|
Note: This is an archival copy of Security Sun Alert 200051 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000039.1. |
Category Security Release Phase Resolved Sun Fire X2100 M2 Server Sun Fire X2200 M2 Server Bug Id 6546916 Date of Resolved Release 28-SEP-2007 Impact A security vulnerability in the X2100 and X2200 M2 Embedded Lights Out Manager (ELOM) software may allow remote unprivileged users the ability to initiate unauthorized network traffic from the embedded service processor (SP). This may allow the SP to be used as a proxy to send unsolicited bulk e-mail (spam). Contributing Factors This issue can occur on the following platforms:
Notes:
To determine the firmware version of the SP, the ipmitool(1M) utility can be run as in the following example: $ ipmitool -H <hostname> -U <username> mc info Device ID : 5 Device Revision : 0 Firmware Revision : 3.09 IPMI Version : 2.0 or the following command can be used at the CLI (logged in to the SP): /SP -> show /SP/AgentInfo /SP/AgentInfo ... Properties: HWVersion = 0 FWVersion = 3.09
Symptoms There are no reliable symptoms that would indicate that this issue has been exploited. Workaround To prevent this issue from occurring, administrators can restrict access to the SP by either connecting only via the serial port or else by connecting the Net Mgmt RJ-45 ethernet port to a private management network. Additional information regarding management of the Sun Fire X2100/X2200 M2 Servers, ELOM, and ipmitool(1m) can be found in the "Embedded Lights Out Manager Administration Guide" at: Resolution This issue is resolved in SP/BMC firmware version 3.09 from the 1.5 (for the X2100) and the 1.5a (for the X2200) Tools and Drivers CD ISO image available at: Sun Fire X2100 M2 Server: Sun Fire X2200 M2 Server: Modification History Date: 04-OCT-2007
Date: 25-OCT-2007
Date: 30-OCT-2007
Attachments This solution has no attachment | |||||||||||||||
|
|