Note: This is an archival copy of Security Sun Alert 201281 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000964.1.
Article ID : 1000964.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-05-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the in.iked(1M) Service May Lead To a Denial of Service (DoS)

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
6435580

Date of Resolved Release
29-MAY-2007

Impact

A security vulnerability in the in.iked(1M) service for Solaris 9 may allow an unprivileged local or remote user to crash the in.iked(1M) daemon, causing a Denial of Service (DoS) to IPsec protected network traffic. This is due to a logical pointer-handling error in the "libike" library.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 113451-13

x86 Platform

  • Solaris 9 without patch 114435-12

Notes:

  1. Solaris 10 is not affected by this issue.
  2. Solaris 8 does not ship with in.iked(1M) and is not affected by this issue.
  3. This issue only affects systems with the in.iked(1M) service enabled.

The in.iked(1M) daemon is configured to run on a system if the file '/etc/inet/ike/config' is present. To determine if IKE services are configured on the system, the following command can be run:

    $ ls /etc/inet/ike/config
    /etc/inet/ike/config: No such file or directory

By default, the in.iked(1M) service is disabled on Solaris systems.


Symptoms

If this issue has been exploited, in.iked(1M) may no longer be running on the system. When running in.iked(1M) in debug mode, the following messages will appear:

    Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: In ssh_policy_new_connection (pm_info = 0x719b8).
    Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Rejecting inbound phase 1: remote port != 500.
    Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Phase 2 negotiation failed: Aborted notification.
    Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL, file ../common/policy.c, line 1293
    Abort (core dumped)

To determine whether the IKE daemon (in.iked(1M)) has stopped on a system which has IKE configured, the following command can be run:

    $ test ! -f /etc/inet/ike/config || pgrep in.iked || \
    echo "in.iked not running but should be"
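The patch-level and configuration checks above can be combined into one assessment. The following POSIX sh script is an added example, not part of the Sun Alert: it parses installed-patch lines in the format printed by showrev(1M) with -p, compares them against the fixing patch revisions listed in this alert, and reports whether a host is patched, not configured for IKE, or still exposed (the pgrep check above still tells you whether the daemon is currently up). The sample patch list is constructed.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): classify a Solaris 9 host's exposure
# to bug 6435580 from its `showrev -p` output and its IKE configuration file.
# A `showrev -p` line looks like:
#   Patch: 113451-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu

# has_patch PATCHLIST BASE MINREV -> exit 0 if BASE-REV with REV >= MINREV is installed
has_patch() {
    printf '%s\n' "$1" | awk -v base="$2" -v minrev="$3" '
        $1 == "Patch:" {
            split($2, p, "-")                       # "113451-12" -> base, revision
            if (p[1] == base && (p[2] + 0) >= (minrev + 0)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# fix_patch ARCH -> prints "BASE MINREV" of the fixing patch from this alert
fix_patch() {
    case "$1" in
        sparc) echo "113451 13" ;;
        i386)  echo "114435 12" ;;
        *)     return 1 ;;                          # unknown architecture
    esac
}

# assess ARCH PATCHLIST IKE_CONFIG_PATH -> prints patched | not-configured | vulnerable
assess() {
    arch=$1; patches=$2; ikeconf=$3
    fp=$(fix_patch "$arch") || return 1
    set -- $fp                                      # $1 = base id, $2 = minimum revision
    if has_patch "$patches" "$1" "$2"; then
        echo patched
    elif [ ! -f "$ikeconf" ]; then
        echo not-configured                         # in.iked only runs if this file exists
    else
        echo vulnerable
    fi
}

# Constructed sample data: a SPARC host one revision short of the fix.
SAMPLE_PATCHES='Patch: 113451-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 112233-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar'

# Stand-alone use on a real host would be:
#   assess sparc "$(showrev -p)" /etc/inet/ike/config
```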

Workaround

Until patches can be applied, sites may wish to filter UDP packets whose source port is not the IKE port (UDP port 500), and also to include at least one IKE rule in the ike.config(4) file.

When this issue has occurred, it is necessary to manually restart in.iked(1M) using the following command (as 'root'):

    # /usr/lib/inet/in.iked

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 113451-13 or later

x86 Platform

  • Solaris 9 with patch 114435-12 or later


References

113451-13
114435-12
