Note: This is an archival copy of Security Sun Alert 200659 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000516.1.
Article ID : 1000516.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-02-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Certain UDP RPC Packets May Cause a Denial of Service in Solaris



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.5.1
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4680691

Date of Resolved Release
18-FEB-2003

Impact

Sending specific UDP RPC packets to a Solaris machine may cause it to allocate large amounts of memory, eventually exhausting the swap space and effectively disabling the system.

Such UDP RPC packets may be caused by misbehaving RPC clients, hardware errors, or malicious (local or remote) users.

Please see Sun Alert document 50747 for a related issue.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.5.1
  • Solaris 2.6 without patch 105401-41
  • Solaris 7 without patch 106942-24
  • Solaris 8 without patch 108827-36
  • Solaris 9 without patch 113319-04

x86 Platform

  • Solaris 2.5.1
  • Solaris 2.6 without patch 105402-41
  • Solaris 7 without patch 106943-24
  • Solaris 8 without patch 108828-37

Note: Solaris 9 on Intel platforms is not affected.

Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.


Symptoms

Possible symptoms of this issue are:

1. Memory allocation errors logged in the "/var/adm/messages" file by applications, for example:

    [ID 462250 daemon.error] xdr_string: out of memory

or generic memory exhaustion warnings, for example:

    tmpfs: WARNING: /tmp: File system full, swap space limit exceeded

2. The RPC process receiving the malicious RPC packet might report erroneous arguments, for example the "nisstat" command may report:

    OP=[...]:C=139255:E=2:T=1335

where "E=2" indicates two errors in previous RPC calls, or, as a second example, "rpcinfo -m" may report failed RPC calls as shown below:

    RPCBIND (version 4) statistics
    NULL    SET     UNSET   GETADDR DUMP    CALLIT  TIME    U2T     T2U
    0       0/0     0/0     0/100   0       0/0     0       0       0

(here, "0/100" indicates 100 failed "GETADDR" RPC calls).

3. The process receiving the malicious RPC packet will consume a large (and possibly growing) amount of memory (this can be checked by using the "-o vsz" option with the ps(1) command).
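
The three checks above can be scripted. The following is an added example, not part of the original Sun Alert: the function names, the 500000 KB threshold and all sample input are assumptions constructed from the excerpts quoted above. It assumes a POSIX shell and awk (on Solaris, /usr/xpg4/bin/awk or nawk rather than the legacy /usr/bin/awk).

```shell
# Added example: scan command output for the symptoms listed in this alert.
# Sample input is constructed from the excerpts quoted in the alert.

# stdin: "rpcinfo -m" output. Prints procedures whose ok/failed counter
# shows failures, e.g. GETADDR 0/100 -> failed=100.
failed_rpc_calls() {
    awk '
        /statistics *$/ { section = $1 " " $2 " " $3; state = 1; next }
        state == 1 { n = split($0, name, " "); state = 2; next }
        state == 2 {
            for (i = 1; i <= NF && i <= n; i++)
                if (split($i, part, "/") == 2 && part[2] + 0 > 0)
                    printf "%s %s failed=%d\n", section, name[i], part[2]
            state = 0
        }'
}

# stdin: /var/adm/messages lines. Prints the count of memory-exhaustion messages.
memory_errors() {
    awk '/xdr_string: out of memory/ || /swap space limit exceeded/ { c++ }
         END { print c + 0 }'
}

# stdin: "ps -e -o vsz,pid,comm" output. Prints "pid command vsz" for
# processes whose virtual size in KB exceeds the limit passed as $1.
large_vsz() {
    awk -v limit="$1" 'NR > 1 && $1 + 0 > limit + 0 { print $2, $3, $1 }'
}

sample_rpcinfo() {   # constructed
    cat <<'EOF'
RPCBIND (version 4) statistics
NULL    SET     UNSET   GETADDR DUMP    CALLIT  TIME    U2T     T2U
0       0/0     0/0     0/100   0       0/0     0       0       0
EOF
}
sample_messages() {  # constructed
    cat <<'EOF'
Feb  5 10:00:01 host rpcbind[123]: [ID 462250 daemon.error] xdr_string: out of memory
Feb  5 10:00:09 host tmpfs: WARNING: /tmp: File system full, swap space limit exceeded
Feb  5 10:01:00 host sendmail[456]: starting daemon
EOF
}
sample_ps() {        # constructed
    printf '%s\n' '   VSZ   PID COMMAND' '  2160   150 /usr/sbin/inetd' \
                  '912344   123 /usr/sbin/rpcbind'
}

sample_rpcinfo | failed_rpc_calls    # flags GETADDR
sample_messages | memory_errors      # counts matching log lines
sample_ps | large_vsz 500000         # flags the oversized process
```

On a live system, replace the sample functions with the real sources, for example "rpcinfo -m | failed_rpc_calls" and "ps -e -o vsz,pid,comm | large_vsz 500000".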


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC

  • Solaris 2.6 with patch 105401-41 or later
  • Solaris 7 with patch 106942-24 or later
  • Solaris 8 with patch 108827-36 or later
  • Solaris 9 with patch 113319-04 or later

Intel

  • Solaris 2.6 with patch 105402-41 or later
  • Solaris 7 with patch 106943-24 or later
  • Solaris 8 with patch 108828-37 or later

To address the described issue, customers running Solaris 2.5.1 should upgrade to Solaris 2.6 (or later) with the appropriate patches.

Please see Sun Alert document 50747 for potential side effects of installing the above patches.



Modification History

References

105401-41
105402-41
106942-24
106943-24
108827-36
108828-37
113319-04



