Note: This is an archival copy of Security Sun Alert 200414 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000299.1.
Article ID : 1000299.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-01-29
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in Solaris 10 ICMP Handling May Allow a SystemPanic and Result in Denial of Service (DoS)



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6443912

Date of Resolved Release
30-JAN-2007

Impact

A security vulnerability in the Solaris 10 ICMP handling process may allow a remote unprivileged user to panic the system, resulting in a Denial of Service (DoS) condition.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 118833-28

x86 Platform

  • Solaris 10 without patch 118855-28

Notes:

  1. Solaris 8 and 9 are not impacted by this issue.
  2. Systems are only impacted by this issue if they are configured to receive ICMP ping(1M) requests.

To determine if a system ("solaris1" in this example) is configured to receive ICMP ping requests, the following command can be run:

    $ ping solaris1
    solaris1 is alive

Symptoms

Should the described issue occur, the system may panic with a stack trace similar to the following:

    ip:ill_refrele+0x8(0x0, 0x0, 0x0, 0x1010)
    ip:ip_output+0x149c(0x0?, 0x6000864f2c0?, 0x60001bcede0?, , 0x2)
    ip:ip_wput(0x60001bcede0, 0x600053ac140) - frame recycled
    unix:put+0x1c0(0x60001bcede0?, 0x600053ac140)
    ip:icmp_inbound+0xb88(0x60001bcece8, 0x6000864f2c0, 0x0, 0x30000c31268, 0x0, 0x0, 0x0, 0x1, , 0x2)
    ip:ip_proto_input+0x56c(, 0x6000864f2c0, 0x600086e7500, 0x60003a24ed8, 0x30000c31268)
    ip:ip_input+0x7d0(0x30000c31268, 0x0, , , 0xffffffff)
    ip:ip_rput(0x60001bcece8, 0x6000864f300) - frame recycled

Workaround

To work around the described issue, ICMP packets can be blocked using packet filtering software such as ipfilter(5), which is shipped with Solaris 10.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-28 or later

x86 Platform

  • Solaris 10 with patch 118855-28 or later


References

118833-28
118855-28




Attachments
This solution has no attachment