Info

Disclosure

Sep 18, 2001

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Sun Cluster contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user removes the status file, creates a symlink in the /var/opt/SUNWcluster/fm/fmstatus/nfs/<logicalhostname> directory, then telnets into localhost on port 1200 which will disclose all files on the system resulting in a loss of confidentiality.

Classification

Location: Local Access Required
Attack Type: Information Disclosure, Misconfiguration, Race Condition
Impact: Loss of Confidentiality
Exploit: Exploit Public

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch to address this vulnerability.

Products

Sun Microsystems, Inc.	Cluster	2.1
		2.2

References

CVE ID: 2001-0078 (see also: NVD)
ISS X-Force ID: 6125
Generic Informational URL: http://archives.neohapsis.com/archives/bugtraq/2000-12/0180.html
Vendor Specific Solution URL: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=105458&rev=21
http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=109208&rev=15
http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=109209&rev=14
http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=109210&rev=13
Vendor Specific Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F25252
Vendor URL: http://www.sun.com/software/cluster/

Credit

Dixie Flatline - echo8firest0rm.org -

Direct URL: http://osvdb.org/6437

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Sun Microsystems, Inc.

Cluster

References

Credit