Note: This is an archival copy of Security Sun Alert 249146 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019927.1.
Article ID : 1019927.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2009-05-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

The Solaris rpc.metad(1M) Daemon is Vulnerable to a Denial of Service (DoS) Attack



Category
Security

Release Phase
Resolved

Bug Id
6676373

Product
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
09-Jan-2009

Date of Resolved Release
06-May-2009

The Solaris rpc.metad(1M) Daemon is Vulnerable to a Denial of Service (DoS) Attack

1. Impact

A security vulnerability in rpc.metad(1M) may allow a local or remote unprivileged user to crash rpc.metad(1M), resulting in failure of the service and causing Solaris Volume Manager (SVM) commands to fail.  This is a type of Denial-of-Service (DoS).

This issue is referenced in the following document:
CVE-2008-1480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1480

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform:
  • Solaris 9 without patch 116669-34
  • Solaris 10 without patch 138632-03
  • OpenSolaris based upon builds snv_01 through snv_95
x86 Platform:
  • Solaris 9 without patch 138574-01
  • Solaris 10 without patch 138882-02
  • OpenSolaris based upon builds snv_01 through snv_95
Note: Solaris 8 is not affected by this issue.

OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived.

The base build can be derived as follows:
$ uname -v
snv_86

3. Symptoms

Should the described issue occur, rpc.metad(1M) exits unexpectedly and may also generate a core file.

There may also be system error messages similar to the following:
rpc.metad: [ID 702911 daemon.error] Segmentation Fault
rpc.metad: [ID 702911 daemon.error] Bus Error
inetd[352]: [ID 702911 daemon.error] Instance
svc:/network/rpc/meta:default has  exceeded its
configured failure rate, transitioning to maintenance
/usr/sbin/metaset commands on remote hosts fail with:
metaset: <remote host>: metad client create: RPC: Program not registered
/usr/sbin/meteaset commands on the local host fail with:
metaset: <local host>: network/rpc/meta:default: service not online in SMF
/usr/bin/pstack on the resulting core file will show a stack similar to the following:
# /usr/bin/pstack /core
core '/core' of 6368:   /usr/sbin/rpc.metad
ff1d7dac read_vc  () + 8
ff1dc2fc fill_input_buf () + 50
ff1dc358 get_input_bytes () + 30
ff1dc414 set_input_fragment () + 28
ff1dbc88 xdrrec_getbytes () + 34
ff1dbb74 xdrrec_getint32 () + 70
ff1dbc0c xdrrec_getlong () + 8
ff1c8350 xdr_callmsg () + 3b8
ff1d8634 svc_vc_recv () + b0
ff1cf978 svc_getreq_common () + cc
ff1cf88c svc_getreq_poll () + 9c
ff1d483c _svc_run () + f0
ff1d4534 svc_run  () + 84
0001c0e8 main     () + 2cc
000147d0 _start   () + 108

4. Workaround

There is no workaround for this issue. However, it may be possible to recover from the Denial of Service condition using the following method:

Verify that rpc.metad is not running:

For Solaris 8 and 9:
# pgrep -lf rpc.metad || /usr/sbin/rpc.metad

then restart rpc.metad as follows:

For Solaris 10 and OpenSolaris:
# pgrep -lf rpc.metad || svcadm clear network/rpc/meta

5. Resolution

This issue is addressed in the following releases:

SPARC Platform:
  • Solaris 9 with patch 116669-34 or later
  • Solaris 10 with patch 138632-03 or later
  • OpenSolaris based upon builds snv_96 or later
x86 Platform:
  • Solaris 9 with patch 138574-01 or later
  • Solaris 10 with patch 138882-02  or later
  • OpenSolaris based upon builds snv_96 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History
06-May-2009: Updated Contributing Factors and Resolution sections; issue is Resolved


References

116669-34
138632-03
138574-01
138882-02





Attachments
This solution has no attachment