Note: This is an archival copy of Security Sun Alert 275590 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021781.1. |
Category Security Release Phase Resolved SUNBUG: 6902029 Product Solaris 8 Operating System Solaris 9 Operating System Solaris 10 Operating System OpenSolaris Date of Workaround Release 13-Jan-2010 Date of Resolved Release 30-Jun-2010 1. ImpactA security vulnerability in the ntp Daemon (xntpd(1M)) associated
with the handling of NTP mode 7 (MODE_PRIVATE), may lead to consumption
of CPU and
excessive logging, resulting in a denial of the Solaris Network Time
Protocol (NTP) service. CVE-2009-3563 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
US-CERT Vulnerability Note VU#568372 at http://www.kb.cert.org/vuls/id/568372 2. Contributing FactorsThis issue can occur in the following releases:
x86 Platform
Note: Only systems running as an NTP server are impacted by
this issue. To determine if a system is acting as an NTP server,
execute the
following command: $ netstat -an | grep 123 If the output of the command contains the above two lines, then the system is running as an NTP server.
Note: OpenSolaris distributions may include additional bug
fixes
above and beyond the build from which it was derived. The base
build can be derived as follows: $ uname -v Note: Solaris 8 entered EOSL Phase 2 on 1 April 2009. Entitlement to patches developed on or after 1 April 2009 requires the purchase of the Solaris 8 Vintage Patch Service. See Note in section 5 for more details. 3. SymptomsIf this issue occurs, then the ntpd(1M) or xntpd(1M) process will use an abnormal amount of system cycles. Also, an excessive number of MODE 7 NTP packets will be seen on the network. 4. WorkaroundTo avoid being vulnerable to this issue until patches can be
installed, add the following line to the '/etc/inet/ntp.conf' file if
you are using xntpd(1M): restrict default noquery And then restart the xntpd process. If you are using ntpd rather than
xntpd, please add the following two lines: restrict default noquery And then restart the ntpd process. For OpenSolaris and Solaris 10 prior to Update 8, do the following: The above command will show one NTP service enabled. Use the FMRI
from the enabled service to restart. This will be either
svc:/network/ntp:default or
svc:/network/ntp4:default $ svcadm restart svc:/network/ntp:default This workaround will prevent the NTP server from responding to any mode 6 or mode 7 packets. These are the types of packets used by the ntpq(1M), ntpq4(1M), ntptrace4(1M), xntpdc(1M) and ntpdc(1M) programs, so these programs will no longer be able to contact the NTP server.
You can allow these programs to work from individual systems by
adding a restrict line to the ntp.conf file that allows that system
again. Using its IP
address, add a line similar to this: restrict <ip-addr-of-system> Then restart the NTP service as described above. Be aware that if the system you are allowing is itself an NTP
server, you will disable the workaround and again be vulnerable. 5. ResolutionThis issue is addressed in the following releases:
x86 Platform
The READMEs of Solaris 8 patches developed on or after 1 April 2009 are available to all customers. However, Solaris 8 entered EOSL Phase 2 on April 1, 2009, and thus entitlement for these patches, including those that fix security vulnerabilities, requires the purchase of the Solaris 8 Vintage Patch Service. More information about the Solaris 8 Vintage Patch Service is available at: http://www.sun.com/service/eosl/Solaris8.html Modification History 08-Feb-2010: Updated Workaround section. 16-Feb-2010: Updated Contributing Factors and Resolution sections 10-Mar-2010: Updated Contributing Factors, Workaround and Resolution sections. 17-Mar-2010: Updated Contributing Factors, Workaround and Resolution sections. 12-Apr-2010: Updated Contributing Factors, Workaround and Resolution sections. 30-Jun-2010: Updated Contributing Factors, Resolution sections for patch release, now Resolved. ReferencesSUNPATCH 143725-01SUNPATCH 143726-01 SUNPATCH 117143-02 SUNPATCH 117144-02 SUNPATCH 127724-02 SUNPATCH 127725-02 SUNPATCH 109667-08 SUNPATCH 109668-08 SUNBUG 6902029 109667-08, 109668-08 Attachments This solution has no attachment |
|