Article ID: 268228
Article Type: Sun Alert
Last reviewed: 2009-12-10
Audience: PUBLIC
Keywords:
Copyright Notice: Copyright © 2009 Sun Microsystems, Inc. All Rights
Reserved
Vulnerability in Sun Ray Server Software due to Logout Failure
Category: Security
Release Phase: Resolved
Bug Id: 6853222
Product: Sun Ray Server Software 4.1
Date of Resolved Release: 10-Dec-2009
Vulnerability in Sun Ray Server Software due to Logout Failure, see below:
1. Impact
When a local user logs out of a Sun Ray desktop session, the session
may log the user back in again. The user may be unaware that the
session has logged in again and is unlocked, which may allow another
user to access to the desktop session.
The issue does not occur when one locks the screen or when the
smartcard used to access a session is removed from the Sun Ray DTU.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Sun Ray Server Software 4.1 (for Solaris 10) without patch 139548-03
x86 Platform
* Sun Ray Server Software 4.1 (for Solaris 10) without patch 139549-03
Note 1: Sun Ray Server Software 4.0 and Sun Ray Server Software 4.1 on the
Linux platform are not impacted by this issue.
Note 2: For the issue to occur, Sun Ray "Automatic Multi-Group
Hotdesking" (AMGH) feature must be enabled and supplying usernames
and one of the following must also apply:
a) "Non Smartcard Mobility" (NSCM) is not configured (i.e. non-mobile
pseudo sessions are used) and another user has physical access to the
Sun Ray DTU where the user had previously logged out.
b) Smartcards are used to access a session, and another user has
physical access to that smartcard and physical access to any Sun Ray DTU.
3. Symptoms
Upon logout, a local user is automatically logged in again.
4. Workaround
If smartcards are not used for Sun Ray session authentication, then
enable NSCM
policy and do not use smartcards. If that is not feasible, then disable
Remote Hotdesk
Authentication (RHA).
To disable RHA, use the Admin GUI or the -D option of utpolicy(1M).
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Sun Ray Server Software 4.1 (for Solaris 10) with patch 139548-03
x86 Platform
* Sun Ray Server Software 4.1 (for Solaris 10) with patch 139549-03
For more information on Security Sun Alerts, see Technical Instruction
ID 213557:
http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
document link at sun.com:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-268228-1
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
