Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-77-1018965.1
Update Date:2012-07-26
Keywords:

Solution Type  Sun Alert Sure

Solution  1018965.1 :   Some Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration  


Related Items
  • Sun SPARC Enterprise T5220 Server
  •  
  • Sun SPARC Enterprise T5120 Server
  •  
Related Categories
  • PLA-Support>Sun Systems>Sun_Other>Sun Collections>SN-OTH: Sun Alert
  •  
  • .Old GCS Categories>Sun Microsystems>Sun Alert>Release Phase>Resolved
  •  

PreviouslyPublishedAs
231244


Product
Sun SPARC Enterprise T5120 Server
Sun SPARC Enterprise T5220 Server

Date of Resolved Release
12-Feb-2008

***Checked for relevance on 26-Jul-2012***

1. Impact

Sun SPARC Enterprise T5120 and T5220 servers with datecode prior to BEL07480000 have been mistakenly shipped with factory settings in the pre-installed Solaris 10 OS image. These settings may allow a local or remote user to be able to execute arbitrary commands with the privileges of the root (uid 0) user.

(To determine if your systems are affected by this issue please look for the changed parameters and extra files listed in the Contributing Factors section below).

2. Contributing Factors

This issue can occur on the following platforms:
  • Sun SPARC Enterprise T5120 and T5220 Servers with datecode prior to BEL07480000
Note: Systems are only impacted by this issue if they have an incorrect factory image installed.

To determine the datecode on the T5120 or T5220, use either "Lights Out Management" (LOM) or prtdiag(1M) commands:

    ILOM CLI:  > show /SYS/
    ALOM CLI:  sc> showplatform
    prtdiag -v

To determine if an incorrect factory image of Solaris 10 has been installed on a system and if the system is affected by this issue, the following items can be reviewed:

A. Remote logins are enabled for the root user which is indicated by the CONSOLE entry in /etc/default/login beginning with a hash sign (#):
    $ grep CONSOLE= /etc/default/login
#CONSOLE=/dev/console
B. The sshd(1M) daemon is configured to allow the root user to login using ssh(1) which is indicated by the 'PermitRootLogin' entry in sshd_config(4) being set to 'yes':
    $ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
C. A profile(4) file for the root user will exist and have the 'PS1' environment variable set to a value of 'ROOT>' and the 'LOGDIR' environment variable will be set to '/export/home/utslog':
    $ egrep 'PS1|LOGDIR' /.profile
PS1='ROOT>'
LOGDIR='/export/home/utslog'
export LOGDIR
D.  Extra files and directories will exist on the system which are not part of a default install of Solaris 10:

    Files:
   /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1
/etc/opt/SUNWvts/sunvts.conf
/opt/SUNWvts/bin/conf/iobus.cfg
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1

    Directories:
   /opt/SUNWt1tsk
/export/Nebula

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

Systems which are affected by this issue can modify the factory settings to no longer be insecure by performing the following steps as the root user:

For item A, modify the CONSOLE entry in the /etc/default/login file to no longer begin with a hash (#).

For item B, modify the PermitRootLogin entry in the /etc/sshd/sshd_config file from 'yes' to 'no' and then signal the sshd(1M) daemon to reread its configuration file using svcadm(1M):
    # svcadm restart svc:/network/ssh:default
For item C, the following lines can be removed from the /.profile file:
    PS1='ROOT>'
LOGDIR='/export/home/utslog'
export LOGDIR
For item D, the following files and directories can be removed using the rm(1) command:
    # /bin/rm /var/opt/SUNWvts/options/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1 /etc/opt/SUNWvts/sunvts.conf /opt/SUNWvts/bin/conf/iobus.cfg \
/export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Func_v1.2 /export/home/bin/Huron_P2_PPA_VTS_6.4ps1_Excl_v1.1

# /bin/rm -f /opt/SUNWt1tsk /export/Nebula

5. Resolution

Sun SPARC Enterprise T5120 and T5220 servers with datecode BEL07480000 and later ship with the correct Solaris 10 image. The resolution for systems affected by this issue are to follow the steps outlined in the "Workaround" section above.

Modification History:
12-Feb-2008: Document released
26-Jul-2012: Maintenance check for relevance/currency, no change in content


Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.
 Feedback