Solaris CDE/NIS+ screenlock Vulnerability

If a Solaris 2.6 host is a NIS+ client, and any user other than root is running CDE at the console, CDE's screen locking feature does not work. Any random string is sufficient to unlock to console. It is unclear as to whether versions of Solaris previous to 2.6 running as NIS+ clients are vulnerable to this attack. Version 7.0 is believed to be fixed.


 

Privacy Statement
Copyright 2010, SecurityFocus