Note: This is an archival copy of Security Sun Alert 200060 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000045.1.
Article ID : 1000045.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-13
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in IPv6 Implementation (ip6(7p)) Related to the Handling of IPsec Packets may Lead to a System Panic, Resulting in a Denial of Service (DoS)



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6553350

Date of Resolved Release
14-JUN-2007

Impact

An unprivileged local or remote user may be able to panic a Solaris 10 system which is configured to use IPv6 (ip6(7p)) but is not configured to use the IPsec stack (ipsec(7P)), therefore causing a Denial of Service to the system as a whole.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 125100-09

x86 Platform

  • Solaris 10 without patch 125101-09

Note 1: Solaris 8 and Solaris 9 are not affected by this issue.

Note 2: This issue only affects systems which have IPv6 interfaces but which are not configured to use the IPsec stack.

The following command can be run to determine and list all IPv6 interfaces configured on the host:

    $ ifconfig -a6

Solaris 10 does not have a default IPv6 setting since administrators are required to enable or disable IPv6 interfaces at install time.

The following command can be used to determine if the IPsec stack has been loaded on a system:

    $ modinfo | grep ipsec
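
The two checks above can be combined with the patch revision into one triage verdict. The following script is an added example, not part of the original Sun Alert. It reads captured output of `ifconfig -a6`, `modinfo` and `showrev -p`; the use of `showrev -p` for the patch level, the verdict strings and the sample captures are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage for Sun Alert 200060 from captured command output.
# On a live host (as an assumption of this example) capture with:
#   ifconfig -a6 > if6; modinfo > mod; showrev -p > rev
# then run:  assess if6 mod rev 125100   (125101 on x86)

has_ipv6_if() {   # stdin: `ifconfig -a6` output; true if any inet6 address is listed
    grep -q 'inet6'
}

ipsec_loaded() {  # stdin: `modinfo` output; same test as `modinfo | grep ipsec`
    grep -q 'ipsec'
}

# stdin: `showrev -p` output. $1 = patch id, $2 = minimum revision.
# Only revisions of the same patch id are compared. On Solaris use nawk,
# since /usr/bin/awk there does not accept -v.
patch_ok() {
    awk -v id="$1" -v min="$2" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == id && p[2] + 0 >= min + 0) found = 1 }
        END { exit !found }'
}

# $1..$3 = files holding the three captures, $4 = patch id for the platform.
assess() {
    if patch_ok "$4" 09 < "$3"; then echo "patched"
    elif ! has_ipv6_if < "$1"; then echo "no-ipv6"
    elif ipsec_loaded < "$2"; then echo "mitigated"
    else echo "exposed"
    fi
}

demo() {  # constructed sample captures, not taken from a real host
    d=$(mktemp -d) || return 1
    printf '%s\n' 'e1000g0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2' \
        '        inet6 fe80::214:4fff:fe01:2345/10' > "$d/if6"
    printf '%s\n' ' 62 7bb2c000  2b0e8   -   1  ip (IP STREAMS module)' > "$d/mod"
    printf '%s\n' 'Patch: 125100-04 Obsoletes: Requires: Incompatibles: Packages: SUNWckr' > "$d/rev"
    assess "$d/if6" "$d/mod" "$d/rev" 125100
    rm -rf "$d"
}

demo
```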

 


Symptoms

If the described issue occurs, the system will panic with a stack trace similar to the following:

    ip_rput_data_v6+0x28cc(600106ee2a0, 600132c98a8, 60013279140, 428, 600132c98a8, 0)
    ip_rput_v6+0x64c(600106ee2a0, 60013279180, 0, 132a84bc, 600132c98a8, 300000d1d80)
    putnext+0x208(600106ee490, 600106ee2a0, 60013279180, 100, 1814c00, 0)
    dld_str_rx_fastpath+0x90(6001102ddc8, 600132a8094, 60013279180, 0, 0, 0)
    i_dls_link_rx+0x2d0(600132cde38, 0, 60013279180, 131273c, 0, 86dd000)
    mac_rx+0x44(0, 0, 60013279180, 1314c48, 60010598120, 600132cbf10)
    e1000g_intr+0xb0(80, 6001138c000, 6001138c230, 60013279180, 6001138c238, b)
    pci_intr_wrapper+0xac(600107aa370, 300003dd8e8, 7bafa2ac, 6001138c000, 60011006560, 0)
    intr_thread+0x168(183f8a0, 1055b40, 1813800, 180c000, 3852e9, 60010615f80)
    idle+0x38(181281c, 1, 180c000, 1837fc0, 1, 1812800)
    thread_start+4(0, 0, 0, 0, 0, 0)

 


Workaround

Until patches can be applied, sites may wish to work around this issue by loading the IPsec stack. This can be done by the root user via the following commands:

    # touch /etc/inet/ipsecinit.conf
    # ipsecconf -qa  /etc/inet/ipsecinit.conf

Note 1: This does NOT enable encryption using IPsec, but it works around the issue by simply having the IPsec functionality loaded onto the TCP/IP stack.

Note 2: The workaround is persistent across reboots.


Resolution

This issue is addressed in the following releases:

SPARC Platform:

  • Solaris 10 with patch 125100-09 or later

x86 Platform:

  • Solaris 10 with patch 125101-09 or later


References

125100-09
125101-09



