A Security Issue With Solaris 10 x64 Systems Using IPv6 Forwarding May Result in a Denial of Service (DoS) |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Solaris 10 Operating System for x86 Platforms
|
| Bug Id : | 6222966
|
| Date of Resolved Release : | 25-SEP-2006
|
Solaris 10 x64 systems configured to use Internet Protocol Version 6 (ip6(7P)) may panic when processing certain IPv6 packets. A local or remote unprivileged user may be able to send IPv6 packets that could panic the system causing a Denial of Service (DoS).
Contributing Factors
This issue can occur in the following releases:
x86 Platform
- Solaris 10 without patch 118855-16
Note: Solaris 8 and Solaris 9, systems are not impacted by this issue. Solaris 10 sparc and Solaris 10 32 bit x86 systems are also not impacted.
To determine if a system is running in 64-bit mode, the following command can be run:
$ isainfo -b
64
If "64" is returned, the system is running in 64-bit mode.
This issue only affects Systems that use IPv6 forwarding. To determine if a system is running with IPv6 enabled, the following command can be used:
$ ifconfig -a6
If entries are returned marked "UP and RUNNING" then the system is utilizing IPv6.
Symptoms
If the described issue occurs, the system will panic with a stack trace similar to the following:
fffffe80000b36c0 unix:die+da (ffffffff00000000, 184a16e00)
fffffe80000b37a0 unix:trap+5ea ()
fffffe80000b37b0 unix:cmntrap+11b ()
fffffe80000b3980 ip:ip_rput_data_v6+e00 ()
fffffe80000b39d0 ip:ip_rput_v6+193 ()
fffffe80000b3a30 unix:putnext+1f1 ()
fffffe80000b3b50 gld:gld_recv_tagged+21d ()
fffffe80000b3b60 gld:ri_ste_def+333ebf2b ()
Workaround
To work around the described issue, do not configure IPv6 addresses. To disable IPv6 on a system, run the following command as root:
# ifconfig -a6 down
Edit the "/etc/nsswitch.conf" file and change the "ipnodes" entry to be "files" only. IPv6 will function again after a reboot.
Note: To disable IPv6 on systems across a system reboot, the "/etc/hostname6.<interface>" files can be temporarily renamed.
Alternatively, to workaround the described issue while maintaining IPv6 functionality, boot the system in 32-bit mode.
To specify the 32-bit kernel, as root or with equivalent privileges, enter the following command:
# eeprom boot-file=kernel/unix
Upon the next reboot, the system will be running the 32-bit kernel.
Once the patch for this issue is installed, to reinstate 64 bit mode, as root or with equivalent privileges, enter the following command:
# eeprom boot-file=kernel/amd64/unix
Upon the next reboot, the system will be running the 64-bit kernel.
Resolution
This issue is addressed in the following releases:
x86 Platform
- Solaris 10 with patch 118855-16 or later
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
