
CERT Coordination Center

Sun Ray Smartcard reader may leave desktop session open when card is quickly removed

Vulnerability Note VU#100780

Original Release Date: 2003-06-04 | Last Revised: 2012-03-14

Overview

The Sun Ray Smartcard reader fails to properly detect a "quick removal, reinsertion and removal of a Smartcard."

Description

The Sun Ray is a thin client computing device designed to process user input and output and to provide access to computing services hosted by a server. Authentication can be accomplished through a smartcard. By design, the smartcard must remain inserted during the user's session. Quoting from Sun documentation about smart cards and the Sun Ray:

When the user is finished (that is, the smart card is removed), the Authentication Manager is notified. If the user has not logged out, the session is kept alive with all services disconnected from the display. No files are left on the device, as all state is kept on the server, and the screen is cleared. When the user removes the smart card, there are no traces that he or she had been there. There is no risk that the next user to walk up will discover files or see the contents of windows that he or she shouldn't see.

A "quick removal, reinsertion and removal of a Smartcard" in the smartcard reader is not detected properly under some circumstances. If this occurs, the login session remains connected to the Desktop Unit (DTU) inappropriately.
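An added illustration, not code from the advisory or from Sun: a minimal model of a DTU session manager in which the reconnect started by a reinsertion completes only after a later removal. The race mechanism modelled here is an assumption (the advisory does not state the cause); the guarded handler discards stale reconnect completions, and violates_invariant checks the property the advisory describes (no card in the reader, no session attached to the DTU).

```python
# Constructed model of a DTU session manager; the race shown is an assumption,
# not the documented Sun Ray defect.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Dtu:
    card_present: bool = False
    session_attached: bool = False
    pending: Optional[Callable[[], None]] = None  # deferred reconnect completion
    generation: int = 0                           # bumped on every removal


def naive_event(dtu: Dtu, event: str) -> None:
    """Reconnect completion is applied later without re-checking card state."""
    if event == "remove":
        dtu.card_present = False
        dtu.session_attached = False
    elif event == "insert":
        dtu.card_present = True
        dtu.pending = lambda: setattr(dtu, "session_attached", True)
    elif event == "reconnect_done" and dtu.pending:
        dtu.pending()
        dtu.pending = None


def guarded_event(dtu: Dtu, event: str) -> None:
    """Completion records the generation at insert time; stale ones are dropped."""
    if event == "remove":
        dtu.generation += 1
        dtu.card_present = False
        dtu.session_attached = False
    elif event == "insert":
        dtu.card_present = True
        gen = dtu.generation

        def finish() -> None:
            # Attach only if no removal happened since this insert was seen.
            if gen == dtu.generation and dtu.card_present:
                dtu.session_attached = True
        dtu.pending = finish
    elif event == "reconnect_done" and dtu.pending:
        dtu.pending()
        dtu.pending = None


def run(handler: Callable[[Dtu, str], None], events: List[str]) -> Dtu:
    dtu = Dtu(card_present=True, session_attached=True)  # user logged in, card in
    for ev in events:
        handler(dtu, ev)
    return dtu


def violates_invariant(dtu: Dtu) -> bool:
    """Advisory's security property: card absent implies session detached."""
    return dtu.session_attached and not dtu.card_present


# Constructed sequence: quick remove, reinsert, remove; the reinsert's reconnect
# completes only after the second removal.
QUICK_SWAP = ["remove", "insert", "remove", "reconnect_done"]
```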

Impact

Under some circumstances, a user session may remain available even if the smartcard has been removed, in violation of the security architecture of the system.

Solution

A fix is pending from the vendor.

Until a fix is available, ensure that all sessions have been disconnected when removing a smartcard from the Sun Ray Smartcard reader.

Vendor Information


Sun Microsystems, Inc. Affected

Updated: June 04, 2003

Status

Affected

Vendor Statement

See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F53922&zone_32=category%3Asecurity

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           4.4    AV:L/AC:M/Au:N/C:P/I:P/A:P
Temporal       3.6    E:F/RL:OF/RC:C
Environmental  0.9    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Sun Microsystems for reporting this vulnerability.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: None
Severity Metric: 0.13
Date Public: 2003-04-28
Date First Published: 2003-06-04
Date Last Updated: 2012-03-14 15:52 UTC
Document Revision: 9

Sponsored by CISA.