Note: This is an archival copy of Security Sun Alert 200597 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000459.1.
Article ID : 1000459.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-05-23
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in NFS Client Module May Lead to a Denial of Service Condition



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6534147

Date of Resolved Release
24-MAY-2007

Impact

A security vulnerability in the NFS client module related to the handling of acl(2) packets may allow a local or remote unprivileged user to cause an NFS server to panic, leading to a Denial of Service (DoS) condition.

Sun acknowledges with thanks Andrzej Dereszowski (deresz@gmail.com) for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 116959-16
  • Solaris 9 without patch 113318-29
  • Solaris 10 without patch 124258-04

x86 Platform

  • Solaris 8 without patch 116960-16
  • Solaris 9 without patch 117468-15
  • Solaris 10 without patch 124259-04

Note: This issue only affects systems which have been configured as NFS servers.

To determine if a Solaris 8 or 9 system has been configured as an NFS server, the following command can be run::

    $ ps -ef | grep nfsd
    root   291     1  0   May 08 ?      0:00 /usr/lib/nfs/nfsd

To determine if a Solaris 10 system has been configured as an NFS server, the following command can be run::

    $ svcs svc:/network/nfs/server:default
    STATE          NSTATE        STIME    CTID   FMRI
    online         -             May_11       94 svc:/network/nfs/server:default

If the state in the svcs(1) output reports "online" then the system is configured as an NFS server.


Symptoms

A stack trace similar to the following is indicative of this issue::

    d456a970 genunix:vmem_hash_delete+d0 (dac04690, d5430600,)
    d456a9ac genunix:vmem_xfree+2b (dac04690, d5430600,)
    d456a9c0 genunix:vmem_free+1e (dac04690, d5430600,)
    d456a9f4 genunix:kmem_free+36 (d5430600, c003c)
    d456aa34 genunix:xdr_array+f6 (d49cd484, d456ab20,)
    d456aa7c nfs:xdr_secattr+69 (d49cd484, d456ab18)
    d456aa98 nfs:xdr_SETACL3args+4f (d49cd484, d456aad0)
    d456aab0 rpcmod:svc_clts_kfreeargs+29 (d49cd400, fa19438c,)
    d456ad10 nfssrv:common_dispatch+6ce (d456ad8c, d49cd400,)
    d456ad34 nfssrv:acl_dispatch+1f (d456ad8c, d49cd400)
    d456adc4 rpcmod:svc_getreq+158 (d49cd400, dad9e2c0)
    d456ae0c rpcmod:svc_run+146 (d57a9960)
    d456ae2c rpcmod:svc_do_run+6e (1)
    d456af84 nfs:nfssys+3fb (e, d2940fc8, d08e, )

Workaround

To avoid this issue until patches can be applied, the NFS server can be disabled by using the following command:

For Solaris 8 and 9::

    # /etc/init.d/nfs.server stop

For Solaris 10::

    # svcadm disable svc:/network/nfs/server:default



Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 116959-16 or later
  • Solaris 9 with patch 113318-29 or later
  • Solaris 10 with patch 124258-04 or later

x86 Platform

  • Solaris 8 with patch 116960-16 or later
  • Solaris 9 with patch 117468-15 or later
  • Solaris 10 with patch 124259-04 or later
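As an added example, not part of this Sun Alert, the script below turns the patch table and the NFS-server checks above into one host assessment: it reads `showrev -p` output, compares the installed revision of the listed patch against the required one, and applies the Note that only configured NFS servers are exposed. It assumes `uname -r`/`uname -p`, `showrev -p` and (on Solaris 10) `svcs -H -o state` behave as on the listed releases; the result names and the sample `showrev` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Sun Alert): map the advisory's patch table
# and NFS-server check onto a single host assessment from `showrev -p` output.

# Minimum patch revision per Solaris release and `uname -p` architecture,
# taken from the Contributing Factors / Resolution sections of the alert.
required_patch() {                      # $1 = 8|9|10, $2 = sparc|i386
    case "$1/$2" in
        8/sparc)  echo 116959-16 ;;  9/sparc) echo 113318-29 ;;
        10/sparc) echo 124258-04 ;;
        8/i386)   echo 116960-16 ;;  9/i386)  echo 117468-15 ;;
        10/i386)  echo 124259-04 ;;
        *) return 1 ;;                  # release not covered by this alert
    esac
}

# Succeed if the `showrev -p` listing in $2 carries patch $1 at the listed
# revision or higher. Lines look like: "Patch: 116959-13 Obsoletes: ..."
# Assumption: a newer patch that merely Obsoletes the listed one is not
# recognised here; inspect its Obsoletes: field by hand in that case.
patch_present() {
    base=${1%-*}; need=${1#*-}
    printf '%s\n' "$2" | awk -v base="$base" -v need="$need" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= need + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print one of: unaffected | not-exposed | patched | vulnerable
# $1 release, $2 arch, $3 showrev -p text, $4 NFS server state (online/...)
assess() {
    req=$(required_patch "$1" "$2") || { echo unaffected; return 0; }
    [ "$4" = online ] || { echo not-exposed; return 0; }   # the alert's Note
    if patch_present "$req" "$3"; then echo patched; else echo vulnerable; fi
}

# Live check for the host this runs on; only meaningful on Solaris.
check_this_host() {
    rel=$(uname -r); rel=${rel#5.}       # "5.10" -> "10"
    if [ "$rel" = 10 ]; then
        state=$(svcs -H -o state svc:/network/nfs/server:default 2>/dev/null)
    elif ps -ef | grep '[n]fsd' >/dev/null; then state=online
    else state=offline
    fi
    assess "$rel" "$(uname -p)" "$(showrev -p)" "$state"
}
if [ "$(uname -s 2>/dev/null)" = SunOS ]; then check_this_host; fi
```

The live check only runs on a SunOS host; elsewhere the functions can be fed captured `showrev -p` output to assess remote inventories.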


References

124258-04
124259-04
113318-29
117468-15
116959-16
116960-16



