
RPC Solaris sadmind Weak Auth Req

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects calls to the sadmind RPC service (program number 100232) that carry an action request with weak (AUTH_UNIX, also known as AUTH_SYS) credentials instead of strong (AUTH_DES) credentials.

Additional Information

Solaris is the Unix operating system variant maintained and distributed by Sun Microsystems.

A problem has been discovered in the Sun Solaris sadmind service, the daemon that handles Solstice AdminSuite administration requests over RPC. Because of this issue, a remote attacker may be able to gain unauthorized administrative (root) access, since sadmind runs as root.

The problem is in the handling of authentication credentials. At its default security level, sadmind accepts AUTH_UNIX credentials, which consist only of a client-asserted hostname, user ID and group IDs with no cryptographic proof of origin, and it does not properly validate them. Because of this, an attacker can supply a spoofed hostname and domain (for example the target's own name) together with a privileged user ID while accessing the service, circumventing any access restrictions the service may have in place.
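The following is an added example, not code from the Symantec page or from Sun: it encodes an ONC RPC CALL to sadmind (program 100232, version 10, matching the inetd.conf entry) that carries AUTH_UNIX credentials, then decodes the header the way a signature for this event would and flags the call when the credential flavor is AUTH_UNIX. The wire layout follows RFC 1057/5531 (XDR, big-endian). The hostname, uid, xid and procedure number in the samples are constructed values, and the AUTH_DES sample only sets the flavor, not a real AUTH_DES credential body.

```python
"""Added example, not part of the Symantec page or Sun's code: encode an ONC RPC
CALL to sadmind (program 100232, version 10) with AUTH_UNIX credentials and decode
the header the way a signature for this event would.  Wire layout per RFC 1057/5531
(XDR, big-endian).  Sample hostname, uid, xid and procedure number are constructed."""
import struct

SADMIND_PROG = 100232
SADMIND_VERS = 10
RPC_CALL, RPC_VERS = 0, 2
AUTH_NULL, AUTH_UNIX, AUTH_SHORT, AUTH_DES = 0, 1, 2, 3
FLAVOR_NAMES = {AUTH_NULL: "AUTH_NULL", AUTH_UNIX: "AUTH_UNIX",
                AUTH_SHORT: "AUTH_SHORT", AUTH_DES: "AUTH_DES"}


def xdr_u32(n):
    return struct.pack(">I", n)


def xdr_opaque(data):
    # Variable-length opaque: 4-byte length, the bytes, zero padding to a 4-byte boundary.
    return xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


def auth_unix_body(machinename, uid, gid, gids=(), stamp=0):
    # AUTH_UNIX credential body: stamp, machinename, uid, gid, gids[].
    # Nothing here is signed; the client simply asserts the hostname and uid.
    body = xdr_u32(stamp) + xdr_opaque(machinename.encode()) + xdr_u32(uid) + xdr_u32(gid)
    return body + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids)


def rpc_call(xid, prog, vers, proc, cred_flavor, cred_body, args=b""):
    # RPC CALL header: xid, msg_type, rpcvers, prog, vers, proc, cred, verf, then args.
    header = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERS, prog, vers, proc)
    cred = xdr_u32(cred_flavor) + xdr_opaque(cred_body)
    verf = xdr_u32(AUTH_NULL) + xdr_opaque(b"")   # AUTH_UNIX calls carry a null verifier
    return header + cred + verf + args


def parse_call(msg):
    """Decode the RPC CALL header and, for AUTH_UNIX, the asserted machinename/uid/gid."""
    if len(msg) < 32:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", msg[:24])
    if msg_type != RPC_CALL or rpcvers != RPC_VERS:
        return None
    flavor, cred_len = struct.unpack(">II", msg[24:32])
    cred_body = msg[32:32 + cred_len]
    info = {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "cred_flavor": flavor}
    if flavor == AUTH_UNIX and len(cred_body) >= 8:
        _stamp, namelen = struct.unpack(">II", cred_body[:8])
        name_end = 8 + namelen
        info["machinename"] = cred_body[8:name_end].decode("ascii", "replace")
        ids_at = name_end + (-namelen) % 4          # skip XDR padding after the name
        info["uid"], info["gid"] = struct.unpack(">II", cred_body[ids_at:ids_at + 8])
    return info


def classify(msg):
    """Return the event a detector would raise for this message, or None if not sadmind."""
    info = parse_call(msg)
    if info is None or info["prog"] != SADMIND_PROG:
        return None
    if info["cred_flavor"] == AUTH_UNIX:
        return ("RPC Solaris sadmind Weak Auth Req: AUTH_UNIX machinename=%r uid=%d gid=%d"
                % (info["machinename"], info["uid"], info["gid"]))
    return "sadmind call with %s credentials: not flagged" % FLAVOR_NAMES.get(
        info["cred_flavor"], str(info["cred_flavor"]))


# Constructed sample: a request to sadmind asserting the target's own hostname and uid 0.
WEAK_CALL = rpc_call(0x1234, SADMIND_PROG, SADMIND_VERS, 1,
                     AUTH_UNIX, auth_unix_body("victim", uid=0, gid=0))
# Constructed sample with the AUTH_DES flavor; the body is a placeholder, not a real
# AUTH_DES credential, since only the flavor matters to the classifier.
STRONG_CALL = rpc_call(0x1235, SADMIND_PROG, SADMIND_VERS, 1, AUTH_DES, b"\0" * 12)

if __name__ == "__main__":
    print(classify(WEAK_CALL))
    print(classify(STRONG_CALL))
```

The classifier keys on the credential flavor and program number alone, which is also why the signature fires on legitimate traffic when sadmind runs at its default level: an AUTH_UNIX call from a real administrator is byte-for-byte indistinguishable from a spoofed one.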

It should be noted that sadmind is enabled by default on the affected releases and, unless configured otherwise, runs at the default security level that accepts AUTH_UNIX credentials.

Affected

  • Sun Solaris 2.6, 2.6_x86, 7.0, 7.0_x86, 8.0, 8.0_x86, 9.0, 9.0_x86
  • Sun Trusted Solaris 7.0, 7.0 x86, 8.0, 8.0 x86

Response

Sun recommends the following workaround in the Alert:

To work around this issue, either disable sadmind(1M) on the affected systems or enable strong (AUTH_DES) authentication by adding "-S 2" to the sadmind(1M) entry in the inetd.conf(4) file.

To disable sadmind(1M) on a Solaris system, do the following:

1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line as follows:

#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:

# /usr/bin/pkill -HUP inetd

To enable strong (AUTH_DES) authentication for sadmind(1M) on a Solaris system, do the following:

1. Edit the "/etc/inetd.conf" file and append "-S 2" to the end of the sadmind line as follows:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:

# /usr/bin/pkill -HUP inetd
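As an added example (not part of Sun's Alert or the Symantec page), the following audits an inetd.conf for the sadmind entry and reports whether it is disabled (commented out), already running with "-S 2", or still at the weak default; harden_inetd_conf() applies the "-S 2" change from the procedure above to the file text. The sample inetd.conf fragment is constructed. Accepting the joined form "-S2" as equivalent to "-S 2" is an assumption about getopt-style option parsing, not something the Alert states.

```python
"""Added example, not part of the Symantec page or Sun's tooling: audit an
inetd.conf for the sadmind entry (disabled / strong / weak) and apply the
"-S 2" workaround.  The sample file content is constructed."""

SADMIND_RPC_PREFIX = "100232/"   # program/version field of the sadmind entry


def _is_sadmind_entry(fields):
    # inetd.conf RPC entries: prog/vers endpoint rpc/proto wait user server [args...]
    return len(fields) >= 6 and (fields[0].startswith(SADMIND_RPC_PREFIX)
                                 or fields[5].endswith("/sadmind"))


def has_strong_auth(args):
    """True if the server arguments request security level 2 ("-S 2", or "-S2", assumed)."""
    for i, arg in enumerate(args):
        if arg == "-S2":
            return True
        if arg == "-S" and i + 1 < len(args) and args[i + 1] == "2":
            return True
    return False


def audit_inetd_conf(text):
    """Return (line_number, status, line) for every sadmind entry found.

    status is one of "disabled", "strong" or "weak"."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        commented = stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        if not _is_sadmind_entry(fields):
            continue
        if commented:
            status = "disabled"
        elif has_strong_auth(fields[6:]):
            status = "strong"
        else:
            status = "weak"
        findings.append((lineno, status, raw))
    return findings


def harden_inetd_conf(text):
    """Append " -S 2" to each active sadmind entry that lacks it; leave other lines as-is.

    After writing the result back to /etc/inetd.conf, inetd must be sent SIGHUP
    (pkill -HUP inetd) for the change to take effect."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if (_is_sadmind_entry(fields) and not raw.lstrip().startswith("#")
                and not has_strong_auth(fields[6:])):
            raw = raw.rstrip() + " -S 2"
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample inetd.conf fragment: one weak sadmind entry among unrelated services.
SAMPLE_INETD_CONF = """\
ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/in.ftpd\tin.ftpd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
"""

if __name__ == "__main__":
    for lineno, status, line in audit_inetd_conf(SAMPLE_INETD_CONF):
        print("line %d: %s: %s" % (lineno, status, line))
    print(harden_inetd_conf(SAMPLE_INETD_CONF), end="")
```

Run the audit against the real /etc/inetd.conf before and after the change, and remember that editing the file alone does nothing until inetd re-reads it.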

Possible False Positives

In environments where sadmind runs at its default security level, this signature will trigger on legitimate administrative traffic as well, because the detector sees only the AUTH_UNIX credential flavor and cannot tell a genuine request from a spoofed one. Such an event still indicates that the system is vulnerable to the Solaris sadmind Spoofed Credentials attack, since the daemon is accepting weak credentials.