Orange Business Services
Vigil@nce
we track for your security since 1999

vulnerability bulletin CVE-2009-2489 CVE-2009-2490 CVE-2009-2491

Sun Ray Server: access to a session

Synthesis of the vulnerability

Several vulnerabilities in Sun Ray Server can be used by a local attacker to access the sessions of other users.
Severity: 2/4.
Creation date: 16/07/2009.

Description of the vulnerability

The Sun Ray Server (SRSS) product provides thin clients with a Solaris, Linux or Windows environment. When a user leaves a thin client, his session is saved on SRSS, and is then reimported when he connects again on a thin client.

The utdmsession program informs the Device Manager when a session is created or destroyed. A local attacker can use utdmsession to access the sessions of other users. [severity:2/4; 252226, 6740687, BID-35711, CVE-2009-2489]

The utaudiod daemon manages the Audio Service. When Trusted Extensions are enabled, a local attacker can cause a denial of service in utaudiod. [severity:1/4; 253889, 6672502, BID-35713, CVE-2009-2490]

The utaudiod daemon manages the Audio Service. When Trusted Extensions are enabled, a local attacker can use utaudiod to access the session of another user. [severity:2/4; 253889, 6672502, BID-35713, CVE-2009-2491]

A local attacker can therefore obtain the privileges of another user.

Characteristics

Title: Sun Ray Server: access to a session.
Keywords: 252226 253889 6672502 6740687 Audio Device Extensions Linux Manager Ray SRSS Server Service Solaris Sun Trusted Windows access session.
Identifiers: 252226, 253889, 6672502, 6740687, BID-35711, BID-35713, CVE-2009-2489, CVE-2009-2490, CVE-2009-2491, VIGILANCE-VUL-8868.

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability: 252226 utdmsession

The utdmsession program informs the Device Manager when a session is created or destroyed. A local attacker can use utdmsession to access the sessions of other users.
Severity: 2/4.
Identifiers: 252226, 6740687, BID-35711, CVE-2009-2489.
Publications and announcements
Source example: A Security Vulnerability in Sun Ray Server Software may Allow Unauthorized Manipulation of Sessions

Vulnerability: 253889 utaudiod 1

The utaudiod daemon manages the Audio Service. When Trusted Extensions are enabled, a local attacker can cause a denial of service in utaudiod.
Severity: 1/4.
Identifiers: 253889, 6672502, BID-35713, CVE-2009-2490.
Publications and announcements
Source example: Two Security Vulnerabilities in Sun Ray Server Software 4.0 on Systems with Trusted Extensions Enabled May Allow either a Denial of Service (DoS) of the Audio Service or Unauthorized Access to Other Users' Sessions

Vulnerability: 253889 utaudiod 2

The utaudiod daemon manages the Audio Service. When Trusted Extensions are enabled, a local attacker can use utaudiod to access the session of another user.
Severity: 2/4.
Identifiers: 253889, 6672502, BID-35713, CVE-2009-2491.
Publications and announcements
Source example: Two Security Vulnerabilities in Sun Ray Server Software 4.0 on Systems with Trusted Extensions Enabled May Allow either a Denial of Service (DoS) of the Audio Service or Unauthorized Access to Other Users' Sessions

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Technology watch team on vulnerabilities

France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services.