Note: This is an archival copy of Security Sun Alert 200183 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000137.1.
Article ID : 1000137.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-02-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) Condition



Category
Security

Release Phase
Resolved

Bug Id
6240205

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Date of Resolved Release
08-Feb-2008

1. Impact

A security vulnerability in the Solaris Internet Protocol (IP; see ip(7P)) implementation may allow a remote privileged user to send certain packets that bypass the security policies set by a firewall, or to cause the system to panic, creating a Denial of Service (DoS) condition.

Sun acknowledges, with thanks, Mark Dowd from IBM Internet Security Systems X-Force (http://xforce.iss.net) for bringing this issue to our attention.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 116965-30
  • Solaris 9 without patch 114344-32
  • Solaris 10 without patch 118822-27

x86 Platform

  • Solaris 8 without patch 116966-29
  • Solaris 9 without patch 119435-20
  • Solaris 10 without patch 118844-28

3. Symptoms

There are no predictable symptoms that would indicate the policies of a firewall have been circumvented. If the system panics due to this issue, the following stack trace may be seen:

    icmp_pkt_v6+0xxxxx
    icmp_param_problem_v6+0xxxxx
    ip_fanout_sec_proto+0xxxxx
    ip_rput_local+0xxxxx
    ip_rput+0xxxxx
    putnext+0xxxxx

4. Workaround

To work around the described issues:

As "root," set the ndd(1M) variable "ip_reass_queue_bytes" to 0 by using the following command:

    # ndd -set /dev/ip ip_reass_queue_bytes 0

This workaround will stop the system from re-assembling IP fragments. Networks which send/receive fragmented IP packets to/from the system will become unreachable.

Note: This workaround is not persistent across reboot.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 116965-30 or later
  • Solaris 9 with patch 114344-32 or later
  • Solaris 10 with patch 118822-27 or later

x86 Platform

  • Solaris 8 with patch 116966-29 or later
  • Solaris 9 with patch 119435-20 or later
  • Solaris 10 with patch 118844-28 or later

For more information on Security Sun Alerts, see Sun 1009886.1.
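
The following shell functions are an added example, not part of the original Sun Alert: they compare `showrev -p` output with the minimum patch revisions listed above and report the workaround setting from section 4. The function names are hypothetical; the script assumes a POSIX shell and awk (on Solaris, /usr/xpg4/bin/sh with /usr/xpg4/bin first in PATH) and assumes that a patch listed at a sufficient revision in another installed patch's Obsoletes field carries the fix.

```shell
# Added example: check a Solaris host against the patch levels in this alert.
# Patch IDs and revisions come from the alert; function names are hypothetical.

# Map `uname -p` / `uname -r` values to the minimum fixed patch from the alert.
required_patch() {  # $1 = arch (sparc|i386), $2 = release (5.8|5.9|5.10)
    case "$1:$2" in
        sparc:5.8)  echo 116965-30 ;;
        sparc:5.9)  echo 114344-32 ;;
        sparc:5.10) echo 118822-27 ;;
        i386:5.8)   echo 116966-29 ;;
        i386:5.9)   echo 119435-20 ;;
        i386:5.10)  echo 118844-28 ;;
        *)          return 1 ;;
    esac
}

# Read `showrev -p` output on stdin; print "fixed" if the patch in $1 is
# installed at that revision or later, or is listed at such a revision in
# another installed patch's Obsoletes field; otherwise print "vulnerable".
patch_status() {
    awk -v want="$1" '
        BEGIN { split(want, w, "-"); base = w[1]; min = w[2] + 0 }
        /^Patch:/ {
            # Stop scanning at "Requires:" so prerequisites are not counted.
            for (i = 2; i <= NF && $i != "Requires:"; i++) {
                id = $i; sub(/,$/, "", id)
                if (split(id, p, "-") == 2 && p[1] == base && p[2] + 0 >= min)
                    ok = 1
            }
        }
        END { print (ok ? "fixed" : "vulnerable") }'
}

# On a Solaris host, report the live state; elsewhere this does nothing.
if command -v showrev >/dev/null 2>&1; then
    need=$(required_patch "$(uname -p)" "$(uname -r)") &&
        echo "$need: $(showrev -p | patch_status "$need")"
    # The workaround from section 4 is in effect only if this prints 0.
    echo "ip_reass_queue_bytes: $(ndd -get /dev/ip ip_reass_queue_bytes)"
fi
```

Because the ndd workaround does not persist across a reboot, a host reported as "vulnerable" should have the ndd value rechecked after every restart until the patch is applied.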

References

116965-30
114344-32
118822-27
116966-29
119435-20
118844-28



