Note to Sun Solaris users: Do you know who's been in your directory?
Two new vulnerabilities have been discovered in Sun Solaris since last Wednesday that could enable unauthorized users to play in the operating system's directory.
Last Thursday, Sun quietly published an alert that a flaw in the Solaris 9 in.ftpd server may allow unprivileged users access to directories outside of their home directory or to log in with their home directory set to "/". Sun offered a workaround to disable the affected application process, but a final patch has not yet been developed.
Sun's reported vulnerability applies only to Solaris 9 -- Solaris 8 and 10 are not affected. But on the day before Sun issued its alert, the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) reported a flaw in directory security that applies to all three versions of the Sun OS.
The CIAC report states that a user might be able to gain unauthorized administrative access to Sun's Java System Directory Server 5.2 by simply logging in to the Directory Server console. The problem is considered to be low danger, because it can be quickly resolved by quickly changing administrative passwords on the directory server.
Experts say the vulnerabilities shouldn't be taken lightly, especially because Solaris is often seen as a "safe" OS and is frequently used in financial and other mission-critical systems. "This showcases that even the most secure platforms have exposures -- and often, it takes some time to discover them," says Rob Enderle, principal analyst at Enderle Group, an IT consultancy.
Sun also is taking a chance by issuing an alert on a vulnerability that hasn't yet been permanently patched, Enderle observes. An alert such as Sun's "makes it a race between those who need to correct the problem and those who want to take advantage of it. Firms like Sun have no real choice right now but to disclose problems in this way, but, in the future, we need a better way to do the notification so that it doesn't become a catalyst for successful exploits."
The directory vulnerabilities aren't the only flaws that have been discovered in Solaris this month. On May 9, the Australian Computer Emergency Response Team reported that a problem in the "libike" library of Solaris 9 and Solaris 10 could allow a remote user to make a denial-of-service attack on Sun servers by crashing the in.iked daemon. Sun released patches for both operating systems to close the hole.
Tim Wilson, Site Editor, Dark Reading
Organizations mentioned in this story