#228408: A Remote SSL Client May be Able to Cause a Denial of Service (DoS) of a Solaris 10 System Running a Kernel SSL Service Instance

A Remote SSL Client May be Able to Cause a Denial of Service (DoS) of a Solaris 10 System Running a Kernel SSL Service Instance

Category :	Security
Release Phase :	Resolved
Product :	Solaris 10 Operating System
Bug Id :	6401687
Date of Resolved Release :	26-SEP-2006

Impact

A security vulnerability in the Solaris 10 kernel SSL feature may allow a remote unprivileged user acting as an SSL client to panic the system, creating a Denial of Service (DoS) condition.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

Solaris 10 with patch 118822-29 or later and without patch 123304-01

x86 Platform

Solaris 10 with patch 118844-29 or later and without patch 118855-17

Note: Solaris 8 and Solaris 9 are not impacted by this issue.

This issue only occurs on systems which have a Kernel SSL Proxy service instance enabled. In the default configuration the service does not exist and is not running.

To determine if a system is configured to use the Kernel SSL Proxy, the svcs(1) command can be used to find the status of any Kernel SSL Proxy service instances:

   $ svcs svc:/network/ssl/proxy
   svcs: Pattern 'svc:/network/ssl/proxy' doesn't match any instances
   STATE          STIME    FMRI

Symptoms

If the described issue occurs, the system will panic with a stack trace similar to the following:

    >> $c
    bcopy+0x2cc(3000453ce40, 0, 40, 2a10086b0b0, 2a10086b0f0, 3000453ce40)
    md5_mac_init+0xec(30005fcbf40, 2a10086b348, 40, 0, 3000453ce40, 2a10086b740)
    crypto_mac_init_prov+0x19c(3000077c040, 0, 70119408, 2a10086b738, 0, 2a10086b530)
    crypto_mac_init+0x114(70119408, 2a10086b738, 0, 2a10086b530, 0, 3000077c040)
    kssl_tls_P_hash+0x50(10, 2a10086b738, 40, 701199d0, d, 2a10086b840)
    kssl_tls_PRF+0x80(30, 0, 80, 701199d0, d, 2a10086b840)
    ...

Workaround

To workaround this issue, disable all instances of the Kernel SSL Proxy service and re-configure applications which may depend on them. Note that this will remove the benefits otherwise gained by the Kernel SSL Proxy, such as the performance enhancements.

To disable the Kernel SSL Proxy service, the svcadm(1M) command can be used for each instance of the service:

    # svcadm disable svc:/network/ssl/proxy:<instance_suffix>

To disable and delete the Kernel SSL Proxy service, the ksslcfg(1M) can be used for each instance of the service:

    # ksslcfg delete [host] <ssl_port>

Resolution

This issue is addressed in the following releases:

SPARC Platform

Solaris 10 with patch 123304-01 or later

x86 Platform

Solaris 10 with patch 118855-17 or later

Attachments

This solution has no attachment

Login Required

Login Required