A security vulnerability in the TLS protocol (TLS 1.0 or later and SSLv3) may allow an unauthenticated, remote attacker to conduct man-in-the-middle (MITM) type of attacks where chosen plain text may be injected as a prefix in an user's TLS session. This vulnerability does not allow one to decrypt the intercepted network communication.

This issue is referenced in CVE-2009-3555 and US-CERT VU#120541

Exact nature of the impact depends on the application making use of the TLS facility. Applications which use Network Security Services (NSS), Java Secure Socket Extensions (JSSE), OpenSSL or GnuTLS libraries may be affected.

Sun is evaluating the impact of the issue on various products which make use of the TLS libraries. We are working to fix the TLS implementations according to the TLS protocol standard extensions currently being developed.

Solaris Kernel SSL proxy module KSSL does not support client renegotiation or rehandshake. It ignores the rehandshake message which is an allowed behavior by the SSL/TLS specification. Hence it is not vulnerable to this issue. KSSL (see ksslcfg(1M)) is available in Solaris 10 and OpenSolaris. It may be used to workaround the described issue in server applications.

The issue does not affect any server applications distributed with Solaris which use the GnuTLS library. At this time we do not plan to issue any interim fixes to GnuTLS libraries. Fixes to GnuTLS distributed with Solaris would be provided when the proposed TLS extensions become a standard.

Following Sun Alerts provide more information about this issue:

• 273029 Describes the issue in OpenSSL libraries provided with Solaris.
• 273350 Describes the issue in NSS libraries provided with Solaris and Sun Java Enterprise System.

tags: gnutls jsse nss openssl security tls vulnerability

Permalink | Comments [0]

A security vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) protocols in the handling of session renegotiations affects Network Security Services (NSS). This issue may allow a remote unauthenticated user with the ability to intercept and control network traffic to perform a man-in-the-middle (MITM) attack to inject arbitrary plain text at the beginning of the application protocol stream, thus compromising the integrity of the communication. This vulnerability does not allow one to decrypt the intercepted network communication.

Sun acknowledges with thanks, Marsh Ray and Steve Dispensa of PhoneFactor for bringing this issue to our attention.

This issue is also referenced in the following documents:

Permalink | Comments [2]

Security vulnerabilities in thunderbird(1) related to handling of SSL server certificates
may allow remote SSL servers with crafted server certificates to compromise an encrypted
communication or cause arbitrary code execution with the privileges of a Thunderbird user.

The following Mozilla advisories describe the vulnerabilities:
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

http://www.mozilla.org/security/announce/2009/mfsa2009-43.html

Additional references:

CVE-2009-2404 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404

CVE-2009-2408 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408

Permalink | Comments [0]

Multiple Cross-Site Scripting (XSS) security vulnerabilities exist in Sun Java System Portal Server's Gateway that may allow remote users to execute arbitrary JavaScript code in a user's web browser.

Permalink | Comments [0]

Multiple security vulnerabilities in Adobe Reader versions 9.x before 9.1.4, 8.x before 8.1.7 and 7.x before 7.1.4 may allow remote unprivileged users to execute arbitrary code or crash the Adobe Reader application, thereby causing a Denial of Service (DoS) condition. These vulnerabilities may be exploited via specially crafted PDF files.

The following resources document these issues in more detail:

Permalink | Comments [0]

A security vulnerability in the BIND DNS software shipped with Solaris may allow a remote user who is able to perform recursive queries to cause a server that is configured to support DNSSEC validation and recursive client queries to return incorrect addresses for Internet hosts, thereby redirecting end users to unintended hosts or services.

This issue is also mentioned in the following document:

• https://www.isc.org/node/504
  

Permalink | Comments [0]

A command execution vulnerability in the Java Runtime Environment Deployment Toolkit may be leveraged to execute arbitrary code. This may occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability.

Sun acknowledges with thanks, an anonymous researcher working with iDefense for bringing this issue to our attention.

Permalink |

Multiple security vulnerabilities in the LDAP client configuration cache daemon (ldap_cachemgr(1M)) may allow a local unprivileged user to terminate the ldap_cachemgr daemon. On Solaris 9 and 10 systems this will prevent LDAP name service requests from succeeding. This is a type of Denial of Service (DoS) as LDAP name service requests will hang and users may no longer be able to login to LDAP client systems. On Solaris 8 systems, LDAP name service requests will be slower, as caching will not occur which is also a type of Denial of Service (DoS).

Permalink |

Multiple security vulnerabilities with varying impacts affect Firefox (see firefox(1)) versions prior to 3.5.3 as shipped with OpenSolaris. These vulnerabilities may allow an unprivileged remote user to steal content from the "History" or "Smart Location" bar, or to possibly execute arbitrary code on the system where Firefox is being run. Further vulnerabilities may allow a remote user to run malicious JavaScript at Chrome privileges or perform a cross-origin data theft.

The following Mozilla advisories describe the vulnerabilities:

The following are the CVE identifiers that pertain to these security issues:

Permalink |

A security vulnerability in the timeout mechanism of Solaris sshd(1M) may allow a remote unprivileged user to cause a Denial of Service (DoS) condition. If this issue is exploited, the sshd(1M) daemon will stop accepting new ssh(1) connections.

Permalink | Comments [1]

Two security vulnerabilities in SAMBA(7) may result in one or both of the following issues:

1. A remote unprivileged user with a valid SAMBA account may gain unauthorized access to the remote root file system. This issue is referenced in the following CVE document:

2. A remote unprivileged user on an authenticated SAMBA connection may cause a Denial of Service (DoS) condition via specially crafted SMB requests. This issue is referenced in the following CVE document:

Permalink |

A security vulnerability in the optional Sun VirtualBox Guest Additions may allow local unprivileged
users to exhaust the kernel memory of the guest operating system, leading to a Denial of Service
against the guest operating system running in a virtual machine.

Since the Guest Additions are installed in the guest operating system only, this vulnerability is limited
to local users of the guest operating system running in a virtual machine where the Guest Additions
have been installed. The host operating system is not affected.

Sun would like to acknowledge with thanks, Thomas Biege of SUSE Linux for bringing this issue to our attention.

Permalink | Comments [1]

Security vulnerabilities in the Solaris IP(7P) module and STREAMS Framework may allow an unprivileged local user to leak kernel memory, eventually causing the system to hang. This is a type of Denial of Service (DoS).

Permalink |

A  security vulnerability in the the OSCAR protocol plugin library, the shared library that adds support for various instant messaging networks to the pidgin(1) Instant Messaging client (previously known as Gaim), may allow remote unprivileged users to cause a Denial of Service (DoS) through an application crash via crafted contact-list data for (1) ICQ and possibly (2) AIM.

This issue is also referenced in the following document:

CVE-2009-3615 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3615

Permalink |

The web interface of the Common Unix Printing System (CUPS) in versions 1.4.1 and earlier is impacted by multiple security vulnerabilities which may lead to Cross-Site Scripting (XSS) and HTTP Response Splitting Attacks. These vulnerabilities could allow an unprivileged local or remote user (depending on the CUPS configuration), to inject malicious client-side scripts or HTML into the CUPS web interface page.

These issues are also described in the following document:

Permalink |