Note: This is an archival copy of Security Sun Alert 201281 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000964.1.
Solaris 9 Operating System
Date of Resolved Release
A security vulnerability in the in.iked(1M) service for Solaris 9 may allow an unprivileged local or remote user to crash the in.iked(1M) daemon, causing a Denial of Service (DoS) to IPsec protected network traffic. This is due to a logical pointer-handling error in the "libike" library.
This issue can occur in the following releases:
The in.iked(1M) daemon is configured to run on a system if the file '/etc/inet/ike/config' is present. To determine if IKE services are configured on the system, the following command can be run:
$ ls /etc/inet/ike/config
/etc/inet/ike/config: No such file or directory
By default, the in.iked(1M) service is disabled on Solaris systems.
If this issue has been exploited, in.iked(1M) may no longer be running on the system. When running in.iked(1M) in debug mode, the following messages will appear:
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: In ssh_policy_new_connection (pm_info = 0x719b8).
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Rejecting inbound phase 1: remote port != 500.
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Phase 2 negotiation failed: Aborted notification.
Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL, file ../common/policy.c, line 1293
Abort (core dumped)
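The debug-mode messages above can be checked for mechanically. The following is an added example, not part of the original Sun Alert: a POSIX sh function that scans saved in.iked debug output for the port-rejection and assertion messages quoted in this advisory. The function names, verdict strings and exit codes are assumptions made for this example; the sample lines are copied from the advisory.

```shell
#!/bin/sh
# Added example (not Sun's code): classify in.iked debug output.
# Function names, verdict strings and exit codes are assumptions.

# Debug output copied from the advisory, used as sample input.
sample_iked_debug() {
    cat <<'EOF'
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: In ssh_policy_new_connection (pm_info = 0x719b8).
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Rejecting inbound phase 1: remote port != 500.
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Phase 2 negotiation failed: Aborted notification.
Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL, file ../common/policy.c, line 1293
Abort (core dumped)
EOF
}

# scan_iked_debug [FILE...]
# Reads the named files (or stdin) and prints one verdict line.
#   exit 0: the libike assertion from the advisory was logged
#   exit 1: only "remote port != 500" rejections were logged
#   exit 2: neither message was found
scan_iked_debug() {
    awk '
        # Inbound phase 1 attempt from a source port other than 500.
        /Rejecting inbound phase 1: remote port != 500/ { reject++ }

        # The assertion that aborts the daemon.
        /Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL/ {
            crash++
            if (reject) after_reject++   # a rejection was logged first
        }

        END {
            if (crash) {
                printf "CRASH assertions=%d after_port_reject=%d\n", crash, after_reject
                exit 0
            }
            if (reject) {
                printf "PORT_REJECT_ONLY count=%d\n", reject
                exit 1
            }
            print "CLEAN"
            exit 2
        }
    ' "$@"
}

# Run the scan over the advisory's own sample.
sample_iked_debug | scan_iked_debug
```

A PORT_REJECT_ONLY verdict means the daemon logged the rejection without aborting; it is not by itself evidence of a crash.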
If this issue has been exploited, the IKE daemon will no longer be running on the system. To determine if the IKE (in.iked(1M)) daemon is not running on a system which has IKE configured, the following command can be run:
$ test ! -f /etc/inet/ike/config || pgrep in.iked || \
    echo "in.iked not running but should be"
Until patches can be applied, sites may wish to filter UDP packets which have a source port other than the IKE port (port 500) and also to include at least one IKE rule in the ike.config(4) file.
When this issue has occurred, it is necessary to manually restart in.iked(1M) using the following command (as 'root'):
This issue is addressed in the following releases: