Note: This is an archival copy of Security Sun Alert 235421 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019129.1.
Article ID : 1019129.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Solaris 10 Trusted Extensions Labeled Networking Related to Data Transfer Between Labeled Zones



Category
Security

Release Phase
Resolved

Bug Id
6513817

Product
Solaris 10 Operating System

Date of Workaround Release
04-Apr-2008

Date of Resolved Release
02-May-2008

Vulnerability in Solaris 10 Trusted Extensions (see details below)

1. Impact

A security vulnerability in Solaris 10 Trusted Extensions labeled networking may allow untrusted applications in separate labeled zones to exchange data on the local system by circumventing label restrictions.

2. Contributing Factors

This issue can occur if one or more all-zones interfaces are non-vni interfaces.
This issue can occur on the following releases:

SPARC Platform
  • Solaris 10 without patch 127127-11
x86 Platform
  • Solaris 10 without patch 127128-11
Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.
Note 2: This issue only impacts Solaris 10 systems which have installed and configured Solaris Trusted Extensions. Solaris Trusted Extensions is available starting in the Solaris 10 11/06 release.

To determine if a system is configured with Trusted Extensions, the following command can be run:
    $ svcs labeld
    STATE          STIME    FMRI
    online         16:19:20 svc:/system/labeld:default

If the system is configured with Trusted Extensions, the "labeld" service will have an instance in the online state.

Note 3: This issue only impacts systems with an all-zones interface that is not based upon vni(7d).

To determine which interfaces are configured to be all-zones, the following command can be run as root in the global zone:

    $ ifconfig -a

Those interfaces which are all-zones will contain the word "all-zones" in their ifconfig output. If the interface is vni0 or another vni interface, that interface is not impacted. If any other interface is all-zones, the interface may be impacted.

Sample ifconfig -a output illustrating a configuration where bge0 is all-zones (vulnerable), vni0 is all-zones (not vulnerable), and bge1 is not all-zones (not vulnerable):

    bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            all-zones
            inet 129.146.163.175 netmask ffffff00 broadcast 129.146.163.255
            ether 0:14:4f:f:c6:a0
    bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
            inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
            ether 0:14:4f:f:c6:a1
    vni0: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 4
            all-zones
            inet 192.168.240.240 netmask ffffff00
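The following shell script is an added example, not part of the Sun Alert, that applies the two checks described in Note 2 and Note 3 to captured command output: it parses "svcs labeld" text for an instance in the online state, and "ifconfig -a" text for all-zones interfaces that are not vni interfaces. The function names, the --live option and the embedded sample text (modelled on the svcs and ifconfig output shown above) are constructed for this example; the alert itself does not supply a script.

```sh
#!/bin/sh
# Added example, not part of the Sun Alert: audit the two conditions the
# alert describes (labeld online, and an all-zones interface that is not
# vni(7d) based) from the text of "svcs labeld" and "ifconfig -a".
# Function names, the --live option and the sample text are constructed.

# Constructed sample: the svcs output shown in the alert.
SAMPLE_SVCS='STATE          STIME    FMRI
online         16:19:20 svc:/system/labeld:default'

# Constructed sample modelled on the alert's ifconfig -a illustration
# (bge0 all-zones, bge1 not all-zones, vni0 all-zones).
SAMPLE_IFCONFIG='bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 129.146.163.175 netmask ffffff00 broadcast 129.146.163.255
        ether 0:14:4f:f:c6:a0
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
        ether 0:14:4f:f:c6:a1
vni0: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 4
        all-zones
        inet 192.168.240.240 netmask ffffff00'

# labeld_online: reads "svcs labeld" output on stdin and succeeds (exit 0)
# only if an instance is listed in the online state, i.e. Trusted
# Extensions is configured on the system. The first line is the header.
labeld_online() {
    awk 'NR > 1 && $1 == "online" { found = 1 } END { exit !found }'
}

# affected_all_zones_ifaces: reads "ifconfig -a" output on stdin and prints,
# one per line, the names of all-zones interfaces that are not vni
# interfaces. The name comes from the unindented "name: flags=..." header
# line; an indented line consisting only of "all-zones" marks that interface.
affected_all_zones_ifaces() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        /^[ \t]+all-zones[ \t]*$/ && iface !~ /^vni[0-9]*$/ { print iface }
    '
}

# audit: runs both checks over the supplied texts and prints one verdict:
# "not-applicable" when labeld is not online, "no-affected-interfaces" when
# every all-zones interface is vni based, otherwise "affected: <names>".
audit() {
    svcs_text=$1
    ifconfig_text=$2
    if ! printf '%s\n' "$svcs_text" | labeld_online; then
        echo "not-applicable"
        return 0
    fi
    ifaces=$(printf '%s\n' "$ifconfig_text" | affected_all_zones_ifaces | tr '\n' ' ')
    ifaces=${ifaces% }
    if [ -z "$ifaces" ]; then
        echo "no-affected-interfaces"
    else
        echo "affected: $ifaces"
    fi
}

# With --live, audit the running system (run as root in the global zone);
# otherwise demonstrate on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    audit "$(svcs labeld 2>/dev/null)" "$(ifconfig -a 2>/dev/null)"
else
    audit "$SAMPLE_SVCS" "$SAMPLE_IFCONFIG"
fi
```

Run with --live as root in the global zone to audit the running system; without arguments it runs over the embedded sample and reports "affected: bge0". An "affected" verdict identifies a system matching Note 2 and Note 3; whether the patch from Section 5 is installed still has to be confirmed separately (for example from showrev -p output).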

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

Interim Security Relief (ISR) is available for the following releases from http://sunsolve.sun.com/tpatches

Some customers may be restricted to running the Common Criteria evaluated version of the Solaris Trusted Extensions OE. These customers may use the following IDRs, which have been created based on the estimate that Kernel Update patches 125100-08 (SPARC) and 125101-08 (x86) will be the Target Of Evaluation (TOE):

SPARC Platform
  • Solaris 10  IDR137431-01
x86 Platform
  • Solaris 10 IDR137432-01
Note: This document refers to one or more temporary patches (T-Patches) and/or Interim Security Relief (IDRs) which are designed to address the concerns identified herein. Sun has limited experience with these T-Patches and IDRs due to their interim nature. As such, you should only install the T-Patches or IDRs on systems meeting the configurations described above. Sun may release full patches at a later date, however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 10 with patch 127127-11 or later
x86 Platform
  • Solaris 10 with patch 127128-11 or later


For more information on Security Sun Alerts, see


Modification History
02-May-2008: Updated Contributing Factors, Workaround and Resolution sections. Resolved.
05-Jun-2008: Updated Contributing Factors


References

127127-11
127128-11
