Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.1106 -- [Linux][Solaris] Security Vulnerabilities in Sun Ray Server Software and Sun Ray Windows Connector May Compromise the Sun Ray Administration Password 9 December 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Sun Ray Server Software 3.x Sun Ray Server Software 4.0 Sun Ray Windows Connector 1.1 Sun Ray Windows Connector 2.0 Publisher: Sun Microsystems Operating System: Solaris Linux variants Impact: Inappropriate Access Access: Remote/Unauthenticated Original Bulletin: http://sunsolve.sun.com/search/document.do?assetkey=1-66-240506-1 - --------------------------BEGIN INCLUDED TEXT-------------------- Solution Type Sun Alert Solution 240506 : Security Vulnerabilities in Sun Ray Server Software and Sun Ray Windows Connector May Compromise the Sun Ray Administration Password Bug ID 6616994, 6617000 Product Sun Ray Server Software 3.x Sun Ray Server Software 4.0 Sun Ray Windows Connector 1.1 Sun Ray Windows Connector 2.0 Date of Resolved Release 05-Dec-2008 SA Document Body Security Vulnerabilities in Sun Ray Server Software and Sun Ray Windows Connector May Compromise the Sun Ray Administration Password 1. Impact Security vulnerabilities in Sun Ray Server Software and Sun Ray Windows Connector may allow a local unprivileged user to gain access to the Sun Ray administration password while the software products are being configured. This would in turn allow unauthorized remote access to the Sun Ray Data Store and unauthorized access to the Sun Ray Administration GUI as the built-in 'admin' user. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform * Sun Ray Server Software 4.0 (for Solaris 10) without patch 127553-04 * Sun Ray Server Software 3.1 (for Solaris 8, 9, and 10) without patch 120879-08 * Sun Ray Server Software 3.0 (for Solaris 8 and 9) without patch 118979-04 * Sun Ray Windows Connector 2.0 (for SRSS 4.0) without patch 127556-03 * Sun Ray Windows Connector 1.1 (for SRSS 3.1) without patch 124847-04 x86 Platform * Sun Ray Server Software 4.0 (for Solaris 10) without patch 127554-04 * Sun Ray Server Software 3.1 (for Solaris 10) without patch 120880-08 * Sun Ray Windows Connector 2.0 (for SRSS 4.0) without patch 127557-03 * Sun Ray Windows Connector 1.1 (for SRSS 3.1) without patch 124848-04 Linux Platform * Sun Ray Server Software 4.0 (for RHEL AS 4, SLES 9) without patch 127555-04 * Sun Ray Server Software 3.1.1 (for RHEL AS 4, SLES 9) without patch 124388-03 * Sun Ray Server Software 3.1 (for RHEL AS 3, SLES 8, JDS 2) without patch 120881-08 * Sun Ray Server Software 3.0 (for RHEL AS 3, SLES 8, JDS 2) without patch 119836-04 * Sun Ray Windows Connector 2.0 (for SRSS 4.0) without patch 127558-03 * Sun Ray Windows Connector 1.1 (for SRSS 3.1.1) without patch 124849-04 Notes: 1. Sun Ray Server Software 2.0 and Sun Ray Windows Connector 1.0 will not be evaluated regarding the potential impact of the issue described in this Sun Alert. 2. This issue does not affect Sun Ray Server Software 3.0 and 3.1 on the Trusted Solaris 8 platform. Only Solaris 8, 9, and 10 and Linux platforms are affected. 3. The password is exposed only while the affected software products are being configured. In Sun Ray Server Software, the vulnerability occurs while the utconfig(1M) tool is being run or while the utinstall(1M) tool is being used to upgrade from a prior version of SRSS or from configuration data preserved using the utpreserve(1M) tool. In Sun Ray Windows Connector, the vulnerability occurs while the uttscadm(1M) tool is being run. To determine the version of Sun Ray Server software in use, the following command can be run: $ /opt/SUNWut/lib/utprodinfo -p SUNWuto VERSION 4.0_48 To determine the version of Sun Ray Windows Connector in use, the following command can be run: $ /opt/SUNWut/lib/utprodinfo -p SUNWuttsc VERSION 2.0_23 3. Symptoms There are no predictable symptoms that would indicate the described issue has been exploited. 4. Workaround To work around the described issue, it should be ensured that no other users have access to the server while Sun Ray Server Software and Sun Ray Windows Connector are being configured. If utconfig(1M), uttscadm(1M) or utinstall(1M) have been run while untrusted users may have had access to the server, the utpw(1M) tool or the Sun Ray web administration GUI should be used to change the Sun Ray administration password that may have been compromised. If this password has also been used for other purposes, passwords in affected software should be changed as well. Note: If this server is part of a failover configuration, utpw(1M) should also be run on the remaining servers. 5. Resolution This issue is addressed in the following releases: SPARC Platform * Sun Ray Server Software 4.0 (for Solaris 10) with patch 127553-04 or later * Sun Ray Server Software 3.1 (for Solaris 8, 9, and 10) with patch 120879-08 or later * Sun Ray Server Software 3.0 (for Solaris 8 and 9) with patch 118979-04 or later * Sun Ray Windows Connector 2.0 (for SRSS 4.0) with patch 127556-03 or later * Sun Ray Windows Connector 1.1 (for SRSS 3.1) with patch 124847-04 or later x86 Platform * Sun Ray Server Software 4.0 (for Solaris 10) with patch 127554-04 or later * Sun Ray Server Software 3.1 (for Solaris 10) with patch 120880-08 or later * Sun Ray Windows Connector 2.0 (for SRSS 4.0) with patch 127557-03 or later * Sun Ray Windows Connector 1.1 (for SRSS 3.1) with patch 124848-04 or later Linux Platform * Sun Ray Server Software 4.0 (for RHEL AS 4, SLES 9) with patch 127555-04 or later * Sun Ray Server Software 3.1.1 (for RHEL AS 4, SLES 9) with patch 124388-03 or later * Sun Ray Server Software 3.1 (for JDS 2, RHEL AS 3, SLES 8) with patch 120881-08 or later * Sun Ray Server Software 3.0 (for JDS 2, RHEL AS 3, SLES 8) with patch 119836-04 or later * Sun Ray Windows Connector 2.0 (for SRSS 4.0) with patch 127558-03 or later * Sun Ray Windows Connector 1.1 (for SRSS 3.1.1) with patch 124849-04 or later Note: After installation of the above listed patches to resolve this issue, use the utpw(1M) command or the Sun Ray web administration GUI to change the Sun Ray administration password on all servers in the replication group. If the Sun Ray administration password has also been used for other purposes, passwords in affected software should be changed as well. For more information on Security Sun Alerts, see Technical Instruction ID 213557. This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBST3vJSh9+71yA2DNAQIaSQP/eJUw8w0TkyXxXF5cFbE7tUxB8NNlO36e 8ULghEgMYFEJ3RmFMxTZWQtGYDtZSi9R+3F2QQuZIzwG5sPF24YQBBOH1dfbQiEF tdrJFxkTlYueemyA648ZcvR+Q8BNLZWHhYeEp0tkSo+dpLZ86METB8WSKi9kJXEg W5UC8tMQNVw= =fQ1n -----END PGP SIGNATURE-----