[Sun] Vulnerability when using LDAP with RBAC - Sun Alert ID 57657

win-sec-ssc at dfn-cert.de win-sec-ssc at dfn-cert.de
Wed Oct 20 14:36:14 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

We have just received the following bulletin from the SUN Customer Warning
System. We are passing this information on to you unchanged.

The Lightweight Directory Access Protocol (LDAP) is used to access central
directories that hold, for example, information about accounts, users or
hosts.

Role Based Access Control (RBAC) allows a finer-grained distribution of
privileges than is usually the case under UNIX. Privileged functions can,
for example, be assigned to individual accounts instead of only the user
root being allowed to perform all functions.

   Vulnerability when using LDAP with RBAC

   There is a flaw in Solaris when Role Based Access Control (RBAC) is
   managed via LDAP. A local attacker can thereby execute commands with
   the privileges of root.

Where the RBAC rules are obtained from is determined via the Name Service
Switch (NSS). If the file /etc/nsswitch.conf contains the following
entries, LDAP is used:

   auth_attr: ldap files
   prof_attr: ldap files
   user_attr: ldap files

The following platforms are affected:

   SPARC Solaris 8 without patch 108993-38
   SPARC Solaris 9 without patch 112960-17
   x86 Solaris 8 without patch 108994-38
   x86 Solaris 9 without patch 114328-04

The vendor provides revised packages.

As a workaround, RBAC can also be configured using local files only. For
this, the file /etc/nsswitch.conf should not reference LDAP:

   auth_attr: files
   prof_attr: files
   user_attr: files

(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
    Andreas Bunten, DFN-CERT

- -- 
Andreas Bunten (CSIRT), DFN-CERT Services GmbH
https://www.dfn-cert.de/, +49 40 808077-617


      _________________________________________________________________

    Document Audience:   PUBLIC
    Document ID: 57657
    Title: Document ID 57657
    Synopsis: Security Vulnerability When Using LDAP In Conjunction With
    RBAC
    Update Date: 2004-10-18
      _________________________________________________________________

    Description
    Sun(sm) Alert Notification
      * Sun Alert ID: 57657
      * Synopsis: Security Vulnerability When Using LDAP In Conjunction
        With RBAC
      * Category: Security
      * Product: Solaris
      * BugIDs: 4966423
      * Avoidance: Patch, Workaround
      * State: Resolved
      * Date Released: 18-Oct-2004
      * Date Closed: 18-Oct-2004
      * Date Modified:

    1. Impact

    On systems where Lightweight Directory Access Protocol (LDAP, see
    ldap(1)) is used in conjunction with Role Based Access Control (RBAC,
    see rbac(5)), unprivileged local users may have the ability to
    execute certain commands with "superuser" (root) privileges.

    2. Contributing Factors

    This issue can occur in the following releases:

    SPARC Platform

      * Solaris 8 without patch 108993-38
      * Solaris 9 without patch 112960-17

    x86 Platform

      * Solaris 8 without patch 108994-38
      * Solaris 9 without patch 114328-04

    Notes:

     1. Systems are only impacted when using LDAP in conjunction with
        RBAC.
     2. Solaris 7 is not affected by this issue.

    This configuration can be determined by the RBAC related entries in
    the "/etc/nsswitch.conf" file, which will contain lines with one or
    more of the following type of entries:

     auth_attr: ldap files
     prof_attr: ldap files
     user_attr: ldap files

    3. Symptoms

    There are no predictable symptoms that would indicate the described
    issue has been exploited.

    Solution Summary

    4. Relief/Workaround

    To work around the described issue, configure the system to use
    "local" files instead of LDAP for RBAC configuration. RBAC related
    entries in the "/etc/nsswitch.conf" file should be modified as
    follows:

     auth_attr: files
     prof_attr: files
     user_attr: files

    Note: With this workaround, LDAP functionality will be disabled for
    the RBAC database and all RBAC related data will be queried from
    "local" files instead of through LDAP.
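The configuration check and the files-only workaround described in both the DFN-CERT summary and Sun's section 4 can be scripted. The following is an added example, not code from DFN-CERT or from Sun: three POSIX shell functions that detect whether any of the three RBAC databases in an nsswitch.conf file is served from ldap, rewrite such a file to the "files"-only form, and check showrev -p output for a required patch revision. The path to nsswitch.conf and the showrev(1M) line format "Patch: <id>-<rev> ..." are assumptions made here; the sample input in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the DFN-CERT summary or the Sun Alert): helpers a
# Solaris 8/9 administrator could use to (1) detect the affected nsswitch
# configuration, (2) emit the "files"-only workaround from Sun Alert 57657,
# and (3) check whether an installed patch meets the required revision.
# Assumptions: nsswitch.conf lives at /etc/nsswitch.conf and showrev -p
# prints one "Patch: <id>-<rev> ..." line per installed patch.

# rbac_uses_ldap FILE
# Prints every auth_attr/prof_attr/user_attr line in FILE whose source list
# names "ldap" (trailing comments and options such as [NOTFOUND=return] are
# ignored). Exit status 0 if at least one such line exists, 1 otherwise.
rbac_uses_ldap() {
    awk '
        /^[ \t]*(auth_attr|prof_attr|user_attr)[ \t]*:/ {
            srcs = $0
            sub(/#.*/, "", srcs)        # drop a trailing comment
            sub(/^[^:]*:/, "", srcs)    # drop the "database:" prefix
            n = split(srcs, src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "ldap") { print $0; found = 1; break }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# rbac_force_files FILE
# Writes FILE to stdout with the three RBAC databases pointed at local files
# only, as the relief/workaround prescribes. All other lines are untouched;
# redirect the output over a backed-up copy of /etc/nsswitch.conf.
rbac_force_files() {
    awk '
        /^[ \t]*(auth_attr|prof_attr|user_attr)[ \t]*:/ {
            db = $0
            sub(/[ \t]*:.*/, "", db)    # keep only the database name
            print db ": files"
            next
        }
        { print }' "$1"
}

# patch_at_least PATCHID-REV   (showrev -p output on stdin)
# Exit status 0 if the highest installed revision of PATCHID is >= REV,
# 1 otherwise (including when the patch is not installed at all).
patch_at_least() {
    base=${1%-*}
    need=${1#*-}
    awk -v base="$base" -v need="$need" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > best + 0) best = p[2] + 0
        }
        END { if (best + 0 >= need + 0) exit 0; exit 1 }'
}

# Usage on the host being assessed (runs only when invoked with "check"):
#   sh rbac_ldap_check.sh check
#   showrev -p | patch_at_least 108993-38   # SPARC Solaris 8, per section 5
if [ "${1:-}" = "check" ]; then
    if rbac_uses_ldap /etc/nsswitch.conf; then
        echo "RBAC databases are served from LDAP: Sun Alert 57657 applies"
    else
        echo "RBAC databases are not served from LDAP"
    fi
fi
```

The detection matches only the three databases the alert names and tolerates the option tokens and comments that nsswitch.conf(4) allows, so a "ldap [NOTFOUND=return] files" entry is still flagged; the rewrite deliberately leaves passwd, group and every other database alone, since the workaround disables LDAP only for the RBAC databases.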

    5. Resolution

    This issue is addressed in the following releases:

    SPARC Platform

      * Solaris 8 with patch 108993-38 or later
      * Solaris 9 with patch 112960-17 or later

    x86 Platform

      * Solaris 8 with patch 108994-38 or later
      * Solaris 9 with patch 114328-04 or later

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQEVAgUBQXZa+SgU04YpslABAQGqhQgAgX8TxEjOvXJFFGKup8cS1HPjHQSPUBiK
weYxuyTz6++Ug5Jsa1j07u9FbjFLqSZuRYR+sCVfaUAy1TZ+XEwyw9f0XjLYtYDm
sa8NTGwDc81g9X5vpVK7BPoaDMfDOZarLI5fO6qiFNcEKr1lxnnujyxqUUlCfHMT
2hEZm1qLfybFokiWdfPpzPudvCvSi5/7ls6XJDeut+FX9N4vSLAQdGrjxNga0M6U
ev4+nveGFnmqqvKwmpbj975gqA3G/Sd71+79mwtAvGZxgPfxL6w4Iumi+4XUZBR3
uh0JhCR295XmBDwXlqjRdb7DHVE9dqBHNnM/nhzH1S045MmLwCGtnw==
=8xX3
-----END PGP SIGNATURE-----
