Note: This is an archival copy of Security Sun Alert 228408 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017349.1.
Article ID : 1017349.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-09-25
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Remote SSL Client May be Able to Cause a Denial of Service (DoS) of a Solaris 10 System Running a Kernel SSL Service Instance

Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6401687

Date of Resolved Release
26-SEP-2006

Impact

A security vulnerability in the Solaris 10 kernel SSL feature may allow a remote unprivileged user acting as an SSL client to panic the system, creating a Denial of Service (DoS) condition.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 with patch 118822-29 or later and without patch 123304-01

x86 Platform

  • Solaris 10 with patch 118844-29 or later and without patch 118855-17

Note: Solaris 8 and Solaris 9 are not impacted by this issue.

This issue only occurs on systems which have a Kernel SSL Proxy service instance enabled. In the default configuration the service does not exist and is not running.

To determine if a system is configured to use the Kernel SSL Proxy, the svcs(1) command can be used to find the status of any Kernel SSL Proxy service instances:

   $ svcs svc:/network/ssl/proxy
 svcs: Pattern 'svc:/network/ssl/proxy' doesn't match any instances
 STATE          STIME    FMRI

 


Symptoms

If the described issue occurs, the system will panic with a stack trace similar to the following:

    >> $c
    bcopy+0x2cc(3000453ce40, 0, 40, 2a10086b0b0, 2a10086b0f0, 3000453ce40)
    md5_mac_init+0xec(30005fcbf40, 2a10086b348, 40, 0, 3000453ce40, 2a10086b740)
    crypto_mac_init_prov+0x19c(3000077c040, 0, 70119408, 2a10086b738, 0, 2a10086b530)
    crypto_mac_init+0x114(70119408, 2a10086b738, 0, 2a10086b530, 0, 3000077c040)
    kssl_tls_P_hash+0x50(10, 2a10086b738, 40, 701199d0, d, 2a10086b840)
    kssl_tls_PRF+0x80(30, 0, 80, 701199d0, d, 2a10086b840)
    ...

 


Workaround

To workaround this issue, disable all instances of the Kernel SSL Proxy service and re-configure applications which may depend on them. Note that this will remove the benefits otherwise gained by the Kernel SSL Proxy, such as the performance enhancements.

To disable the Kernel SSL Proxy service, the svcadm(1M) command can be used for each instance of the service:

    # svcadm disable svc:/network/ssl/proxy:<instance_suffix>

To disable and delete the Kernel SSL Proxy service, the ksslcfg(1M) can be used for each instance of the service:

    # ksslcfg delete [host] <ssl_port>

 


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 123304-01 or later

x86 Platform

  • Solaris 10 with patch 118855-17 or later


References

123304-01
118855-17




Attachments
This solution has no attachment