A Security Vulnerability in Sun Virtual Desktop Infrastructure (VDI) Software 3.0 may Lead to Unauthorized Access to the VirtualBox Web Service
Category: Security Release Phase: Resolved Bug Id: 6880209 Product: Sun Virtual Desktop Infrastructure (VDI) Software 3.0 Date of Resolved Release: 03-Nov-2009 A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0 ... see below 1. Impact A security vulnerability in the Sun Virtual Infrastructure (VDI) 3.0 authentication mechanism may allow remote unprivileged users to gain unauthorized access to the VirtualBox web service. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform Sun VDI Software 3.0 (for Solaris 10) without patch 141481-03 and using VirtualBox 2.0.8 or 2.0.10 x86 Platform Sun VDI Software 3.0 (for Solaris 10) without patch 141482-03 and using VirtualBox 2.0.8 or 2.0.10 Note 1: Sun VDI 2.0 does not provide integration with VirtualBox and therefore is not impacted by this issue. To determine the version of Sun VDI Software on a system, the following command can be run: $ pkgparam SUNWvda-service VERSION 3.0_71,REV=2009.03.11.11.27 Note 2: This issue is only present in Sun VDI 3.0 configurations using VirtualBox desktop providers. To determine the type of desktop providers configured for Sun VDI 3.0, the following command can be run: # /opt/SUNWvda/sbin/vda provider-list | grep -i VirtualBox <ProviderName> Sun VirtualBox 5 0 1% (155 MHz) 13% (2.2 GB) 0% (16.1 GB) Note 3: This issue is only present for VirtualBox version 2.0.8 and 2.0.10 for Sun VDI. To determine the version of VirtualBox on a system, the following command can be run: $ pkgparam SUNWvbox VERSION 2.0.10,REV=r50334.2009.07.21.16.12 3. Symptoms There are no predictable symptoms that would indicate the described issue has been exploited. Access from hosts/IPs other than Sun VDI 3.0 core servers in the Apache2 access log (/var/apache2/logs/access_log) may indicate an unauthorized user. 4. Workaround To work around the described issue, firewall rules may be configured on the VirtualBox hosts to allow connections only from the VDI core servers. See the firewall product documentation for more information on how to configure firewall rules. 5. Resolution This issue is addressed in the following releases: SPARC Platform Sun VDI Software 3.0 (for Solaris 10) with patch 141481-03 or later and with VirtualBox 2.0.12 or later x86 Platform Sun VDI Software 3.0 (for Solaris 10) with patch 141482-03 or later and with VirtualBox 2.0.12 or later. Note: VirtualBox 2.0.12 is required to address the issue described, and may be downloaded from the following URL: http://www.sun.com/software/vdi/get.jsp Click on the "Download" button in the "Download Sun VDI Software 3" section. VirtualBox 2.0.12 should be installed after applying the Sun VDI 3.0 patch (141481-03 or 141482-03). For more information on Security Sun Alerts, see Technical Instruction ID 213557 http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1 This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. document link at sun.com: http://sunsolve.sun.com/search/document.do?assetkey=1-66-268328-1 _______________________________________________ SGD-Users mailing list SGD-Users@filibeto.org http://www.filibeto.org/mailman/listinfo/sgd-users