Note: This is an archival copy of Security Sun Alert 228536 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017433.1.
Article ID : 1017433.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-05-22
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the "libike" Library May Potentially Cause a Denial of Service to the in.iked(1M) Daemon



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System

Bug Id
6348585

Date of Resolved Release
08-MAY-2006

Impact

It may be possible for a remote privileged user to cause the in.iked(1M) daemon to crash or cause in.iked to send invalid data to a peer system, potentially causing that system's in.iked daemon to crash, when an IKE exchange with a malformed payload is attempted.

If in.iked crashes, then IKE can not be used to exchange keying information for IPsec, thus causing a Denial of Service (DoS) to IPsec protected network traffic.

This issue is revealed by the test suite described in NISCC vulnerability #273756, which is available at http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 113451-11
  • Solaris 10 without patch 118371-07

x86 Platform

  • Solaris 9 without patch 114435-10
  • Solaris 10 without patch 118372-07

Notes:

  1. Solaris 8 does not support IKE and is not affected by this issue.
  2. The described issue only affects systems configured to run the IKE (Internet Key Exchange) daemon in.iked(1M).

The in.iked(1M) daemon is configured to run on a system if the file '/etc/inet/ike/config' is present. For example, the following command can be run to determine if IKE services are configured on the system:

    $ file /etc/inet/ike/config
    /etc/inet/ike/config:   cannot open: No such file or directory

Symptoms

If this issue has been exploited, the IKE daemon may no longer be running on the system.

To determine if the IKE (in.iked(1M)) daemon is not running on a system which has IKE configured, the following command can be run:

    $ test ! -f /etc/inet/ike/config || pgrep in.iked || \
    echo "in.iked not running but should be"

Note: The IKE protocol is an exchange of network packets between two or more peers. One or more of the peer systems may be running an operating system other than Solaris. In order to determine if the IKE daemon is configured and running correctly on a non-Solaris system consult the operating system vendor or operating system manuals for the system.


Workaround

To manually restart in.iked(1M), the following command can be run (as 'root'):

    # /usr/lib/inet/in.iked

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 113451-11 or later
  • Solaris 10 with patch 118371-07 or later

x86 Platform

  • Solaris 9 with patch 114435-10 or later
  • Solaris 10 with patch 118372-07 or later


References

113451-11
114435-10
118372-07
118371-07




Attachments
This solution has no attachment