FIN #: I0869-1
SYNOPSIS: Security issue with Sun Fire 280R/V880/V480 allows non-root users to
change LED state or fan speed
DATE: Sep/03/02
KEYWORDS: Security issue with Sun Fire 280R/V880/V480 allows non-root users to
change LED state or fan speed
---------------------------------------------------------------------
- Sun Proprietary/Confidential: Internal Use Only -
---------------------------------------------------------------------
FIELD INFORMATION NOTICE
(For Authorized Distribution by SunService)
SYNOPSIS: Security issue with Sun Fire 280R/V880/V480 allows non-root
users to change LED state or fan speed.
SunAlert: No
TOP FIN/FCO REPORT: No
PRODUCT_REFERENCE: The PICL* framework
PRODUCT CATEGORY: Software / Service
PRODUCTS AFFECTED:
Systems Affected:
-----------------
Mkt_ID   Platform   Model   Description     Serial Number
------   --------   -----   -----------     -------------
-        A35        ALL     Sun Fire 280R   -
-        A37        ALL     Sun Fire V880   -
-        A30        ALL     Sun Fire V480   -
X-Options Affected:
-------------------
Mkt_ID   Platform   Model   Description     Serial Number
------   --------   -----   -----------     -------------
-        -          -       -               -
PART NUMBERS AFFECTED:
Part Number   Description   Model
-----------   -----------   -----
-             -             -
REFERENCES:
BugId: 4625162 - Non root users can set volatile properties in psvc.
Patch: 110460: SunOS 5.8: fruid/PICL plug-ins patch.
URL: http://dtsw.eng.sun.com/dtos/proj/picl.html
PROBLEM DESCRIPTION:
A security issue exists for Sun Fire 280R, V480 and V880 servers where
a non-root user could change component LED states or control fan
speeds. Using a client PICL (Platform Information and Control
Library) program, a user could stop the fans on a server, which would
result in system overheating and shutdown.
Affected systems include any Sun Fire 280R, V480 or V880 system running
Solaris 8 without patch 110460 or later. Solaris 9 is not affected.
A knowledgeable user could write a PICL client program that controls
the LEDs on all three of the above platforms; on the Sun Fire V880,
the same user could also control the fans. If the user kept the fans
in a stopped state, the system temperature would rise, leading to
system shutdown.
PICL is a framework that allows PICL clients to access system
information. The PICL daemon (picld) requires root privileges to
start, but PICL client programs do not need root privileges to run.
PICL clients connect to the PICL daemon and can request information as
well as send change requests. The PICL plug-in, in this case PSVC,
should check each incoming request for appropriate permissions, but
this check is not performed on the affected platforms.
The solution for this issue is to check the EUID (Effective User ID) of
the PICL request and reject it if it is not root. This solution is
available in patch 110460 or later for Solaris 8. The fix has been
integrated into Solaris 9.
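The check described above, modelled in C as an added illustration (not Sun's PICL or PSVC source): the unchecked write path the FIN reports beside the patched path that rejects any write to a volatile property unless the client's EUID is root. The type names, result codes, request layout and the two-property table are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
/* Added illustration, not Sun's PICL or PSVC source. It models the decision
 * the FIN describes: a plug-in handling a client's write to a volatile
 * property (LED state, fan speed) must check the client's effective UID and
 * reject non-root writers. Type names and result codes are assumptions. */
enum { RES_OK = 0, RES_PERM_DENIED = -1, RES_NOT_FOUND = -2 };

typedef struct {
    uid_t       client_euid;  /* EUID of the client, as picld would learn it */
    const char *prop_name;
    int         value;
} write_request_t;

typedef struct {
    const char *name;
    int         value;        /* current hardware state, e.g. fan speed in % */
} volatile_prop_t;

/* Unpatched behaviour reported by the FIN: the write is applied without
 * looking at who sent it. */
int write_unchecked(volatile_prop_t *props, size_t n, const write_request_t *req)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(props[i].name, req->prop_name) == 0) {
            props[i].value = req->value;
            return RES_OK;
        }
    }
    return RES_NOT_FOUND;
}

/* Patched behaviour: the EUID check runs before any hardware state changes. */
int write_checked(volatile_prop_t *props, size_t n, const write_request_t *req)
{
    if (req->client_euid != 0)          /* only root may change LEDs or fans */
        return RES_PERM_DENIED;
    return write_unchecked(props, n, req);
}

/* Sends one fan-speed write down either path on a constructed two-property
 * table; returns the fan's resulting speed and stores the result code in *rc. */
int fan_after_write(int use_check, uid_t euid, int requested, int *rc)
{
    volatile_prop_t props[] = { { "Fan1 speed", 100 }, { "Fault LED", 0 } };
    write_request_t req = { euid, "Fan1 speed", requested };
    *rc = use_check ? write_checked(props, 2, &req) : write_unchecked(props, 2, &req);
    return props[0].value;
}
```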
IMPLEMENTATION:
   ---
  |   |   MANDATORY (Fully Proactive)
   ---
   ---
  |   |   CONTROLLED PROACTIVE (per Sun Geo Plan)
   ---
   ---
  | X |   REACTIVE (As Required)
   ---
CORRECTIVE ACTION:
The following recommendation is provided as a guideline for authorized
Sun Services Field Representatives who may encounter the above
mentioned problem.
1) As root, stop the PICL daemon on the affected system:
# /etc/init.d/picld stop
Note that stopping the PICL daemon results in the system operating
without the aid of the Environmental Monitoring software. It is safe
to do this for a short period of time.
2) Install Solaris 8 patch 110460 or later using the 'patchadd'
utility.
3) Start the PICL daemon:
# /etc/init.d/picld start
COMMENTS:
None.
============================================================================
Implementation Footnote:
i) In case of MANDATORY FINs, Enterprise Services will attempt to
contact all affected customers to recommend implementation of
the FIN.
ii) For CONTROLLED PROACTIVE FINs, Enterprise Services mission critical
support teams will recommend implementation of the FIN (to their
respective accounts), at the convenience of the customer.
iii) For REACTIVE FINs, Enterprise Services will implement the FIN as the
need arises.
----------------------------------------------------------------------------
All released FINs and FCOs can be accessed using your favorite network
browser as follows:
SunWeb Access:
--------------
* Access the top level URL of http://sdpsweb.ebay/FIN_FCO/
* From there, select the appropriate link to query or browse the FIN and
FCO Homepage collections.
SunSolve Online Access:
-----------------------
* Access the SunSolve Online URL at http://sunsolve.Corp/
* From there, select the appropriate link to browse the FIN or FCO index.
Internet Access:
----------------
* Access the top level URL of https://infoserver.Sun.COM
--------------------------------------------------------------------------
General:
--------
* Send questions or comments to finfco-manager@sdpsweb.EBay
--------------------------------------------------------------------------
Copyright (c) 1997-2003 Sun Microsystems, Inc.