Note: This is an archival copy of Security Sun Alert 256748 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020356.1.
Article ID : 1020356.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2009-06-08
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in the Solaris rpc.nisd(1M) Daemon may Cause a Denial of Service (DoS) Condition to a NIS+ Server

Category
Security

Release Phase
Resolved

Bug Id
6466160

Product
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris

Date of Resolved Release
09-Jun-2009

A security vulnerability in the Solaris rpc.nisd(1M) daemon may cause a Denial of Service (DoS) condition to a NIS+ server:

1. Impact

A security vulnerability in the Solaris rpc.nisd(1M) daemon may allow remote privileged users on certain NIS+ clients to cause a Denial of Service (DoS) condition to a NIS+ server, preventing the server from responding to all NIS+ client requests.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 8 without patch 128624-09
  • Solaris 9 without patch 112960-65
  • Solaris 10 without patch 140917-01
  • OpenSolaris based upon builds snv_01 through snv_103
x86 Platform
  • Solaris 8 without patch 128625-09
  • Solaris 9 without patch 114242-50
  • Solaris 10 without patch 140918-01
  • OpenSolaris based upon builds snv_01 through snv_103
Note 1: OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived.  To determine the base build of OpenSolaris, the following command can be used:
    $ uname -v
    snv_86
Note 2: This issue only affects systems that are configured as NIS+ Master or Replica servers and have the rpc.nisd(1M) process running on the system.

To determine if a system is a NIS+ Master or Replica server and if the rpc.nisd(1M) service is running, the following command may be run:

On Solaris 10 and OpenSolaris systems:
    $ svcs svc:/network/rpc/nisplus:default
    STATE          STIME    FMRI
    online         Feb_17   svc:/network/rpc/nisplus:default
If the "state" field in the output is "disabled" the system is not configured as a NIS+ Master or Replica server.

On Solaris 8 and 9 systems:
    $ pgrep rpc.nisd || echo "This system is not a NIS+ server."
3. Symptoms

If the described issue occurs, NIS+ commands to lookup NIS+ data may hang. For example, running the following command from the NIS+ server machine may hang:
    $ niscat hosts.org_dir
The stack trace of NIS+ server process rpc.nisd(1M) may be similar to the following:
    -----------------  lwp# 1 / thread# 1  --------------------
    ff11ce9c getmsg   (101, ffbec9e4, ffbec960, ffbec96c)
    ff1ca594 getmsg   (101, 557070, ffbec9f0, ffbec9e4, 1, ffbec9e4) + 34
    ff2a0418 _tx_connect (557000, 557070, 5e5ab8, 1, ff31ef60, ffbeca70) + 1fc
    ff2a4c9c set_up_connection (101, 0, 0, 5e5ab8, 531520, 101) + 140
    ff2a48d4 clnt_vc_create (101, 531520, 654150, 4000, 4000, ff322bf8) + 1bc
    ff294dc0 clnt_tli_create (4000, 1, 7021c0, 187ce, 1, 4000) + 214
    ff2e87ec __nis_clnt_create (6ef230, 1, 1, 7021c0, 0, 187ce) + 11c
    ff2e8b48 nis_make_rpchandle_gss_svc (4000, 0, 4a3090, 4e2e68, 0, 5600e0) + 2d0
    ff2e86c0 nis_make_rpchandle_uaddr (6f34b8, 1, 187ce, 1, 1, 4000) + 2c
    ff2ab92c nis_make_rpchandle (6f34b8, 1, 187ce, 1, 1, 4000) + 24
    0001a7d4 ???????? (ffbed0e0, 6b70f0, c74c0, ffbed0e0, 57f108, 0)
    0001b2f0 nis_iblist_svc (0, 5600e0, 57f108, 0, c74c0, 57f108) + 174
    0002ff84 nis_prog_svc (52400, 4a000, 1b17c, 498c8, f, ffbeddbc) + 4e4
    ff2d2dec _svc_prog_dispatch (2faa0, 3, 0, ff31ef60, 142378, 159778) + 180
    ff2d2bb8 svc_getreq_common (ff322e54, 1, ff32c9e0, ff32c908, 400, 142378) + d8
    ff2d2ac0 svc_getreq_poll (1, 1bc598, ff31ef60, 1, 0, 1bbd98) + 9c
    000180a4 main     (4a000, 52000, 12c, 4a034, 7fffffff, 10d) + 1404
    0001597c _start   (0, 0, 0, 0, 0, 0) + b8
4. Workaround

There is no workaround for this issue. Please see the Resolution section below.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  • Solaris 8 with patch 128624-09 or later
  • Solaris 9 with patch 112960-65 or later
  • Solaris 10 with patch 140917-01 or later
  • OpenSolaris based upon builds snv_104 or later
x86 Platform
  • Solaris 8 with patch 128625-09 or later
  • Solaris 9 with patch 114242-50 or later
  • Solaris 10 with patch 140918-01 or later
  • OpenSolaris based upon builds snv_104 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

References

112960-65
114242-50
128624-09
128625-09
140917-01
140918-01





Attachments
This solution has no attachment