Document fins/I0869-1


FIN #: I0869-1

SYNOPSIS: Security issue with Sun Fire 280R/V880/V480 allows non-root users to
          change LED state or fan speed

DATE: Sep/03/02

KEYWORDS: Security issue with Sun Fire 280R/V880/V480 allows non-root users to
          change LED state or fan speed


---------------------------------------------------------------------
- Sun Proprietary/Confidential: Internal Use Only -
---------------------------------------------------------------------  
                            FIELD INFORMATION NOTICE
                  (For Authorized Distribution by SunService)

           

SYNOPSIS: Security issue with Sun Fire 280R/V880/V480 allows non-root
          users to change LED state or fan speed.
      

SunAlert:           No

TOP FIN/FCO REPORT: No 
  
PRODUCT_REFERENCE:  The PICL* framework 
 
PRODUCT CATEGORY:   Software / Service


PRODUCTS AFFECTED:  

Systems Affected:
-----------------  
Mkt_ID      Platform   Model   Description          Serial Number
------      --------   -----   -----------          -------------
  -           A35       ALL    Sun Fire 280R              -
  -           A37       ALL    Sun Fire V880              -
  -           A30       ALL    Sun Fire V480              -


X-Options Affected:
-------------------
Mkt_ID        Platform   Model   Description        Serial Number
------        --------   -----   -----------        -------------
  -              -         -          -                   -


PART NUMBERS AFFECTED: 

Part Number   Description           Model
-----------   -----------           -----
     -             -                  -


REFERENCES:

BugId: 4625162 - Non root users can set volatile properties in psvc.

Patch: 110460: SunOS 5.8: fruid/PICL plug-ins patch.

URL:   http://dtsw.eng.sun.com/dtos/proj/picl.html
 
     
PROBLEM DESCRIPTION:

A security issue exists for Sun Fire 280R, V480 and V880 servers where
a non-root user could change component LED states or control fan
speeds.  By using a client PICL (Platform Information and Control
Library) program, a user could stop the fans on a server which would
result in system overheating and shutdown.

Affected systems include any Sun Fire 280R, V480 or V880 system running
Solaris 8 without patch 110460 or later.  Solaris 9 is not
affected.

A knowledgeable user could write a PICL client program that controls the
LEDs on all three of the above platforms.  On the Sun Fire V880, such a
user could also control the fans.  If the fans were kept in a stopped
state, the system temperature would rise, leading to system shutdown.

PICL is a framework that allows PICL clients to access system
information.  The PICL daemon (picld) requires root privileges to start.
However, PICL client programs do not need root privileges to run.  PICL
clients connect to the PICL daemon and can both query information and
send requests that set properties.  The PICL plugin, in this case PSVC,
should check each incoming request for appropriate permissions, but this
check is not performed on the affected platforms.

The solution for this issue is to check the EUID (Effective User ID) of
the PICL request and reject it if it is not root.  This solution is
available in patch 110460 or later for Solaris 8.  The fix has been
integrated into Solaris 9.
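The following is an added illustration, not Sun's PICL/PSVC code: a model of
a root-privileged daemon handling property requests, with the unpatched
handler beside the patched one that rejects writes to volatile properties
(LED state, fan speed) unless the requester's EUID is root.  The type names,
property names and return codes are hypothetical.

```c
/* Added model of the PICL/PSVC authorization fix; names are hypothetical,
 * not the real libpicl or PSVC plugin API. */
#include <string.h>
#include <sys/types.h>

enum { PICL_OK = 0, PICL_NOTFOUND = 1, PICL_PERMDENIED = 2 };
typedef enum { REQ_READ, REQ_WRITE } req_type_t;
typedef enum { PROP_INFO, PROP_VOLATILE } prop_class_t;  /* volatile: LED state, fan speed */

typedef struct { const char *name; prop_class_t cls; int value; } psvc_prop_t;
/* client_euid is the credential of the connecting client, not of the daemon itself */
typedef struct { req_type_t type; const char *prop; int value; uid_t client_euid; } picl_req_t;

/* Constructed sample property tree served by the daemon */
static psvc_prop_t props[] = {
    { "temperature-sensor-0", PROP_INFO,     42   },
    { "cpu0-fan-speed",       PROP_VOLATILE, 3000 },
    { "system-led-state",     PROP_VOLATILE, 1    },
};

static psvc_prop_t *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof props / sizeof props[0]; i++)
        if (strcmp(props[i].name, name) == 0) return &props[i];
    return NULL;
}

/* Unpatched behaviour: any client that can reach the daemon may write volatile properties. */
int handle_request_unpatched(const picl_req_t *r, int *out)
{
    psvc_prop_t *p = lookup(r->prop);
    if (p == NULL) return PICL_NOTFOUND;
    if (r->type == REQ_WRITE) p->value = r->value;
    *out = p->value;
    return PICL_OK;
}

/* Patched behaviour: a write to a volatile property is honoured only when the requester's
 * EUID is root.  The daemon runs as root, so checking its own geteuid() would always pass;
 * the decision has to be made on the client's credentials carried with the request. */
int handle_request_patched(const picl_req_t *r, int *out)
{
    psvc_prop_t *p = lookup(r->prop);
    if (p == NULL) return PICL_NOTFOUND;
    if (r->type == REQ_WRITE && p->cls == PROP_VOLATILE && r->client_euid != 0)
        return PICL_PERMDENIED;
    if (r->type == REQ_WRITE) p->value = r->value;
    *out = p->value;
    return PICL_OK;
}
```

Reads remain open to unprivileged clients in both versions; only the write path to volatile properties changes.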


IMPLEMENTATION: 

         ---
        |   |   MANDATORY (Fully Proactive)
         ---    
         
  
         ---
        |   |   CONTROLLED PROACTIVE (per Sun Geo Plan) 
         --- 
         
                                
         ---
        | X |   REACTIVE (As Required)
         ---


CORRECTIVE ACTION:

The following recommendation is provided as a guideline for authorized
Sun Services Field Representatives who may encounter the above
mentioned problem.

   1) As root, stop the PICL daemon on the affected system:

      # /etc/init.d/picld stop
         
      Note that stopping the PICL daemon results in the system operating 
      without the aid of the Environmental Monitoring software.  It is safe
      to do this for a short period of time.
   
   2) Install Solaris 8 patch 110460 or later using the 'patchadd'
      utility.

   3) Start the PICL daemon:

      # /etc/init.d/picld start


COMMENTS:  

None.

============================================================================

Implementation Footnote:

i)   In case of MANDATORY FINs, Enterprise Services will attempt to    
     contact all affected customers to recommend implementation of 
     the FIN. 
   
ii)  For CONTROLLED PROACTIVE FINs, Enterprise Services mission critical    
     support teams will recommend implementation of the FIN  (to their  
     respective accounts), at the convenience of the customer. 

iii) For REACTIVE FINs, Enterprise Services will implement the FIN as the   
     need arises.
----------------------------------------------------------------------------
All released FINs and FCOs can be accessed using your favorite network 
browser as follows:
 
SunWeb Access:
-------------- 
* Access the top level URL of http://sdpsweb.ebay/FIN_FCO/

* From there, select the appropriate link to query or browse the FIN and
  FCO Homepage collections.
 
SunSolve Online Access:
-----------------------
* Access the SunSolve Online URL at http://sunsolve.Corp/

* From there, select the appropriate link to browse the FIN or FCO index.

Internet Access:
----------------
* Access the top level URL of https://infoserver.Sun.COM
--------------------------------------------------------------------------
General:
--------
* Send questions or comments to finfco-manager@sdpsweb.EBay
--------------------------------------------------------------------------


Copyright (c) 1997-2003 Sun Microsystems, Inc.