=====================================================================
                          CERT-Renater

               Information Note No. 2007/VULN520
_____________________________________________________________________

DATE                 : 17/12/2007

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Solaris 10 running NFS.

======================================================================

Sun(sm) Alert Notification

  * Sun Alert ID: 103162
  * Synopsis: Solaris 10 Kernel Patches May Allow Privileged Remote
    Users to Gain Root Access to Files Shared by NFS Servers
  * Category: Security, Availability
  * Product: Solaris 10 Operating System
  * BugIDs: 6602070
  * Avoidance: Patch, Workaround
  * State: Resolved
  * Date Released: 13-Dec-2007
  * Date Closed: 13-Dec-2007
  * Date Modified: 14-Dec-2007

1. Impact

A security vulnerability exists for Solaris 10 systems with kernel
patches 120011-04 or later (SPARC) and 120012-04 or later (x86) which
are configured as NFS servers and grant root user access to one or more
netgroups. This vulnerability may allow remote root users on systems
which are not part of the configured netgroup(s) to also have root
access to files shared by the NFS server.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform:
  * Solaris 10 with patch 120011-04 or later and without patch 127111-05

x86 Platform:
  * Solaris 10 with patch 120012-04 or later and without patch 127954-03

NOTE: Solaris 8 and 9 are not impacted by this issue.

A system is only impacted by this issue if both of the following are
true:

a) The system is acting as an NFS server and is sharing root access to a
netgroup or to other clients using the "rw=" option (see share_nfs(1M)).
This can be determined using the '/usr/sbin/share' command as in the
following example:

    $ share
    /NFSTEST root=hostname ""

b) Either the 'ipnodes' OR the 'hosts' entry (OR both these entries) in
/etc/nsswitch.conf have only "files" used to define the source.

The following command may be executed to check these entries in
/etc/nsswitch.conf:

    $ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
    hosts: files nisplus dns [NOTFOUND=return] files
    ipnodes: nisplus [NOTFOUND=return] files

3. Symptoms

There are no predictable symptoms that would indicate the described
vulnerability has been exploited.

4. Relief/Workaround

A) To work around this issue, patch 120011-04 or later (SPARC) or patch
120012-04 or later (x86) may be removed using the patchrm(1M) command.
Note however that these patches cannot be removed on Solaris 10 8/07
systems, as they are part of the initial installation of Solaris 10
8/07.

B) Alternatively, this issue can be avoided by adding another name
service for hosts and ipnodes in /etc/nsswitch.conf. For example:

    $ egrep '^ipnodes|^hosts' /etc/nsswitch.conf
    hosts: files nis
    ipnodes: files nis

C) This issue can also be avoided by disabling the nscd(1M) daemon on
the NFS server. Disabling the nscd daemon may slow responses to name
service requests on the NFS server. The nscd daemon may be disabled by
running the following command (as 'root' user):

    # svcadm disable svc:/system/name-service-cache:default

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  * Solaris 10 with patch 127111-05 or later

x86 Platform
  * Solaris 10 with patch 127954-03 or later

Change History

14-Dec-2007:
  * Updated Contributing Factors section

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

======================================================================

=========================================================
CERT-Renater reference servers

http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================
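
Added example (not part of the Sun Alert or the CERT-Renater note): conditions a) and b) from "Contributing Factors" combined into one check that reads saved `share` output and a copy of nsswitch.conf. The function names and sample files are hypothetical, the root= test follows the advisory's own share example, and patch levels are not checked.

```shell
#!/bin/sh
# Added example, not Sun's or CERT-Renater's code. Function names are hypothetical.

# Condition a): a line of `share` output (saved in file $1) carries a root=
# option, as in the advisory's example.
share_grants_root() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /(^|,)root=/) found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Condition b) for one database ($2: hosts or ipnodes) in nsswitch file $1:
# succeeds when the entry exists and every source it names is "files".
# Bracketed criteria such as [NOTFOUND=return] are not sources.
nss_only_files() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }      # strip comments, split "db:src"
        $1 == (db ":") {
            seen = 1; inbr = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) inbr = 1
                if (inbr) { if ($i ~ /\]$/) inbr = 0; continue }
                if ($i != "files") other = 1
            }
        }
        END { exit ((seen && !other) ? 0 : 1) }' "$1"
}

# Both conditions: a) holds, and hosts OR ipnodes uses only "files".
nfs_root_exposed() {
    share_grants_root "$1" || return 1
    nss_only_files "$2" hosts || nss_only_files "$2" ipnodes
}

# Constructed sample input, not taken from a real host.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '/NFSTEST root=hostname ""' > "$d/share.out"
    printf '%s\n' 'hosts: files' 'ipnodes: files nis' > "$d/nsswitch.conf"
    if nfs_root_exposed "$d/share.out" "$d/nsswitch.conf"; then
        echo "matches both conditions: apply the patch or a workaround"
    else
        echo "does not match both conditions"
    fi
    rm -rf "$d"
}
demo
```

On a server, save the output of /usr/sbin/share to a file and pass it with /etc/nsswitch.conf to nfs_root_exposed; a zero exit status means both conditions hold.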