Sun LDAP Name Service Buffer Overflow May Let Remote Users Gain Root Access
|
|
SecurityTracker Alert ID: 1006401
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Oct 24 2003
|
Original Entry Date: Mar 28 2003
|
Impact: Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description: A buffer overflow vulnerability was reported in the LDAP Name Service on certain versions of Sun Solaris. A remote user could gain root access.
Sun indicated that the buffer overflow resides in the "nss_ldap.so.1" library.
Solaris 8 and 9 are reportedly affected. Sun
reports that Solaris 2.6 and Solaris 7 are not affected.
If the LDAP name service is enabled in the "/etc/nsswitch.conf" file
for any of the following databases, the system may be vulnerable:
bootparams
ethers
hosts
ipnodes
netgroup
netmasks
networks
Sun credits void.at with reporting this flaw.
|
Impact: A remote user could gain root access on the system.
|
Solution: Sun has issued the following preliminary T-patches:
SPARC Platform
Solaris 8 T-patch T108993-29
Solaris 9 T-patch T112960-09
x86
Platform
Solaris 8 T-patch T108994-29
Solaris 9 T-patch T114328-02
As a workaround, Sun reports that you can edit the
"/etc/nsswitch.conf" file (as a root user) to remove the "ldap" keyword for those affected database entries (this will disable the
use of LDAP for those databases). The affected database entries are:
bootparams
ethers
hosts
ipnodes
netgroup
netmasks
networks
|
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F52222 (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: UNIX (Solaris - SunOS)
|
Underlying OS Comments: Solaris 8, 9
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 27 Mar 2003 15:36:40 -0500
Subject: Sun Alert (52222) - LDAP Name Service Buffer Overflow
|
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F52222
Sun issued an Alert (52222) warning of a buffer overflow in the LDAP Name Service that could allow a
remote user to gain root access on the system. The buffer overflow reportedly resides in the
"nss_ldap.so.1" library.
Solaris 8 and 9 are affected. Sun reports that Solaris 2.6 and Solaris 7 are not affected.
If the LDAP name service is enabled in the "/etc/nsswitch.conf" file for any of the followi
ng
databases, the system may be vulnerable:
bootparams
ethers
hosts
ipnodes
netgroup
netmasks
networks
As a workaround, Sun reports that you can edit the "/etc/nsswitch.conf" file (as a root use
r) to
remove the "ldap" keyword for those affected database entries (this will disable the use of
LDAP for
those databases.
Sun is reportedly working on a final fix.
-----
Sun Alert ID: 52222
Synopsis: In Solaris 8 and Solaris 9 a Buffer Overflow in the LDAP Name Service May Lead to
Unauthorized Root Access
Category: Security
Product: Solaris
BugIDs: 4830525
Avoidance: Workaround
State: Committed
Date Released: 26-Mar-2003
Date Closed:
Date Modified:
|
|
