This is not a new vulnerability. Sun put out a patch for this in early January. It is a bug in the O/S, but given Sun's much more proactive response, perhaps Cisco is being somewhat less responsive and a little too hard on Sun in their notification below. Specifically, one has to wonder why Cisco does not refer to the patches from Sun rather than claim that, "This vulnerability can be mitigated in many cases (not all), by limiting interactive logins to trusted hosts using access control list (ACL) or other mechanisms such as firewalls." Has Cisco modified the Solaris /bin/login, and is that why they are not recommending Sun's patch?

Charles Richmond

************************************************************

Summary
=======

This advisory describes a vulnerability that affects Cisco products and applications that are installed on the Solaris operating system, and is based on the vulnerability of a common service within the Solaris operating system, not due to a defect of the Cisco product or application.

A vulnerability in the "/bin/login" program was discovered that enables an attacker to execute arbitrary code under Solaris OS. This vulnerability was discovered and publicly announced by Internet Security Systems Inc.

All Cisco products and applications that are installed on Solaris OS are considered vulnerable to the underlying operating system vulnerability, unless steps have been taken to disable access services such as "/bin/login". We are investigating other Solaris based products.

This vulnerability can be mitigated in many cases (not all), by limiting interactive logins to trusted hosts using access control list (ACL) or other mechanisms such as firewalls.

This advisory is available at http://www.cisco.com/warp/public/707/Solaris-bin-login.shtml

Products Affected
=================

All products and all releases that are running on top of Solaris OS are vulnerable because the vulnerability is within Solaris and not within the other applications.

...
************************************************************

--
Charles Richmond
Integrated International Systems Corporation
cmr@iisc.com  cmr@acm.org  cmr@shore.net  http://www.iisc.com
UNIX Internals, I18N, L10N, X, Realtime Imaging, and Custom S/W
131 Bishop's Forest Drive, Waltham, Ma. USA 02452
(781) 647 2269  FAX (781) 647 3665  Cellular (781) 389 9777
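The advisory's mitigation (disable the access services that hand a session to /bin/login, or restrict them to trusted hosts) can be audited from inetd.conf. The script below is an added example, not part of Cisco's advisory or of the original post; it runs against a constructed Solaris-style inetd.conf and assumes that in.telnetd and in.rlogind are the inetd servers that invoke /bin/login.

```shell
#!/bin/sh
# Constructed sample of a Solaris-style /etc/inetd.conf (not from any real host).
# Fields: service socket proto wait/nowait user server-path server-args
SAMPLE_INETD_CONF='#
# Constructed sample, not a real host configuration
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
'

# Assumption: these inetd servers exec /bin/login for each accepted session.
LOGIN_DAEMONS='in.telnetd in.rlogind'

# Print the names of enabled inetd services whose server is a /bin/login
# front end. Reads inetd.conf text on stdin, one service name per line.
find_login_services() {
    awk -v daemons="$LOGIN_DAEMONS" '
        BEGIN { n = split(daemons, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }          # skip comments and short lines
        {
            server = $6; sub(/.*\//, "", server)  # basename of the server path
            if (server in want) print $1
        }'
}

# Emit a copy of inetd.conf with those services commented out: the
# "disable access services" step from the advisory. Reads stdin, writes stdout.
disable_login_services() {
    awk -v daemons="$LOGIN_DAEMONS" '
        BEGIN { n = split(daemons, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 {
            server = $6; sub(/.*\//, "", server)
            if (server in want) { print "#" $0 "\t# disabled: spawns /bin/login"; next }
        }
        { print }'
}

# Stand-alone run: list the exposed services in the constructed sample.
printf '%s' "$SAMPLE_INETD_CONF" | find_login_services
```

On a real system the same functions take `/etc/inetd.conf` on stdin; after editing the file, inetd has to re-read it before the change takes effect.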