Note: This is an archival copy of Security Sun Alert 201098 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000819.1.
Article ID : 1000819.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-10-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Solaris 10 Link Aggregation may Allow Local Users Total Access to Network Packets


Release Phase

Solaris 10 Operating System

Bug Id

Date of Resolved Release


A security vulnerability resulting from incorrect and insufficient permission checks in the default Solaris 10 configuration may allow a local unprivileged user to create a raw socket on a Solaris link aggregation, resulting in unrestricted access to network packets.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 118833-23

x86 Platform

  • Solaris 10 without patch 118855-19

Note: This issue does not affect Solaris 8 or Solaris 9.

This issue only affects systems which have configured aggregations of network devices using dladm(1M) and enabled with ifconfig(1M).  To determine if a system has configured one or more aggregations of network devices the following command can be run as the root user or a user with the sys_net_config privilege:

    # /usr/sbin/dladm show-aggr
  key: 1 (0x0001) policy: L4      address: 0:1:2:3:4:5 (auto)
device       address           speed         duplex  link state
bge1         0:1:2:3:4:5       100   Mbps    full    up      attached
       bge2         0:1:2:3:4:5       100   Mbps    full    up      attached
       bge3         0:1:2:3:4:5       100   Mbps    full    up      attached
    # /usr/sbin/ifconfig aggr1
   aggr1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 143
inet netmask ffffff00 broadcast
ether 0:1:2:3:4:5



There are no reliable symptoms that would show if this issue has been exploited to access network traffic or send spoofed packets using a network link aggregation.


To create a policy for local users that would not allow them total access, add an entry into the /etc/security/device_policy file by running the update_drv(1M) command as superuser with the following arguments:

  # /usr/sbin/update_drv -a -p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' aggr



This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-23 or later

x86 Platform

  • Solaris 10 with patch 118855-19 or later



This solution has no attachment