Note: This is an archival copy of Security Sun Alert 200183 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000137.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Resolved Release
Security Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) Condition
A security vulnerability in the Solaris Internet Protocol (IP - see ip(7P)) implementation may allow a remote privileged user to send certain packets that bypass the security policies set by a firewall, or to cause the system to panic, creating a Denial of Service (DoS) condition.
Sun acknowledges, with thanks, Mark Dowd from IBM Internet Security Systems X-Force (http://xforce.iss.net) for bringing this issue to our attention.
2. Contributing Factors
This issue can occur in the following releases:
There are no predictable symptoms that would indicate the policies of a firewall have been circumvented. If the system panics due to this issue, the following stack trace may be seen:
icmp_pkt_v6+0xxxxx
icmp_param_problem_v6+0xxxxx
ip_fanout_sec_proto+0xxxxx
ip_rput_local+0xxxxx
ip_rput+0xxxxx
putnext+0xxxxx
To work around the described issues:
As "root," set the ndd(1M) variable "ip_reass_queue_bytes" to 0 by using the following command:
# ndd -set /dev/ip ip_reass_queue_bytes 0
This workaround will stop the system from re-assembling IP fragments. Networks which send/receive fragmented IP packets to/from the system will become unreachable.
Note: This workaround is not persistent across reboot.
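Because the setting is lost at reboot, one way to reapply and verify it at boot is a small init script. This is an added example, not part of the original Sun Alert; the script name and install location (for instance /etc/init.d/ip-reass-workaround linked into /etc/rc2.d) and the overridable NDD variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): reapplies the advisory's ndd
# workaround when called with "start" and checks that it took effect.
# Script name and install path are assumptions.

NDD=${NDD:-/usr/sbin/ndd}   # overridable so the logic can be exercised off-box
DEV=/dev/ip
PARAM=ip_reass_queue_bytes

# Set ip_reass_queue_bytes to 0 and confirm the value reads back as 0.
# Returns 0 on success, 1 if ndd fails or the value did not change.
apply_reass_workaround() {
    cur=`"$NDD" -get "$DEV" "$PARAM"` || return 1
    if [ "$cur" != "0" ]; then
        "$NDD" -set "$DEV" "$PARAM" 0 || return 1
        cur=`"$NDD" -get "$DEV" "$PARAM"` || return 1
    fi
    [ "$cur" = "0" ]
}

case "${1:-}" in
start)
    if apply_reass_workaround; then
        echo "$PARAM set to 0: IP fragment reassembly is disabled"
    else
        echo "$PARAM could not be set to 0: workaround NOT active" >&2
        exit 1
    fi
    ;;
esac
```

The reachability caveat above applies for as long as the script is installed, so remove it once a fixed release is in place.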
This issue is addressed in the following releases: