Note: This is an archival copy of Security Sun Alert 201098 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000819.1.
Solaris 10 Operating System
Date of Resolved Release
A security vulnerability resulting from incorrect and insufficient permission checks in the default Solaris 10 configuration may allow a local unprivileged user to create a raw socket on a Solaris link aggregation, resulting in unrestricted access to network packets.
This issue can occur in the following releases:
Note: This issue does not affect Solaris 8 or Solaris 9.
This issue only affects systems which have configured aggregations of network devices using dladm(1M) and enabled with ifconfig(1M). To determine if a system has configured one or more aggregations of network devices the following command can be run as the root user or a user with the sys_net_config privilege:
# /usr/sbin/dladm show-aggr key: 1 (0x0001) policy: L4 address: 0:1:2:3:4:5 (auto) device address speed duplex link state bge1 0:1:2:3:4:5 100 Mbps full up attached bge2 0:1:2:3:4:5 100 Mbps full up attached bge3 0:1:2:3:4:5 100 Mbps full up attached
# /usr/sbin/ifconfig aggr1 aggr1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 143 inet 18.104.22.168 netmask ffffff00 broadcast 22.214.171.124 ether 0:1:2:3:4:5
There are no reliable symptoms that would show if this issue has been exploited to access network traffic or send spoofed packets using a network link aggregation.
To create a policy for local users that would not allow them total access, add an entry into the /etc/security/device_policy file by running the update_drv(1M) command as superuser with the following arguments:
# /usr/sbin/update_drv -a -p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' aggr
This issue is addressed in the following releases:
This solution has no attachment