Document Audience: PUBLIC
Document ID: 102657
Title: Security Vulnerability With RSA Signature Affects the Sun Secure Global Desktop Software
Copyright Notice: Copyright © 2006 Sun Microsystems, Inc. All Rights Reserved
Update Date: Fri Oct 06 00:00:00 MDT 2006
Status: Issued

Preliminary Sun(sm) Alert Notification

This is a preliminary Sun Alert notification. Sun provides these notices in an effort to allow customers to implement mitigation strategies while these issues are being investigated. The information contained in these documents is likely to change as more is learned about the applicable issues. At the time of publication, workarounds and/or final resolutions are not available for the issues. Preliminary Sun Alert notifications will be updated as more information becomes available.

    * Sun Alert ID: 102657
    * Synopsis: Security Vulnerability With RSA Signature Affects the Sun Secure Global Desktop Software
    * Category: Security
    * Product: Sun Secure Global Desktop Software 4.2
    * BugIDs: 6469123
    * Avoidance: None
    * State: Preliminary
    * Date Released: 06-Oct-2006
    * Date Closed:
    * Date Modified:

1. Impact

The Sun Secure Global Desktop (SSGD) software is impacted by an RSA signature forgery vulnerability. This vulnerability may allow an untrusted server to present a forged identity to clients connecting to that server when secure connections are in use.

This vulnerability may also affect SSGD servers which are configured to use web server authentication and client certificates. Under these circumstances, it may be possible for a local or remote unprivileged user to forge a valid identity and log in to an SSGD server, allowing unauthorized access to the applications available for that identity.

This issue is also described in the following documents:

CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

Note: The issue described in this Sun Alert is specific to Sun Secure Global Desktop Software. Multiple Sun products are affected by this issue; for more details please see Sun Alert 102648 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

    * Sun Secure Global Desktop Software 4.2 (for Solaris 8, 9, and 10)

x86 Platform

    * Sun Secure Global Desktop Software 4.2 (for Solaris 10)

Linux Platform

    * Sun Secure Global Desktop Software 4.2

Note: Sun Secure Global Desktop Software 4.2 is not supported on Solaris 8 or Solaris 9 for the x86 platform.

To determine the version of the Sun Secure Global Desktop Software running on a system, the following command can be executed on the Sun Secure Global Desktop server:

    $ <INSTALL_DIR>/bin/tarantella version
    Sun Secure Global Desktop Software for SPARC Solaris 2.8+ (4.20.983)
    Architecture code: spso0510
    This host: SunOS <SERVER NAME> 5.10 Generic_118822-25 sun4v sparc SUNW,Sun-Fire-T2000
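
For triage across several servers, the version output above can be classified with a small script. This is an added example, not part of the Sun Alert or of the SSGD software; the function names are hypothetical, and it assumes that a build number of the form 4.20.N (as in the sample output) identifies release 4.2.

```shell
#!/bin/sh
# Added example: classify captured `tarantella version` output against
# the release named in Sun Alert 102657.
# Assumption: build numbers 4.20.N belong to release 4.2, as in the
# sample output shown in the alert.

# Print the dotted build number found in parentheses on the first line.
ssgd_build() {
    sed -n '1s/.*(\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)).*/\1/p'
}

# Read version output on stdin and print a verdict.
# Returns 0 = release named in the alert, 1 = release not named in the
# alert, 2 = output could not be parsed (check the host by hand).
ssgd_check() {
    build=$(ssgd_build)
    case "$build" in
        4.20.*) echo "AFFECTED build=$build (Sun Alert 102657)"; return 0 ;;
        "")     echo "UNKNOWN could not parse version output"; return 2 ;;
        *)      echo "NOT-LISTED build=$build"; return 1 ;;
    esac
}

# Constructed sample input, copied from the output format in the alert.
SAMPLE='Sun Secure Global Desktop Software for SPARC Solaris 2.8+ (4.20.983)
Architecture code: spso0510'

# On a server, pipe the real command instead of the sample:
#   <INSTALL_DIR>/bin/tarantella version | ssgd_check
printf '%s\n' "$SAMPLE" | ssgd_check
```

A NOT-LISTED verdict only means the build is outside the release named in this alert; Sun Alert 102648 covers other affected Sun products.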

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to gain unauthorized access to a system.

4. Relief/Workaround

There is currently no workaround for this issue.

5. Resolution

A final resolution is pending completion.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102657-1


_______________________________________________
SGD-Users mailing list
SGD-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sgd-users
