Lucene search

CERTVU:41870

HistorySep 19, 2003 - 12:00 a.m.

Sun Solstice AdminSuite ships with insecure default configuration

2003-09-1900:00:00

www.kb.cert.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.969

Percentile

99.7%

JSON

Overview

The sadmind service provided on many Solaris and SunOS systems ships with an insecure default configuration that allows remote users to execute arbitrary commands with superuser (root) privileges.

Description

The Sun Microsystems Solstice AdminSuite is a graphical tool that allows Solaris and SunOS hosts to be administered by a remote host. The daemon portion of the program (sadmind) is a setuid root application that listens for requests from a remote administration client. In its default configuration, sadmind accepts requests using “AUTH_SYS” authentication, which uses plaintext authentication in a format that can be easily manipulated by an attacker. Since sadmind is designed to allow the remote execution of arbitrary commands, an attacker who is able to spoof the authentication portion of a packet can execute commands with little difficulty.

The daemon can be configured to operate securely by specifying a security level of 2, which causes sadmind to require “AUTH_DES” authentication. This capability has existed since at least April 1999, when the sadmind man page was updated for SunOS 5.9. The recommendation to use security level 2 was provided in Sun Security Bulletin #00191 and CERT Advisory CA-1999-16, so it is likely that many Solaris systems have been configured to disable this service. However, the insecure default configuration is still shipped with modern releases of Solaris, so system administrators are encouraged to review their configurations.

Impact

Affected systems allow remote users to execute arbitrary commands with the privileges of the sadmind daemon, typically superuser (root).

Solution

The CERT/CC is not aware of a permanent solution that addresses this vulnerability.

Configure sadmind to use AUTH_DES authentication

As recommended by _Sun Alert _56740, users can take the following steps to enable AUTH_DES authentication:

1. Edit the “/etc/inetd.conf” file and append “-S 2” to the end of the sadmind line as follows:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

2. Tell the inetd(1M) process to reread the newly modified “/etc/inetd.conf” file by sending it a hangup signal, SIGHUP:

/usr/bin/pkill -HUP inetd

Disable the sadmind daemon

As recommended by _Sun Alert _56740, users can take the following steps to disable sadmind:

1. Edit the “/etc/inetd.conf” file and comment out the following line by adding the “#” symbol to the beginning of the line as follows:

#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

2. Tell the inetd(1M) process to reread the newly modified “/etc/inetd.conf” file by sending it a hangup signal, SIGHUP:

/usr/bin/pkill -HUP inetd

Vendor Information

41870

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Sun Microsystems Inc. __ Affected

Notified: April 03, 1999 Updated: September 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems has published Alert Notification 56740 to document this vulnerability. For more information, please see:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fsalert%2F56740&display=plain

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%2341870 Feedback>).