   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-60
Print Service Vulnerability in Solaris

Original Issue Date: May 15, 2008

Severity Rating: High

Systems Affected

  • Solaris 8
  • Solaris 9
  • Solaris 10

Overview

A vulnerability in the Solaris print service has been reported by Sun.
An unprivileged user may be able to run arbitrary code as root or create a Denial of Service (DoS) condition.

Description

A vulnerability has been reported in the print service of Sun and x86 Solaris. Due to insecure file creation, the lp print service
can be forced to create or overwrite arbitrary files with the privileges
of the lp user. This may allow a remote attacker to execute unspecified arbitrary code with root privileges. Repeated failed exploit attempts will result in a Denial of Service condition.
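The following is an added illustration of the general bug class named above (insecure file creation by a privileged service) and of the hardened pattern that prevents it; it is not Solaris lp code and not part of the original advisory. The advisory does not state the mechanism of the lp flaw, so the pre-placed symbolic link, the function names and the /tmp paths are assumptions chosen for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: follows a symlink and truncates whatever it points to. */
int create_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL refuses any existing name (symlinks included),
 * O_NOFOLLOW refuses a symlink in the final component, and fstat confirms
 * the descriptor is a regular file with a single link. */
int create_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink already sits at the name the service is
 * about to create. Returns 1 if the link's target kept its content. */
int victim_survives(int use_safe) {
    char dir[] = "/tmp/spooldemoXXXXXX";
    char victim[64], job[64], buf[8] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(job, sizeof job, "%s/job", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(victim, job) != 0) return -1;
    fd = use_safe ? create_safe(job) : create_unsafe(job);
    if (fd >= 0) close(fd);
    fd = open(victim, O_RDONLY);
    ssize_t n = (fd >= 0) ? read(fd, buf, sizeof buf - 1) : -1;
    if (fd >= 0) close(fd);
    unlink(job); unlink(victim); rmdir(dir);
    return n == 4 && memcmp(buf, "keep", 4) == 0;
}

int main(void) {
    printf("unsafe intact=%d safe intact=%d\n", victim_survives(0), victim_survives(1));
    return 0;
}
```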

Workaround

  • Disable the print service

Solutions

Apply the appropriate patches as recommended by the vendor:

Vendor Information

SUN
http://sunsolve.sun.com/search/document.do?assetkey=1-66-236884-1


References

SUN
http://sunsolve.sun.com/search/document.do?assetkey=1-66-236884-1


SecurityFocus
http://www.securityfocus.com/bid/29135
http://www.securityfocus.com/bid/29135/discuss

Secunia
http://secunia.com/advisories/30184/

CIAC
http://www.ciac.org/ciac/bulletins/h-56.shtml

FrSIRT
http://www.frsirt.com/english/advisories/2008/1473/references

CVE-Name
CVE-2008-2144

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003