Security Vulnerability in Solaris 10 Link Aggregation may Allow Local Users Total Access to Network Packets



Category: Security
Release Phase: Resolved
Product: Solaris 10 Operating System
Bug Id: 6364350
Date of Resolved Release: 06-OCT-2006


Impact

A security vulnerability resulting from incorrect and insufficient permission checks in the default Solaris 10 configuration may allow a local unprivileged user to create a raw socket on a Solaris link aggregation, resulting in unrestricted access to network packets.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

x86 Platform

Note: This issue does not affect Solaris 8 or Solaris 9.

This issue only affects systems on which aggregations of network devices have been configured using dladm(1M) and enabled with ifconfig(1M). To determine whether a system has one or more aggregations of network devices configured, run the following commands as the root user or as a user with the sys_net_config privilege:

    # /usr/sbin/dladm show-aggr
       key: 1 (0x0001) policy: L4      address: 0:1:2:3:4:5 (auto)
       device       address           speed         duplex  link state
       bge1         0:1:2:3:4:5       100   Mbps    full    up      attached
       bge2         0:1:2:3:4:5       100   Mbps    full    up      attached
       bge3         0:1:2:3:4:5       100   Mbps    full    up      attached
    # /usr/sbin/ifconfig aggr1
       aggr1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 143
       inet 192.29.67.199 netmask ffffff00 broadcast 192.29.67.255
       ether 0:1:2:3:4:5

 


Symptoms

There are no reliable symptoms that would show if this issue has been exploited to access network traffic or send spoofed packets using a network link aggregation.


Workaround

To create a device policy that denies local users this total access, add an entry to the /etc/security/device_policy file by running the update_drv(1M) command as superuser with the following arguments:

   # /usr/sbin/update_drv -a -p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' aggr
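
The check and the workaround above can be combined into one audit step. The script below is an added example, not part of the original Sun Alert or Sun's code: it reads `dladm show-aggr` output and the contents of /etc/security/device_policy as text and reports whether an aggregation exists and whether an `aggr` policy entry requiring net_rawaccess is present. The function names, the status words, the sample policy lines and the assumed device_policy line layout are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Sun's code): checks text inputs so it runs on any host.
# On Solaris 10, as root:
#   assess "$(/usr/sbin/dladm show-aggr)" "$(cat /etc/security/device_policy)"

# Print the key of each aggregation in `dladm show-aggr` output (stdin).
aggr_keys() {
    awk '$1 == "key:" { print $2 }'
}

# Succeed if device_policy text (stdin) has an aggr entry that demands
# net_rawaccess for both read and write.
# Assumed line format: "driver[:minor] token=value ..."; "#" starts a comment.
aggr_policy_ok() {
    awk '
        $1 ~ /^#/ { next }
        $1 == "aggr" || $1 ~ /^aggr:/ {
            r = 0; w = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^read_priv_set=/  && $i ~ /net_rawaccess/) r = 1
                if ($i ~ /^write_priv_set=/ && $i ~ /net_rawaccess/) w = 1
            }
            if (r && w) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# assess <show-aggr text> <device_policy text>: print one status word.
# Does not check ifconfig state or whether the fixed release is installed.
assess() {
    if [ -z "$(printf '%s\n' "$1" | aggr_keys)" ]; then
        echo "no-aggregation"
    elif printf '%s\n' "$2" | aggr_policy_ok; then
        echo "policy-present"
    else
        echo "policy-missing"
    fi
}

# Constructed sample inputs (the policy lines are illustrative, not from the alert).
SAMPLE_AGGR='   key: 1 (0x0001) policy: L4      address: 0:1:2:3:4:5 (auto)
   bge1         0:1:2:3:4:5       100   Mbps    full    up      attached'
SAMPLE_POLICY_BEFORE='*    read_priv_set=none    write_priv_set=none'
SAMPLE_POLICY_AFTER="$SAMPLE_POLICY_BEFORE
aggr read_priv_set=net_rawaccess write_priv_set=net_rawaccess"

assess "$SAMPLE_AGGR" "$SAMPLE_POLICY_BEFORE"
assess "$SAMPLE_AGGR" "$SAMPLE_POLICY_AFTER"
assess "" "$SAMPLE_POLICY_BEFORE"
```

A `policy-missing` result on a host that has not received the fixed release is the case where the workaround applies.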

 


Resolution

This issue is addressed in the following releases:

SPARC Platform

x86 Platform






Attachments
This solution has no attachment

 
 
Article Details
Article ID : 201098
Article Type : Sun Alert
Last reviewed : 2006-10-06
Audience : PUBLIC