Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-77-1018965.1
Update Date:2011-02-25
Keywords:

Solution Type  Sun Alert Sure

Solution  1018965.1 :   Some Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration  


Related Items
  • Sun SPARC Enterprise T5220 Server
  • Sun SPARC Enterprise T5120 Server

Related Categories
  • GCS>Sun Microsystems>Sun Alert>Criteria Category>Availability
  • GCS>Sun Microsystems>Sun Alert>Release Phase>Resolved

PreviouslyPublishedAs
231244


Bug Id
None

Product
Sun SPARC Enterprise T5120 Server
Sun SPARC Enterprise T5220 Server

Date of Resolved Release
12-Feb-2008

Some Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration

1. Impact

Sun SPARC Enterprise T5120 and T5220 servers with datecode prior to BEL07480000 have been mistakenly shipped with factory settings in the pre-installed Solaris 10 OS image. These settings may allow a local or remote user to execute arbitrary commands with the privileges of the root (uid 0) user.

(To determine if your systems are affected by this issue please look for the changed parameters and extra files listed in the Contributing Factors section below).

2. Contributing Factors

This issue can occur on the following platforms:
  • Sun SPARC Enterprise T5120 and T5220 Servers with datecode prior to BEL07480000
Note: Systems are only impacted by this issue if they have an incorrect factory image installed.

To determine the datecode on the T5120 or T5220, use either "Lights Out Management" (LOM) or prtdiag(1M) commands:

    ILOM CLI:  > show /SYS/
    ALOM CLI:  sc> showplatform
    prtdiag -v

To determine if an incorrect factory image of Solaris 10 has been installed on a system and if the system is affected by this issue, the following items can be reviewed:

A. Remote logins are enabled for the root user, which is indicated by the CONSOLE entry in /etc/default/login beginning with a hash sign (#):

    $ grep CONSOLE= /etc/default/login
    #CONSOLE=/dev/console

B. The sshd(1M) daemon is configured to allow the root user to log in using ssh(1), which is indicated by the 'PermitRootLogin' entry in sshd_config(4) being set to 'yes':

    $ grep PermitRootLogin /etc/ssh/sshd_config
    PermitRootLogin yes

C. A profile(4) file for the root user will exist and have the 'PS1' environment variable set to a value of 'ROOT>' and the 'LOGDIR' environment variable set to '/export/home/utslog':

    $ egrep 'PS1|LOGDIR' /.profile
    PS1='ROOT>'
    LOGDIR='/export/home/utslog'
    export LOGDIR

D. Extra files and directories will exist on the system which are not part of a default install of Solaris 10:

    Files:
    /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
    /etc/opt/SUNWvts/sunvts.conf
    /opt/SUNWvts/bin/conf/iobus.cfg
    /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2
    /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1

    Directories:
    /opt/SUNWt1tsk
    /export/Nebula
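
The checks in items A to D above, combined into one POSIX sh function (an added example, not part of the original Sun Alert). The optional ROOT argument is a hypothetical alternate-root prefix, so the function can also be pointed at a mounted image; with no argument it inspects the live system.

```shell
#!/bin/sh
# Added example: report which of indicators A-D from this alert are present.
# Usage: check_factory_image [ROOT]   (ROOT is a hypothetical alternate-root
# prefix, e.g. a mounted boot environment; empty means the live system).
# Prints one line per finding; returns 1 if any indicator is found, else 0.
check_factory_image() {
    root="$1"
    found=0

    # A: CONSOLE entry commented out, so root may log in remotely
    if grep '^#CONSOLE=' "$root/etc/default/login" >/dev/null 2>&1; then
        echo "A: CONSOLE is commented out in /etc/default/login"
        found=1
    fi

    # B: sshd permits root logins (sshd_config keywords are case-insensitive)
    if grep -i '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*yes' \
        "$root/etc/ssh/sshd_config" >/dev/null 2>&1; then
        echo "B: PermitRootLogin yes in /etc/ssh/sshd_config"
        found=1
    fi

    # C: factory test settings left in root's profile
    if grep -E "^PS1='ROOT>'|^LOGDIR='/export/home/utslog'" \
        "$root/.profile" >/dev/null 2>&1; then
        echo "C: factory PS1/LOGDIR settings in /.profile"
        found=1
    fi

    # D: files and directories that a default Solaris 10 install lacks
    for f in \
        /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1 \
        /etc/opt/SUNWvts/sunvts.conf \
        /opt/SUNWvts/bin/conf/iobus.cfg \
        /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2 \
        /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
    do
        if [ -f "$root$f" ]; then echo "D: extra file $f"; found=1; fi
    done
    for d in /opt/SUNWt1tsk /export/Nebula; do
        if [ -d "$root$d" ]; then echo "D: extra directory $d"; found=1; fi
    done

    return $found
}
```

Running the same function again after the Workaround steps confirms the remediation: it should print nothing and return 0.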

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

Systems which are affected by this issue can modify the factory settings to no longer be insecure by performing the following steps as the root user:

For item A, modify the CONSOLE entry in the /etc/default/login file to no longer begin with a hash (#).

For item B, modify the PermitRootLogin entry in the /etc/ssh/sshd_config file from 'yes' to 'no' and then signal the sshd(1M) daemon to reread its configuration file using svcadm(1M):

    # svcadm restart svc:/network/ssh:default

For item C, the following lines can be removed from the /.profile file:

    PS1='ROOT>'
    LOGDIR='/export/home/utslog'
    export LOGDIR

For item D, the following files and directories can be removed using the rm(1) command:

    # /bin/rm /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1 /etc/opt/SUNWvts/sunvts.conf /opt/SUNWvts/bin/conf/iobus.cfg \
        /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2 /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1

    # /bin/rm -rf /opt/SUNWt1tsk /export/Nebula

5. Resolution

Sun SPARC Enterprise T5120 and T5220 servers with datecode BEL07480000 and later ship with the correct Solaris 10 image. The resolution for systems affected by this issue is to follow the steps outlined in the "Workaround" section above.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


Internal Comments
Internal Eng Business Unit Group
SSG ES (Enterprise Systems)

Internal Sun Alert & FAB Admin Info
WF 12-Feb-2008, david m: signoff OK by Security, send to publish
WF 01-FEB-2008, David M: draft created, sent for 24hr review

