Note: This is an archival copy of Security Sun Alert 201091 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000812.1.
Article ID : 1000812.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-09-25
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Issue With Solaris 10 x64 Systems Using IPv6 Forwarding May Result in a Denial of Service (DoS)

Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System for x86 Platforms

Bug Id
6222966

Date of Resolved Release
25-SEP-2006

Impact

Solaris 10 x64 systems configured to use Internet Protocol Version 6 (ip6(7P)) may panic when processing certain IPv6 packets. A local or remote unprivileged user may be able to send IPv6 packets that could panic the system causing a Denial of Service (DoS).


Contributing Factors

This issue can occur in the following releases:

x86 Platform

  • Solaris 10 without patch 118855-16

Note: Solaris 8 and Solaris 9, systems are not impacted by this issue. Solaris 10 sparc and Solaris 10 32 bit x86 systems are also not impacted.

To determine if a system is running in 64-bit mode, the following command can be run:

    $ isainfo -b
    64

If "64" is returned, the system is running in 64-bit mode.

This issue only affects Systems that use IPv6 forwarding. To determine if a system is running with IPv6 enabled, the following command can be used:

    $ ifconfig -a6

If entries are returned marked "UP and RUNNING" then the system is utilizing IPv6.


Symptoms

If the described issue occurs, the system will panic with a stack trace similar to the following:

    fffffe80000b36c0 unix:die+da (ffffffff00000000, 184a16e00)
    fffffe80000b37a0 unix:trap+5ea ()
    fffffe80000b37b0 unix:cmntrap+11b ()
    fffffe80000b3980 ip:ip_rput_data_v6+e00 ()
    fffffe80000b39d0 ip:ip_rput_v6+193 ()
    fffffe80000b3a30 unix:putnext+1f1 ()
    fffffe80000b3b50 gld:gld_recv_tagged+21d ()
    fffffe80000b3b60 gld:ri_ste_def+333ebf2b ()

 


Workaround

To work around the described issue, do not configure IPv6 addresses. To disable IPv6 on a system, run the following command as root:

    # ifconfig -a6 down

Edit the "/etc/nsswitch.conf" file and change the "ipnodes" entry to be "files" only. IPv6 will function again after a reboot.

Note: To disable IPv6 on systems across a system reboot, the "/etc/hostname6.<interface>" files can be temporarily renamed.

Alternatively, to workaround the described issue while maintaining IPv6 functionality, boot the system in 32-bit mode.

To specify the 32-bit kernel, as root or with equivalent privileges, enter the following command:

    # eeprom boot-file=kernel/unix

Upon the next reboot, the system will be running the 32-bit kernel.

Once the patch for this issue is installed, to reinstate 64 bit mode, as root or with equivalent privileges, enter the following command:

    # eeprom boot-file=kernel/amd64/unix

Upon the next reboot, the system will be running the 64-bit kernel.


Resolution

This issue is addressed in the following releases:

x86 Platform

  • Solaris 10 with patch 118855-16 or later


References

118855-16




Attachments
This solution has no attachment