INFORMATION BULLETIN
INFORMATION BULLETIN
PROBLEM: Vulnerability in Solaris 2.3 "automountd". PLATFORM: Sun Solaris 2.3 only. No other Sun OSs are affected. DAMAGE: The vulnerability allows a user with an unprivileged account to get root access on a Solaris 2.3 system. SOLUTION: Retrieve and install the indicated patch.
VULNERABILITY As of the date of this bulletin, Sun has had no reports of ASSESSMENT: this hole being exploited, but the hole is serious, and CIAC strongly recommends that this patch be installed.
CIAC has received information from Sun Microsystems regarding the availability of Sun patch 101329-15 which will fix the automountd vulnerability. The following text is from the Sun Microsystems Security Bulletin #00127a, which supersedes bulletin #00127 issued on 5/4/94.
Patch 101329-15 fixes a bug in the Solaris 2.3 version of automountd which allows a user with an unprivileged account on a 2.3 system to gain root access.
No reports of this vulnerability being exploited have yet come to the attention of this office. We nevertheless recommend that all affected customers close this very serious security hole.
The automountd fix is bundled into the Solaris 2.3 jumbo NIS+ patch. The first version of the patch to contain the security fix was 101329-10; but we recommend the installation of the latest version (currently 101329-15).
This bug is not found in any other SunOS version, including Solaris x86. The fix has been integrated into the upcoming Solaris 2.4 release.
NOTE: The original version of this bulletin, issued yesterday, referred to version -13 of the patch as the latest. Shortly after the bulletin was issued, however, version -15 (skipping -14) was released, superseding the earlier version on SunSolve. For that reason--and also to correct a last-minute typographical error--we are issuing this revised bulletin. We apologize for the error and regret any inconvenience.
To assist those who have already installed version -13 in deciding whether to install -15 as well, we provide here a summary of the bugs first fixed in the newer version. None specifically relate to security.
1163847 automountd doesn't work with Apollo pathnames which start with //
1153274 machine panics with recursive mutex_enter while using automounter 1156518 Cannot mount mvs/nfs mounts using autofs under Solaris 2.2 & 2.3.
The following table contains the checksums for the NIS+ patch (#101329-15).
File Name BSD Checksum SVR4 Checksum MD5 Digital Signature 101329-15.tar.Z 55492 843 46189 1685 19AA042484727A5DE9CB21199858071AThe checksums shown in the table are from the BSD-based checksum program distributed with the system software (on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version checksum program distributed with Solaris 2.x (/usr/bin/sum). MD5 software can be retrieved via anonymous FTP from ciac.llnl.gov in the file /pub/util/crypto/md5.tar
(MD5 checksum of md5.tar: B6B90CC7C56353FC643DF25B6F730D21).
Individuals with Sun support contracts may obtain these patches from their local Sun Answer Center or from SunSolve Online. Security patches are also available without a support contract via anonymous FTP from ftp.uu.net (IP address 192.48.96.9) in the directory /systems/sun/sun-dist.
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org