Note: This is an archival copy of Security Sun Alert 201262 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000945.1.
Article ID : 1000945.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-26
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the KSSL Kernel Module May Lead to a System Panic



Category
Security

Category
Availability

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6497668, 6539337

Date of Resolved Release
27-JUN-2007

Impact

Due to security vulnerabilities related to the handling of memory buffers containing Secure Socket Layer (SSL) records, an unprivileged local or remote user may be able to panic a Solaris 10 system that has been configured to act as an SSL proxy. This would result in a Denial of Service (DoS) to the system.


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Solaris 10 with patch 121474-01 or later and without patch 125100-10

x86 Platform

  • Solaris 10 with patch 121475-01 or later and without patch 125101-10

Notes:

  1. Solaris 8 and Solaris 9 are not impacted by these issues since they do not ship the KSSL implementation. Solaris 10 3/05 did not ship with KSSL, but it was delivered via patches for Solaris 10 and was included in Solaris 10 6/06 onwards.
  2. These issues only affect systems configured with the KSSL proxy. In the default configuration, the service does not exist and is not running.

The following command can be run to determine if the KSSL proxy was configured on a system:

    $ svcs | grep kssl
    online         Apr_27   svc:/network/ssl/proxy:kssl-INADDR_ANY-443
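
The two conditions above (fixing patch absent, KSSL proxy configured) can be checked together. The following script is an added example, not part of the original Sun Alert or any Sun/Oracle tooling; the function names and sample data are hypothetical, and it assumes the `Patch: <id>-<rev> ...` line format of `showrev -p` and the `sparc`/`i386` values printed by `uname -p`. It looks only for the two patch IDs named in this alert and does not follow later patches that may obsolete them.

```shell
#!/bin/sh
# Added example: exposure check for this Sun Alert (not Sun/Oracle code).
# fix_patch_base ARCH: base ID of the fixing patch named in the advisory.
fix_patch_base() {
    case "$1" in
        sparc) echo 125100 ;;
        i386)  echo 125101 ;;
        *)     return 1 ;;
    esac
}

# highest_rev BASE: read `showrev -p` output on stdin and print the highest
# installed revision of patch BASE, or -1 if no revision is installed.
highest_rev() {
    awk -v base="$1" '
        BEGIN { max = -1 }
        $1 == "Patch:" {
            split($2, id, "-")
            if (id[1] == base && id[2] + 0 > max) max = id[2] + 0
        }
        END { print max }'
}

# kssl_instances: read `svcs` output on stdin, print KSSL proxy FMRIs.
kssl_instances() {
    awk '$3 ~ /^svc:\/network\/ssl\/proxy:kssl-/ { print $3 }'
}

# assess ARCH SHOWREV_TEXT SVCS_TEXT: print a verdict.
# Returns 0 = not exposed or patched, 1 = vulnerable, 2 = unknown platform.
assess() {
    base=$(fix_patch_base "$1") || { echo "UNKNOWN platform: $1"; return 2; }
    rev=$(printf '%s\n' "$2" | highest_rev "$base")
    inst=$(printf '%s\n' "$3" | kssl_instances)
    if [ -z "$inst" ]; then
        echo "NOT EXPOSED: no KSSL proxy instance configured"
    elif [ "$rev" -ge 10 ]; then
        echo "PATCHED: $base-$rev installed"
    else
        echo "VULNERABLE: KSSL proxy configured, $base-10 or later not installed"
        return 1
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_SHOWREV='Patch: 121474-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr
Patch: 125100-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr'
SAMPLE_SVCS='online         Apr_27   svc:/network/ssl/proxy:kssl-INADDR_ANY-443'
assess sparc "$SAMPLE_SHOWREV" "$SAMPLE_SVCS" || true
```

On a Solaris 10 host the live check would be `assess "$(uname -p)" "$(showrev -p)" "$(svcs)"`.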

Symptoms

If these issues have been exploited, the system panic would produce the following stack trace:

    kssl_handle_record+0x80(6000383b250, 60002a04000, 2a100c97540, 6000112d200, 60003889c40, 0)
    strsock_kssl_input+0x14(600037f6380, 60001081540, 0, 0, 0, 60002744730)
    kstrgetmsg+0x51c(60001081540, 0, 2a100c97a10, 6000287ab28, 0, 1)
    sotpi_recvmsg+0x290(60002744730, 2a100c97870, 2a100c97a10, 2, 0, 7000)
    socktpi_read+0x44(600037f6380, 2a100c97a10, 600008022c8, 600008022c8, 0, 60002744730)
    fop_read+0x20(600037f6380, 2a100c97a10, 0, 600008022c8, 0, 135127c)
    read+0x274(101, 0, 600027c10d8, 1f40, 83, 0)
    syscall_trap32+0xcc(101, 154b20, 1f40, 1, 493e0, 8)

Note: Other stack traces are possible, containing calls to routines from the KCF module.


Workaround

Until patches are applied, sites may wish to disable the KSSL proxy so that SSL processing will be done in "userland" only. This may degrade the performance of servicing SSL streams.

For example, to disable the KSSL proxy listening on the default TCP port (port 443), the following command can be run:

    # ksslcfg delete 443

Note: This command will also delete the KSSL service.


Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 125100-10 or later

x86 Platform

  • Solaris 10 with patch 125101-10 or later


References

125100-10
125101-10



