Title: Veritas Volume Manager 3.0.x File Permission Vulnerability
Severity: MODERATE
Description:
A vulnerability exists in the Volume Manager product, versions 3.0.x, from Veritas Software. Volume Manager is a popular disk management package. Volume Manager running on Solaris platforms prior to Solaris 8 are vulnerable.
Upon startup, the /etc/rc2.d/S96vmsa-server script is executed. It never explicitly sets a umask, and therefore inherits the parent umask, which is unset. When the server starts, it creates a file named .server_pids, in the directory /var/opt/vmsa/logs. As no umask is set, its permissions are set to 666. (user, group and world readable and writable).
The control script used to control various aspects of the Storage Administrator server will, upon getting a request to stop the server, execute the contents of the .server_pids file. As any user can alter the contents of the .server_pids file, a would be attacker can execute arbitrary commands by placing them in the .server_pids file, and waiting for an administrator to call the stop routine of the control script (/opt/VRTSvmsa/bin/vmsa_server). This will cause the code in the .server_pids file to be executed as the user running the script. In most cases this will be root.
This vulnerability requires that the administrator run the vmsa_server script with the stop command. It will not be invoked upon a shutdown.
Solaris 8 machines are not susceptible to this vulnerability, as the umask of the system is set to 022 prior to the execution of the /etc/rc2.d/S96vmsa-server script. As a result, the .server_pids file is created non-world and non-group writable, and the contents of this file cannot be altered.
Affected Products:
- Veritas Software Volume Manager 3.0.2
- Veritas Software Volume Manager 3.0.3
- Veritas Software Volume Manager 3.0.4
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
