Note: This is an archival copy of Security Sun Alert 228408 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017349.1.
Solaris 10 Operating System
Date of Resolved Release
A security vulnerability in the Solaris 10 kernel SSL feature may allow a remote unprivileged user acting as an SSL client to panic the system, creating a Denial of Service (DoS) condition.
This issue can occur in the following releases:
Note: Solaris 8 and Solaris 9 are not impacted by this issue.
This issue only occurs on systems which have a Kernel SSL Proxy service instance enabled. In the default configuration the service does not exist and is not running.
To determine if a system is configured to use the Kernel SSL Proxy, the svcs(1) command can be used to find the status of any Kernel SSL Proxy service instances:
$ svcs svc:/network/ssl/proxy svcs: Pattern 'svc:/network/ssl/proxy' doesn't match any instances STATE STIME FMRI
If the described issue occurs, the system will panic with a stack trace similar to the following:
>> $c bcopy+0x2cc(3000453ce40, 0, 40, 2a10086b0b0, 2a10086b0f0, 3000453ce40) md5_mac_init+0xec(30005fcbf40, 2a10086b348, 40, 0, 3000453ce40, 2a10086b740) crypto_mac_init_prov+0x19c(3000077c040, 0, 70119408, 2a10086b738, 0, 2a10086b530) crypto_mac_init+0x114(70119408, 2a10086b738, 0, 2a10086b530, 0, 3000077c040) kssl_tls_P_hash+0x50(10, 2a10086b738, 40, 701199d0, d, 2a10086b840) kssl_tls_PRF+0x80(30, 0, 80, 701199d0, d, 2a10086b840) ...
To workaround this issue, disable all instances of the Kernel SSL Proxy service and re-configure applications which may depend on them. Note that this will remove the benefits otherwise gained by the Kernel SSL Proxy, such as the performance enhancements.
To disable the Kernel SSL Proxy service, the svcadm(1M) command can be used for each instance of the service:
# svcadm disable svc:/network/ssl/proxy:<instance_suffix>
To disable and delete the Kernel SSL Proxy service, the ksslcfg(1M) can be used for each instance of the service:
# ksslcfg delete [host] <ssl_port>
This issue is addressed in the following releases:
This solution has no attachment