The company makes hackers' lives much easier

Mar 28, 2008 08:11 GMT

Sun has just confirmed that it has shipped batches of its SPARC Enterprise T5120 and T5220 servers pre-installed with disk images that contain security vulnerabilities. According to the security report published by the server vendor, the worst-case scenario would allow a remote attacker to hijack the machine and gain control over the server.

Despite the fact that the security alert is dated February 12, security vendors only revealed it late this week. According to Sun, the shipped servers were pre-installed with an "incorrect Solaris 10 image."

"Sun SPARC Enterprise T5120 and T5220 servers with datecode prior to BEL07480000 have been mistakenly shipped with factory settings in the pre-installed Solaris 10 OS image," Sun said in the advisory. "These settings may allow a local or remote user to be able to execute arbitrary commands with the privileges of the root (uid 0) user."

Once a remote attacker gains root privileges on the server, they can perform a broad range of tasks, including editing or deleting files, or copying them to a remote FTP server. Moreover, once the server is hijacked, it can be used to spread malware in order to steal users' confidential information.

According to Symantec analyst Anthony Roe, only a few details are available about this issue. Sun released only the essential information: guidelines that allow users to figure out whether their systems are affected by the issue, as well as the methods to lock the servers down if they are exposed.

"If you are running [one of these servers], you need to review the vulnerability alert and apply the configuration changes that the vendor recommends," advised Roe.

The Enterprise T5120 and T5220 servers are targeted at the enterprise segment, and come with price tags of $14,000 and $15,000, respectively. Built with Sun's UltraSPARC T2 chips, the systems are running Solaris 10 as the pre-installed operating system.

Sun refused to detail how the buggy servers managed to pass the final quality control checks.