Note: This is an archival copy of Security Sun Alert 201492 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001115.1.
Date of Resolved Release
Although Solaris is not directly affected by recent email virus and network "worm" attacks and/or vulnerabilities, the effects of these attacks can degrade network performance and networked applications on all UNIX operating environments including Solaris.
1. This issue is described in:
W32/Sobig.F Worm IN-2003-03 at: http://www.cert.org/incident_notes/IN-2003-03.html
Microsoft Security Bulletin MS03-026 at: http://www.microsoft.com/security/incident/blast.asp
2. Worms that exploit this issue are described in:
W32/Blaster Worm CA-2003-20 at: http://www.cert.org/advisories/CA-2003-20.html
W32/Welchia or W32/Nachi at: http://www.mycert.org.my/advisory/MA-055.082003.html
This issue can affect the following releases:
1. Due do excessive load on networks caused by the email virus or network "worm", a general degradation of network performance (including longer than expected answering times for various network services like NFS or Email) may occur. Symptoms observed on infected networks include a noticable increase of packets on netbios ports 135, 137, 138, 139 (more common on Solaris with Samba or PCNetlink). Use the "snoop" command or any other tool capable of capturing network traffic to display this symptom.
2. Abnormal amount of UDP(7P) broadcast packets on a subnet (udpNoPorts) which may indicate a worm looking for open ports. This value can be checked by running:
% netstat -s | grep udpNoPorts tcpInErrs = 0 udpNoPorts =164903
3. High levels of ICMP(7P) and ARP(7P) traffic (generated by worms to discover systems on a network). This can be checked by running the following command:
% netstat -s | grep icmpInMsgs ICMPv4 icmpInMsgs = 12074 icmpInErrors = 0
4. Unexpected connections to TCP(7P) ports used by "worms". TCP resets will be generated by Solaris (tcpOutRsts) as "worms" attempt to contact ports not in use by Solaris. Check this by running the following command:
% netstat -s | grep tcpOutRsts tcpOutRsts = 4054 tcpOutFastRetrans = 24
Note: Acceptable numbers for all of the above values depend on the size of normal traffic load for a particular network.
The above advisories (see "Impact") encourage disabling access to certain network ports before applying patches to Microsoft systems. The reports do not clearly communicate the need to re-enable the ports on the Solaris systems after the patches have been installed. Customers who do not re-enable the ports may suffer negative effects on the following Solaris network services:
Note: Ports 593 and 707 are also noted in the above advisories.
Addtional information for tuning Solaris for security concerns may be found in the Sun Blueprint article on security at:
Please see the "Relief/Workaround" section above for the resolution to this issue.
Sun Linux 5.0
This solution has no attachment