Note: This is an archival copy of Security Sun Alert 251006 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020022.1.
Article ID : 1020022.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2009-04-02
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic



Category
Security

Release Phase
Resolved

Bug Id
6797796

Product
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
27-Jan-2009

Date of Resolved Release
03-Apr-2009

A Security Vulnerability in Solaris IPv6 Implementation (ip6(7p)) May Cause a System Panic

1. Impact

An insufficient validation security vulnerability in the Solaris IPv6 implementation (ip6(7p)) may allow a remote privileged user to panic the system using a crafted packet.  This is a type of Denial of Service (DoS).

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform:
  • Solaris 10 without patch 138888-08
  • OpenSolaris based upon builds snv_01 through snv_107
x86 Platform:
  • Solaris 10 without patch 138889-08
  • OpenSolaris based upon builds snv_01 through snv_107
Notes:

1. Solaris 8 and Solaris 9 are not affected by this issue.

2. This issue only affects systems which have at least one IPv6 interface configured and "up".

The ifconfig(1M) command can be used to list all IPv6 interfaces configured and "up" on the system as follows:
$ ifconfig -au6 
Solaris 10 does not have a default IPv6 interface configured since administrators are required to enable or disable IPv6 at install time.

3. OpenSolaris distributions may include additional bug fixes above and beyond the base build from which it was derived. The base build can be derived as follows:
$ uname -v
snv_86
3. Symptoms

If the described issue occurs, the following panic string and stack trace may be seen:
ipsec_needs_processing_v6
ipsec_needs_processing_v6 ()
ipsec_early_ah_v6 ()
ip_rput_data_v6 ()
ip_rput_v6 ()
putnext ()
dld_str_rx_fastpath ()
i_dls_link_rx ()
...
4. Workaround

Malformed packets can be blocked to prevent this issue from occurring using Solaris IP Filter (ipfilter(5)) with the following rule:

block in quick all with short

Please refer to ipf(1M) and ipf(4) for enabling and configuring ipfilter.

If an IPv6 interface is configured but not being used, then disabling the IPv6 interface will also prevent this issue from occurring on the system.

To disable all IPv6 interfaces on a system, following command can be run as root:
# ifconfig -a6 down

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 10 with patch 138888-08 or later
  • OpenSolaris based upon builds snv_108 or later
x86 Platform:
  • Solaris 10 with patch 138889-08 or later
  • OpenSolaris based upon builds snv_108 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History
03-Apr-2009: Updated Contributing Factors and Resolution sections, issue Resolved


References

138888-08
138889-08





Attachments
This solution has no attachment