Category: Security
Release Phase: Resolved
Product: Solaris 9 Operating System
Bug Id: 6435580
Date of Resolved Release: 29-MAY-2007
Impact
A security vulnerability in the in.iked(1M) service for Solaris 9 may allow an unprivileged local or remote user to crash the in.iked(1M) daemon, causing a Denial of Service (DoS) to IPsec protected network traffic. This is due to a logical pointer-handling error in the "libike" library.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 9 without patch 113451-13
x86 Platform
- Solaris 9 without patch 114435-12
Notes:
- Solaris 10 is not affected by this issue.
- Solaris 8 does not ship with in.iked(1M) and is not affected by this issue.
- This issue only affects systems with the in.iked(1M) service enabled.
The in.iked(1M) daemon is configured to run on a system if the file '/etc/inet/ike/config' is present. To determine whether IKE services are configured on the system, list that file:
$ ls /etc/inet/ike/config
/etc/inet/ike/config: No such file or directory
The output above comes from a system on which IKE is not configured and which is therefore not exposed to this issue. If the file is listed instead, the in.iked(1M) service is configured and the system is affected unless the patch in the Resolution section is installed. By default, the in.iked(1M) service is disabled on Solaris systems.
Symptoms
If this issue has been exploited, in.iked(1M) may no longer be running on the system. When in.iked(1M) is run in debug mode, the following messages appear immediately before the daemon aborts:
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: In ssh_policy_new_connection (pm_info = 0x719b8).
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Rejecting inbound phase 1: remote port != 500.
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Phase 2 negotiation failed: Aborted notification.
Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL, file ../common/policy.c, line 1293
Abort (core dumped)
Because a successful attack terminates the daemon, a system that has IKE configured but no running in.iked(1M) process is an indication that this issue has occurred. The following command reports that condition and prints nothing when IKE is not configured or when in.iked(1M) is running:
$ test ! -f /etc/inet/ike/config || pgrep in.iked || \
echo "in.iked not running but should be"
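The following script is an added example and is not part of the original Sun Alert. It combines the configuration and process check above with a patch-level check against the revisions given in the Resolution section: it selects the required patch from the platform reported by uname -p (sparc or i386), parses the "Patch: <id>-<rev> ..." lines printed by showrev -p, and accepts any revision at or above the required one. The showrev -p excerpts embedded in the block are constructed for the stand-alone demonstration; on a real Solaris 9 host the check_host function uses the live command output instead.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): verify a Solaris 9 host against the
# in.iked DoS fix by patch revision, and report whether IKE is configured and
# whether in.iked is actually running.

# Minimum patch revision per platform, taken from the advisory's Resolution.
required_patch() {
    case "$1" in
        sparc) echo "113451-13" ;;
        i386)  echo "114435-12" ;;
        *)     return 1 ;;
    esac
}

# patch_installed REQUIRED SHOWREV_OUTPUT
# showrev -p prints one "Patch: <id>-<rev> Obsoletes: ... Packages: ..." line
# per installed patch. Returns 0 if the same patch id is installed at a
# revision greater than or equal to the required one.
patch_installed() {
    req_base=${1%-*}
    req_rev=${1#*-}
    printf '%s\n' "$2" | awk -v base="$req_base" -v rev="$req_rev" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= rev + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ike_status CONFIG_PATH
# Same logic as the advisory's one-liner: IKE is configured only if the
# config file exists, and a configured system must have in.iked running.
ike_status() {
    if [ ! -f "$1" ]; then
        echo "not-configured"
    elif pgrep -x in.iked >/dev/null 2>&1; then
        echo "running"
    else
        echo "not-running"   # the post-crash state described in Symptoms
    fi
}

# Run the full check on the local host (only meaningful on Solaris).
check_host() {
    plat=$(uname -p)
    req=$(required_patch "$plat") || { echo "unsupported platform: $plat"; return 1; }
    if patch_installed "$req" "$(showrev -p)"; then
        echo "patch $req or later installed"
    else
        echo "MISSING: patch $req or later not installed"
    fi
    echo "in.iked: $(ike_status /etc/inet/ike/config)"
}

# Constructed showrev -p excerpts for demonstration; not real host output.
SAMPLE_UNPATCHED='Patch: 112233-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 113451-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcsu'
SAMPLE_PATCHED='Patch: 113451-14 Obsoletes: 113451-13 Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcsu'

# Only run against the live system when showrev exists, i.e. on Solaris.
if command -v showrev >/dev/null 2>&1; then
    check_host
fi
```

Run the script as root on the host being assessed; a "MISSING" line together with an "in.iked: running" line describes a system that is configured for IKE and still exposed, while "not-running" on a configured system matches the post-crash condition from the Symptoms section.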
Workaround
Until patches can be applied, sites may wish to filter UDP packets that are addressed to the IKE port (UDP port 500) but carry a source port other than 500, and also to include at least one IKE rule in the ike.config(4) file. The debug output in the Symptoms section shows the daemon rejecting a phase 1 packet whose remote port is not 500 just before the assertion fails, so dropping such packets before they reach in.iked(1M) removes that trigger.
When this issue has occurred, it is necessary to manually restart in.iked(1M) using the following command (as 'root'):
# /usr/lib/inet/in.iked
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 9 with patch 113451-13 or later
x86 Platform
- Solaris 9 with patch 114435-12 or later
References
113451-13
114435-12