__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Sun StorEdge Enterprise Storage Manager (ESM) 2.1 Vulnerability [Sun Alert ID: 57581] June 22, 2004 17:00 GMT Number O-166 ______________________________________________________________________________ PROBLEM: A vulnerability allowing local users to gain unauthorized root access has been identified in the StorEdge Enterprise Storage Manager (ESM) v2.1 products. PLATFORM: Solaris 8 Solaris 9 * Note: ESM versions 1.2 and 2.0 are not affected. ESM is not supported on the x86 platform. DAMAGE: If successfully exploited, a local user could gain unauthorized root access. SOLUTION: Remove the "ESMUser" role from all non-root users on the management station until the patch can be applied, or ... Apply patch 117367-01 or later to the StorEdge Enterprise Storage Manager version 2.1 ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. If the "ESMUser" role has not been assigned ASSESSMENT: to a non-root user, the user cannot successfully exploit this vulnerability and gain unauthorized root access. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-166.shtml ORIGINAL BULLETIN: http://sunsolve.sun.com/search/document.do?assetkey= 1-26-57581-1 ______________________________________________________________________________ [***** Start Sun Alert ID: 57581 *****] Sun(sm) Alert Notification Sun Alert ID: 57581 Synopsis: Systems With Sun StorEdge Enterprise Storage Manager 2.1 Installed May Allow an Unprivileged Local User to Gain Root Access Category: Security Product: Sun StorEdge Enterprise Storage Manager (ESM) BugIDs: 5033990 Avoidance: Workaround, Patch State: Resolved Date Released: 18-Jun-2004 Date Closed: 18-Jun-2004 Date Modified: 1. Impact A local unprivileged user may be able to gain unauthorized root access on systems with Sun StorEdge Enterprise Storage Manager (ESM) 2.1 installed. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform Sun StorEdge Enterprise Storage Manager (ESM) 2.1 (for Solaris 8 and Solaris 9) without patch 117367-01. This issue only occurs when a non-root user has been assigned the "ESMUser" role on the management station. (See the "Relief/Workaround" section below for information on how to determine if a user has been assigned the "ESMUser" role.) Note 1: ESM versions 1.2 and 2.0 are not affected by this issue. Note 2: ESM is not supported on the x86 platform. 3. Symptoms There are no predictable symptoms that would indicate the described issue has been exploited to gain unauthorized root access to the system. Solution Summary 4. Relief/Workaround Until patches can be applied, sites may want to remove the "ESMUser" role from all non-root users. To determine if a user has been assigned the "ESMUser" role, use the following command: # roles `logins -o | cut -f1 -d:` | grep ESMUser This command will list the output in the form of: : For example: # roles `logins -o | cut -f1 -d:` | grep ESMUser root : ESMUser ESMUser : No roles demo : ESMUser perf : ESMUser If "ESMUser" does not appear in the role list for any non-root username, then no further action is needed. However, if "ESMUser" does appear on the role list for a non-root username, remove it by running the following command: # /opt/SUNWstm/bin/esm_user -r Given the example above, the corresponding commands to run would be: # /opt/SUNWstm/bin/esm_user -r demo Removing ESMUser role from local user: demo ... Restarting name service cache daemon and smcwebserver... Restarting smcwebserver... Shutting down Sun(TM) Web Console Version 2.0.2... Starting Sun(TM) Web Console Version 2.0.2... See /var/log/webconsole/console_debug_log for server logging information # /opt/SUNWstm/bin/esm_user -r perf Removing ESMUser role from local user: perf ... Restarting name service cache daemon and smcwebserver... Restarting smcwebserver... Shutting down Sun(TM) Web Console Version 2.0.2... Starting Sun(TM) Web Console Version 2.0.2... See /var/log/webconsole/console_debug_log for server logging information Note: There is no need to run the "esm_user -r" command against the "ESMUser" username; only run it against other non-root usernames with "ESMUser" in their role list. 5. Resolution This issue is addressed in the following releases: SPARC Platform Sun StorEdge Enterprise Storage Manager 2.1 (for Solaris 8 and Solaris 9) with patch 117367-01 or later. This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. [***** End Sun Alert ID: 57581 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Sun Microsystems, Inc. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-156: Multiple Vulnerabilities in CVS O-157: Cisco CatOS Telnet, HTTP and SSH Vulnerability O-158: FTP Client Improperly handles Pipe Character in File Names O-159: NETGEAR WG602 Wireless Access Point Default Backdoor Account Vulnerability O-160: Microsoft Windows 2000 Advanced Server Security Bypass O-161: RealPlayer Security Vulnerabilities O-162: Red Hat Updated Tripwire Packages Fix Security Flaw O-163: Cisco IOS Malformed BGP Packet Causes Reload O-164: Red Hat Updated Kernel Packages Fix Security Vulnerabilities O-165: Red Hat Updated libpng Packages Fix Security Issue