A security vulnerability in the implementation of the RPCSEC_GSS API, which impacts applications utilizing this API (rpcsec_gss(3NSL)) such as the kadmind(1M) daemon, may allow execution of arbitrary commands. In the case of Kerberos Key Distribution Centers(KDC) (which run kadmind(1M)) an unprivileged and unauthenticated remote user may be able to execute arbitrary commands on the system with the privileges of the kadmind(1M) daemon (usually 'root').

In addition, on KDC systems this issue may allow the remote user to compromise the Kerberos key database or cause the affected program to crash, which is a form of Denial of Service (DoS).

This issue is referenced in the following documents:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt

CVE-2007-2442 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 126928-01
• Solaris 9 without patch 113318-31
• Solaris 10 without patch 123809-02

x86 Platform

• Solaris 8 without patch 126929-01
• Solaris 9 without patch 117468-17
• Solaris 10 without patch 126837-01

Note: This issue can only occur if a system is configured as a Kerberos Key Distribution Center (KDC).

To determine if a system is configured as a Kerberos Key Distribution Center (KDC) the following command can be run:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10        0:00 /usr/krb5/lib/kadmind

If (as in the above example) the kadmind(1M) daemon is running, then the machine is configured as a Kerberos Key Distribution Center (KDC) and may be vulnerable to this issue.

Note: The vulnerability described in CVE-2007-2443 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443) does not affect the Solaris implementation of the RPCSEC_GSS API.

There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.

There is no workaround for this issue. Please see the Resolution section below.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patch 126928-01 or later
• Solaris 9 with patch 113318-31 or later
• Solaris 10 with patch 123809-02 or later

x86 Platform

• Solaris 8 without patch 126929-01 or later
• Solaris 9 with patch 117468-17 or later
• Solaris 10 with patch 126837-01 or later

• Updated Contributing Factors and Resolution sections
• State: Resolved

This solution has no attachment