-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2009.0533 -- [Solaris][OpenSolaris]
       Solaris Kerberos Credential Management: Inappropriate Access
                                9 June 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Solaris Kerberos Credential Management
Publisher:            Sun Microsystems
Operating System:     Solaris
                      OpenSolaris
Impact:               Inappropriate Access
Access:               Existing Account
CVE Names:            CVE-2009-1933

Original Bulletin:    
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-252787-1

Revision History:     June 9 2009: Added CVE Reference
                      June 5 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Solution Type: Sun Alert
Solution  252787 :   A Security Vulnerability in Solaris Kerberos Credential 
                     Management May Lead to Unauthorized Access of 
                     Kerberized NFS Mount Points          
Bug ID: 6802931

Product

Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Resolved Release: 03-Jun-2009

SA Document Body

A Security Vulnerability in Solaris Kerberos Credential Management May Lead 
to Unauthorized Access of Kerberized NFS Mount Points

1. Impact

A security vulnerability in the Solaris Kerberos (see kerberos(5))
credential cache management may allow a local unprivileged user to
access Kerberized mount points without authorization.
Sun acknowledges with thanks, Anton Lundin for bringing this issue to
our attention.

2. Contributing Factors

This issue can occur in the following releases:
   SPARC Platform
     * Solaris 8 without patch 140841-01
     * Solaris 9 without patch 112908-34
     * Solaris 10 without patch 140074-05
     * OpenSolaris based upon build snv_01 through snv_116

   x86 Platform
     * Solaris 8 without patch 140842-01
     * Solaris 9 without patch 115168-19
     * Solaris 10 without patch 140130-06
     * OpenSolaris based upon build snv_01 through snv_116

Notes:
   1. Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to
   patches developed on or after 1 April 2009 requires the purchase of
   the Solaris 8 Vintage Patch Service. See note in section 5 for more
   details.
   2. OpenSolaris distributions may include additional bug fixes above
   and beyond the build from which it was derived. The base build can be
   derived as follows:
$ uname -v
snv_101

   3. This issue could affect all systems utilizing Kerberized NFS mount
   points as an NFS client.  To determine if a system could be exposed to
   this issue, the following command can be run:
$ nfsstat -m | grep sec=krb

   If any data is returned, the system may be vulnerable to this issue.

3. Symptoms

This issue exists on all systems utilizing Kerberized NFS mount
points.  There are no predictable symptoms that would indicate this
issue has been exploited to gain unauthorized access to Kerberized NFS
shares.

4. Workaround

There is no workaround that would prevent unauthorized access to
affected shares. It may be desirable therefore to modify the share and
mount options so that they no longer utilize Kerberos. This can be
done by editing of the dfstab(4) file on the NFS server and removing
the 'sec=' option.
Alternatively, the unshare(1) command can be used to unshare the
filesystem, and the share(1) command to share the filesystem, not
specifying the 'sec=' option.  The client systems could then umount(1)
the filesystem and then mount(1) with no 'sec=' option.  This will
allow UNIX system permissions to  safeguard against unauthorized
access.
   Note: As this workaround disables Kerberos for the affected NFS
   shares, the security of those shares may be impacted in various ways
   depending on the configuration. For example, network traffic
   associated with those shares may no longer be encrypted during
   transfer, and the access permissions will revert to those supported by
   the standard UNIX permissions implementation.

5. Resolution

This issue is addressed in the following releases:
   SPARC Platform
     * Solaris 8 with patch 140841-01 or later
     * Solaris 9 with patch 112908-34 or later
     * Solaris 10 with patch 140074-05 or later
     * OpenSolaris based upon build snv_117 or later

   x86 Platform
     * Solaris 8 with patch 140842-01 or later
     * Solaris 9 with patch 115168-19 or later
     * Solaris 10 with patch 140130-06 or later
     * OpenSolaris based upon build snv_117 or later

   Note: The READMEs of Solaris 8 patches developed on or after 1 April
   2009 are available to all customers. However, Solaris 8 entered EOSL
   Phase 2 on April 1, 2009 and thus entitlement for these patches,
   including those that fix security vulnerabilities, requires the
   purchase of the Solaris 8 Vintage Patch Service. More information
   about the Solaris 8 Vintage Patch Service is available at:

     http://www.sun.com/service/eosl/Solaris8.html

For more information on Security Sun Alerts, see Technical
Instruction ID 213557.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKLalLNVH5XJJInbgRAoiyAJ9n4RbOvUlGLs9UdxR1KoUR74xi9gCeJlqf
M5sKUAw8kb9k9HYaLEaiKJk=
=Vw5f
-----END PGP SIGNATURE-----