Sun ships servers open to attack

Sun confirmed that it has shipped some servers in its SPARC Enterprise T5120 and T5220 lines with disk images that contain unsafe configurations that could allow remote attackers to hijack the machines.

In a security alert dated Feb. 12 but picked up by third-party security vendors only yesterday, Sun acknowledged that it sent servers out the door armed with what it called an "incorrect Solaris 10 image."

"Sun SPARC Enterprise T5120 and T5220 servers with datecode prior to BEL07480000 have been mistakenly shipped with factory settings in the pre-installed Solaris 10 OS image," Sun said in the advisory. "These settings may allow a local or remote user to be able to execute arbitrary commands with the privileges of the root (uid 0) user."

If an attacker gains root privileges on a server, he or she could modify or delete files, or introduce additional malware to pillage user account passwords or steal other confidential information.

As Symantec analyst Anthony Roe noted in a short advisory to customers of the company's DeepSight threat network, "very few details have been released for this issue." Sun's advisory only spelled out how users were to figure out whether their T5210 or T5220 servers are affected, and if so, what they should do next to lock down the machines.

Sun did not elaborate on how the improperly-configured servers slipped through final checks or quality control. The company did not return a call for comment.

The Enterprise T5120 and T5220 servers are priced starting at $14,000 and $15,000, respectively, and are powered by Sun's UltraSPARC T2 processors. Both lines come with Solaris 10 as the pre-installed operating system.

"If you are running [one of these servers], you need to review the vulnerability alert and apply the configuration changes that the vendor recommends," advised Roe.