runtime linker, again using ln(1): # cd /usr/lib ; ln ld.so.1-patch ld.so.1 4. For SPARC systems running in 64-bit mode, the runtime linker located in the patch at: ./SUNWcsxu/reloc/usr/lib/sparcv9/ld.so.1 will need to be copied to "/usr/lib/sparcv9". The above steps can then be repeated using the "/usr/lib/sparcv9" path instead of "/usr/lib". IDRs (Interim Diagnostic Relief) are available for this issue. An IDR is packaged binary relief in a form which can be installed and removed via patchdadd(1M) and patchrm(1M). The IDRs listed below address the security vulnerability in the runtime linker described in this Sun Alert. Important: Each IDR is bundled with a prerequisite T-Patch that must be applied to the system first. The following IDRs are available for download at: http://sunsolve.sun.com/point: SPARC * Solaris 8 IDR120355-01.tar.bz2 (contains IDR120355-01.zip and T109147-36.tar.Z) * Solaris 9 IDR120357-01.tar.bz2 (contains IDR120357-01.zip and T112963-20.tar.Z) * Solaris 10 IDR120359-01.tar.bz2 (contains IDR120359-01.zip and T117461-02.tar.Z x86 Platform * Solaris 8 IDR120356-01.tar.bz2 (contains IDR120356-01.zip and T109148-36.tar.Z) * Solaris 9 IDR120358-01.tar.bz2 (contains IDR120358-01.zip and T113986-17.tar.Z) * Solaris 10 IDR120360-01.tar.bz2 (contains IDR120360-01.zip and T118849-01.tar.Z) Note: The exact file name (e.g. IDR120360-01.tar.bz2) must be entered in order to download the desired IDR. 5. Resolution A final resolution is pending completion. Change History 29-Jun-2005: * Updated Relief/Workaround section This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================