Source: cve@mitre.org
Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries.
Solaris Solstice AdminSuite 2.1 contains a local privilege escalation to root. When AdminSuite adds a user to the NIS+ password table (passwd.org_dir), it sets access rights on the new entry that let the user change the entry, not just the password column. Because the passwd table defines the account's UID, GID and login shell, write access to one's own entry is equivalent to full control of the account's identity, and hence of the host.
Step 1: User Account Creation: An administrator creates a local user account with AdminSuite.
Step 2: NIS+ Table Entry: AdminSuite writes the new user's entry into the NIS+ passwd table.
Step 3: Permission Flaw: The access rights placed on that entry are too permissive: the user, as the principal the entry is created for, can modify the whole entry rather than only the password column that NIS+ normally exposes to account owners.
Step 4: Entry Modification: The user edits their own entry with ordinary NIS+ client tools. The advisory does not say which field is changed; the obvious route is to alter the numeric UID (or GID) column, since the password column is already theirs to change and gains them nothing.
Step 5: Root Access: At the next login or credential refresh the modified entry is honoured, and the user's session runs with the identity they wrote into the table.
The root cause is an access-control error in AdminSuite's account-creation code path for NIS+: it fails to restrict the access rights it assigns to the newly created passwd table entry. NIS+ evaluates rights at the table, entry and column levels, and the intended design is that a user can modify only the passwd column of their own entry (so that passwd(1) works) while the remaining columns are writable only by the administrators group. Granting the user modify rights at the entry level overrides that column-level restriction and lets them rewrite identity fields such as UID and GID. This is a permissions flaw, not an input-validation flaw: the values the user writes are well-formed, they are simply values they should never have been allowed to write.
Given the age of the vulnerability, no specific threat group is associated with exploiting it in current campaigns. Any actor with local access to a legacy Solaris host still running NIS+ should be assumed to know of it. This vulnerability is not listed on the CISA KEV.
Monitor the NIS+ passwd table for unexpected changes, in particular to the uid, gid and shell columns of existing entries; on the NIS+ master the transaction log (nislog) records every table update.
Review system logs for account creation and modification activity, particularly from AdminSuite or other administrative tools, and correlate it with the entries whose rights were changed.
Audit the access rights on passwd table entries (niscat -o) and alert on any entry where the owner, nobody or world holds modify, create or destroy rights; the only owner-modifiable item should be the passwd column.
Watch for root sessions or UID-0 processes belonging to principals that have no administrative role; NIS+ updates travel over RPC, so unusual RPC traffic to the NIS+ master from ordinary clients is also a useful signal.
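The following is an added example, written for this page and not code from the original advisory, Sun or AdminSuite. It serves both the five-step walkthrough above (it shows what the over-permissive entry rights look like against a hardened entry) and the detection guidance: it decodes NIS+ access-rights strings, which niscat prints as sixteen characters in four groups (nobody, owner, group, world), each group being r m c d for read, modify, create and destroy, and flags passwd-table entries whose owner, nobody or world has any write right at the entry level. The niscat -o dump embedded below is constructed and trimmed for the example; the principal and domain names are placeholders.

```python
import re

PRINCIPALS = ("nobody", "owner", "group", "world")  # order in a NIS+ rights string
FLAGS = "rmcd"                                       # read, modify, create, destroy

# Constructed `niscat -o` excerpts (not real output) for two entries in
# passwd.org_dir.  alice carries the entry-level rights the advisory describes:
# the entry owner (the user herself) can modify/create/destroy the whole entry.
# bob carries the hardened form: owner read-only, admin group keeps rmcd.
SAMPLE_NISCAT = """\
Object Name   : [name=alice]
Directory     : passwd.org_dir.example.com.
Owner         : alice.example.com.
Group         : admin.example.com.
Access Rights : ----rmcdrmcdr---
Object Type   : ENTRY

Object Name   : [name=bob]
Directory     : passwd.org_dir.example.com.
Owner         : bob.example.com.
Group         : admin.example.com.
Access Rights : ----r---rmcdr---
Object Type   : ENTRY
"""


def decode_rights(rights):
    """Map a 16-character NIS+ rights string to {principal: set of granted flags}."""
    if len(rights) != 16:
        raise ValueError("rights string must be 16 characters: %r" % rights)
    decoded = {}
    for i, who in enumerate(PRINCIPALS):
        chunk = rights[4 * i:4 * i + 4]
        granted = set()
        for ch, flag in zip(chunk, FLAGS):
            if ch == flag:
                granted.add(flag)
            elif ch != "-":
                raise ValueError("unexpected %r in rights string %r" % (ch, rights))
        decoded[who] = granted
    return decoded


def parse_niscat(text):
    """Split blank-line-separated `niscat -o` dumps into one dict per object."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        objects.append(fields)
    return objects


def audit_passwd_entries(text):
    """Return [(entry name, finding)] for passwd entries where the entry owner,
    nobody or world holds modify/create/destroy at the entry level.

    Owner modify is legitimate only on the passwd *column*; at entry level it
    lets the user rewrite uid, gid and shell, which is the flaw described here."""
    findings = []
    for obj in parse_niscat(text):
        if obj.get("Object Type") != "ENTRY":
            continue
        rights = decode_rights(obj["Access Rights"])
        for who in ("nobody", "owner", "world"):
            bad = rights[who] & set("mcd")
            if bad:
                flags = "".join(f for f in FLAGS if f in bad)
                findings.append((obj["Object Name"], "%s has %s at entry level" % (who, flags)))
    return findings


if __name__ == "__main__":
    for entry, finding in audit_passwd_entries(SAMPLE_NISCAT):
        print("%s: %s" % (entry, finding))
```

On a live system the input would come from niscat itself (e.g. `niscat -o '[name=alice],passwd.org_dir'` for each account, which is assumed here to print the object in the field layout shown). The rule deliberately leaves the group principal alone, since the administrators group is expected to hold rmcd on every entry; what must never appear is write access for the entry owner, nobody or world.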
Apply the vendor fix for AdminSuite or upgrade to a release that sets correct entry rights. If that is not possible, stop using AdminSuite to create NIS+ accounts and add users with the native NIS+ tools instead.
Correct the rights on entries AdminSuite has already created so that only the administrators group can modify them, for example by removing the owner's entry-level write rights with nischmod (nischmod o-mcd '[name=alice],passwd.org_dir'); the user keeps the ability to change their own password because that right is granted on the passwd column, not on the entry.
Review and harden the access rights on all NIS+ tables, not just passwd: the same entry-level mistake in group, hosts or cred tables has comparable consequences.
Regularly audit NIS+ accounts and the rights on their entries, not only their membership in privileged groups.
Plan a migration away from NIS+ to LDAP, the directory service Sun documented as its replacement, since NIS+ itself is no longer maintained.