
Sun Solaris SAdmin Client Credentials Remote Administrative Access Vulnerability

Risk
High

Date Discovered
09-16-2003

Description
A problem has been discovered in the Sun Solaris sadmin service. Because of this issue, it may be possible for a remote user to gain unauthorized administrative access.

The problem is in the handling of authentication credentials. sadmin does not properly validate credentials supplied by the sadmin client. Because of this, an attacker could supply a spoofed hostname and domain while accessing the service, circumventing any access restrictions the service may have in place.

It should be noted that the sadmin service is enabled by default.

It has been reported that an exploit for this vulnerability exists in the wild.

Symantec Gateway Security
An update for Symantec Gateway Security to detect attempts to exploit this vulnerability is available. Symantec Gateway Security users should run LiveUpdate to ensure protection against this threat.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for more information.

Symantec Managed Security Services
Symantec customers are not affected (this service has been disabled as a part of baseline). As our 24x7 monitoring continues, we will be paying close attention to this issue, and providing signature support.

Symantec ManHunt 3.0
Users of Symantec ManHunt 3.0 can update to the latest Security Update to detect attempts to exploit this vulnerability. Click here for more information.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager™ posted a Response Policy that detects and reports this vulnerability. Click here for the advisory released September 17, 2003.

Components Affected
Sun Solaris 2.6.0
Sun Solaris 2.6.0 _x86
Sun Solaris 7.0.0
Sun Solaris 7.0.0 _x86
Sun Solaris 8.0.0
Sun Solaris 8.0.0 _x86
Sun Solaris 9.0.0
Sun Solaris 9.0.0 _x86

Recommendations
Block external access at the network boundary, unless the service is required by external parties. Network traffic of questionable integrity should be filtered at border routers and network firewalls. Traffic not explicitly authorized to specific services should be filtered by default.

Deploy network intrusion detection systems to monitor network traffic for malicious activity. Use network intrusion detection systems to monitor and identify anomalous network activity. Investigate reports of attempted attacks.

A temporary workaround is to disable the sadmin service if it is not required. The sadmin service may be disabled by commenting the service out of the inetd.conf configuration file, and restarting inetd.
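The workaround above, carried out as a script, is added here as an example and is not part of the Symantec advisory. It assumes the Solaris daemon name sadmind, its RPC program number 100232 and the file path /etc/inet/inetd.conf, none of which the advisory states; the sample inetd.conf fragment below is constructed for offline demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): disable the sadmin (sadmind) service
# by commenting its entry out of an inetd.conf file, then have inetd reload.

# Comment out every active (uncommented) line that launches sadmind.
# The file is rewritten via a temp copy so a failed sed never truncates it.
disable_sadmind() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed '/^[^#].*sadmind/s/^/#/' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return 0 (true) if an uncommented sadmind entry is still present.
sadmind_active() {
    grep -q '^[^#].*sadmind' "$1"
}

# Constructed sample fragment, not a real Solaris file (assumed layout:
# RPC program number/version, endpoint type, protocol, wait flag, user, server, args).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample inetd.conf fragment
telnet      stream  tcp      nowait  root  /usr/sbin/in.telnetd  in.telnetd
100232/10   tli     rpc/udp  wait    root  /usr/sbin/sadmind     sadmind
EOF

if sadmind_active "$SAMPLE_CONF"; then
    echo "sadmind is enabled in $SAMPLE_CONF; disabling"
    disable_sadmind "$SAMPLE_CONF"
fi
if sadmind_active "$SAMPLE_CONF"; then
    echo "sadmind still active" >&2
else
    echo "sadmind entry commented out:"
    grep sadmind "$SAMPLE_CONF"
fi
rm -f "$SAMPLE_CONF"

# On a live Solaris host (as root), the same steps would be:
#   disable_sadmind /etc/inet/inetd.conf && pkill -HUP inetd
# and afterwards `rpcinfo -p localhost | grep 100232` should print nothing,
# confirming sadmind is no longer registered with the portmapper.
```

The sed pattern only touches lines that are not already comments, so running the script twice is harmless, and the telnet line in the sample is left exactly as it was.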

Sun has released an advisory regarding this issue, and supplied specific details on securing a vulnerable system until a fix is released. See the referenced advisory for additional details.

Resources
iDEFENSE Security Advisory 09.16.03 (iDefense)
http://www.idefense.com/advisory/09.16.03.txt

Sun Alert ID: 56740 (Sun Microsystems)
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740

Credit
Discovery credited to Mark Zielinski.