Note: This is an archival copy of Security Sun Alert 200497 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000375.1.
Article ID : 1000375.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-04-18
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability With ARP Handling Could Cause System to Hang



Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4653899

Date of Resolved Release
11-FEB-2005

Impact

A system that receives a very large number of specific arp(7P) network packets (an "arp storm" or "arp hurricane") could hang. These ARP packets could result from a remote privileged user implementing a Denial of Service (DoS) or from a misconfigured (or broken) router inadvertently sending the packets.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 106541-39
  • Solaris 8 without patch 116965-05
  • Solaris 9 without patch 114344-09

x86 Platform

  • Solaris 7 without patch 106542-39
  • Solaris 8 without patch 116966-05
  • Solaris 9 without patch 114345-08

Symptoms

The system will be unable to provide networked services, and an unusually heavy amount of ARP traffic will be observed on the network.

One way to verify a suspected flood of ARP packets to a specific Solaris system on the network is to run the following commands as the "root" user (from another system on the same network segment):

    # snoop -o <output-file> arp
    # snoop -i <output-file>

A large number of ARP broadcasts such as:

      7   0.12578  123.456.0.22 -> (broadcast)  ARP C Who is 123.456.0.254, 123.456.0.254 ?
     15   0.10603   123.456.0.2 -> (broadcast)  ARP C Who is 123.456.0.22, 123.456.0.22 ?

may indicate an ARP flood.
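
The check above can be scripted. The following is an added example, not part of the original Sun Alert: it counts ARP requests per sender in the text printed by "snoop -i <output-file>" and lists senders at or above a rate threshold. The function names, the threshold value and the 192.0.2.x sample addresses are assumptions, as is reading column 2 as snoop's default delta timestamp.

```shell
#!/bin/sh
# Added example: flag hosts whose ARP request rate in a saved snoop capture
# exceeds a threshold. Input is the text printed by "snoop -i <output-file>".
# Assumption: column 2 is snoop's default delta timestamp (seconds since the
# previous packet), so the sum of column 2 is the capture duration.

# arp_request_rates: read snoop summary lines on stdin and print
# "<source> <requests> <requests-per-second>" for each ARP requester,
# busiest sender first.
arp_request_rates() {
    awk '
        $2 ~ /^[0-9]+(\.[0-9]+)?$/ { elapsed += $2 }   # every packet advances the clock
        $4 == "->" && $6 == "ARP" && $7 == "C" && $8 == "Who" { count[$3]++ }
        END {
            if (elapsed <= 0) elapsed = 1              # avoid dividing by zero
            for (src in count)
                printf "%s %d %.1f\n", src, count[src], count[src] / elapsed
        }' | sort -k2,2nr
}

# arp_flood_suspects MIN_RATE: print only sources at or above MIN_RATE
# requests per second. MIN_RATE is site-specific; the advisory gives no figure.
arp_flood_suspects() {
    arp_request_rates | awk -v min="$1" '$3 + 0 >= min + 0 { print $1 }'
}

# Constructed sample: 200 requests from one host at 1 ms spacing plus two
# ordinary requests. Addresses are documentation-range placeholders.
sample_capture() {
    awk 'BEGIN {
        for (i = 1; i <= 200; i++)
            printf "%3d   0.00100  192.0.2.22 -> (broadcast)  ARP C Who is 192.0.2.254, 192.0.2.254 ?\n", i
        print "201   0.40000  192.0.2.7 -> (broadcast)  ARP C Who is 192.0.2.1, 192.0.2.1 ?"
        print "202   0.40000  192.0.2.9 -> (broadcast)  ARP C Who is 192.0.2.1, 192.0.2.1 ?"
    }'
}

# Demo on the constructed sample; for a real capture use:
#   snoop -i <output-file> | arp_flood_suspects 50
sample_capture | arp_request_rates
```

A sender that tops this list is the first place to look when tracing the misconfigured router or hostile host the advisory describes.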


Workaround

A temporary workaround is to physically disconnect the affected segment from the system until the source of the flood of ARP packets has been determined and stopped. Once the system stops processing the packet flood, the hang clears.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 106541-39 or later
  • Solaris 8 with patch 116965-05 or later
  • Solaris 9 with patch 114344-09 or later

x86 Platform

  • Solaris 7 with patch 106542-39 or later
  • Solaris 8 with patch 116966-05 or later
  • Solaris 9 with patch 114345-08 or later


Modification History

References

116965-05
116966-05
114344-09
114345-08
106541-39
106542-39



