Note: This is an archival copy of Security Sun Alert 246746 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019814.1.
Date of Resolved Release
An IP(7P) spoofing security vulnerability in certain midrange Sun Fire Servers' firmware:
An IP(7P) spoofing security vulnerability in the firmware of certain midrange Sun Fire Servers may allow a remote privileged/unprivileged user to gain unauthorized access to the System Controller (SC). Such users may also gain access to the system console and possibly the host operating system running on these servers. This may allow such users to power off or reset the system, which is a type of Denial of Service (DoS).
2. Contributing Factors
This issue can occur in the following releases:
To determine the version of ScApp on a system, the following command can be run (from sc0:SC>):
sc0:SC> showsc
Note: This issue only impacts systems that have a System Controller V2 without SSH enabled.
To determine if a system has System Controller V2, the following command can be run (from the platform shell):
sc0:SC> showsc
To determine if SSH is configured on the System Controller, please see the documentation regarding configuring of network parameters in the System Administration Guide for these servers.
There are no reliable symptoms that would indicate the described issues have been exploited.
To work around the described issue, one of the following options can be used:
This issue is addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Sun Fire 3800 Server
Sun Fire 4800 Server
Sun Fire 4810 Server
Sun Fire 6800 Server
Sun Fire E2900 Server
Sun Fire E4900 Server
Sun Fire E6900 Server
Sun Fire V1280 Server
Netra 1280 Server
Sun Netra 1290 Server