Category
Security
Release Phase
Resolved
Product
Solaris 10 Operating System
Bug Id
6364350
Date of Resolved Release
06-OCT-2006
Impact
A security vulnerability resulting from incorrect and insufficient permission checks in the default Solaris 10 configuration may allow a local unprivileged user to create a raw socket on a Solaris link aggregation, resulting in unrestricted access to network packets.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 10 without patch 118833-23
x86 Platform
- Solaris 10 without patch 118855-19
Note: This issue does not affect Solaris 8 or Solaris 9.
This issue only affects systems on which aggregations of network devices have been configured using dladm(1M) and enabled with ifconfig(1M). To determine whether a system has one or more aggregations of network devices configured, run the following commands as the root user or as a user with the sys_net_config privilege:
# /usr/sbin/dladm show-aggr
key: 1 (0x0001) policy: L4 address: 0:1:2:3:4:5 (auto)
device address speed duplex link state
bge1 0:1:2:3:4:5 100 Mbps full up attached
bge2 0:1:2:3:4:5 100 Mbps full up attached
bge3 0:1:2:3:4:5 100 Mbps full up attached
# /usr/sbin/ifconfig aggr1
aggr1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 143
inet 192.29.67.199 netmask ffffff00 broadcast 192.29.67.255
ether 0:1:2:3:4:5
Symptoms
There are no reliable symptoms that would show if this issue has been exploited to access network traffic or send spoofed packets using a network link aggregation.
Workaround
To create a policy for local users that does not allow them total access, add an entry to the /etc/security/device_policy file by running the update_drv(1M) command as superuser with the following arguments:
# /usr/sbin/update_drv -a -p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' aggr
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 10 with patch 118833-23 or later
x86 Platform
- Solaris 10 with patch 118855-19 or later
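The checks from Contributing Factors, Workaround and Resolution can be combined into one audit helper. This is an added example, not part of the original alert. It assumes a POSIX shell, saved output of dladm show-aggr and showrev -p, a copy of /etc/security/device_policy, and the architecture string from uname -p; the function names and status words are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the alert): audit helper for Bug Id 6364350.

# has_aggr FILE: FILE holds `dladm show-aggr` output; every aggregation
# starts with a "key:" line, as in the sample output in the alert.
has_aggr() { grep '^key:' "$1" >/dev/null 2>&1; }

# patch_at_least BASE MINREV FILE: FILE holds `showrev -p` output, whose
# lines begin "Patch: <base>-<rev>". True if BASE is at MINREV or later.
patch_at_least() {
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        [ "${id%-*}" = "$1" ] || continue
        [ "${id##*-}" -ge "$2" ] 2>/dev/null && return 0
    done < "$3"
    return 1
}

# aggr_policy_ok FILE: FILE is a copy of /etc/security/device_policy.
# True if an aggr entry demands net_rawaccess for both read and write.
aggr_policy_ok() {
    while read -r driver tokens; do
        case $driver in aggr|aggr:\*) ;; *) continue ;; esac
        r=0 w=0
        for t in $tokens; do
            case $t in
                read_priv_set=*net_rawaccess*)  r=1 ;;
                write_priv_set=*net_rawaccess*) w=1 ;;
            esac
        done
        [ "$r$w" = 11 ] && return 0
    done < "$1"
    return 1
}

# assess AGGR_FILE SHOWREV_FILE POLICY_FILE ARCH: print one status word
# (hypothetical names). ARCH is the `uname -p` value: sparc or i386.
assess() {
    case $4 in
        sparc) base=118833 min=23 ;;
        i386)  base=118855 min=19 ;;
        *) echo unknown-arch; return 2 ;;
    esac
    if ! has_aggr "$1"; then echo no-aggregation
    elif patch_at_least "$base" "$min" "$2"; then echo patched
    elif aggr_policy_ok "$3"; then echo workaround
    else echo exposed
    fi
}

if [ "$#" -eq 4 ]; then assess "$@"; fi
```

A result of "exposed" means an aggregation is configured and neither the patch revision nor the device policy entry from the Workaround section was found in the supplied files.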
References
118855-19
118833-23