A Security Vulnerability in the in.iked(1M) Service May Lead To a Denial of Service (DoS)



Category: Security
Release Phase: Resolved
Product: Solaris 9 Operating System
Bug Id: 6435580
Date of Resolved Release: 29-MAY-2007


Impact

A security vulnerability in the in.iked(1M) service for Solaris 9 may allow an unprivileged local or remote user to crash the in.iked(1M) daemon, causing a Denial of Service (DoS) to IPsec protected network traffic. This is due to a logical pointer-handling error in the "libike" library.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

x86 Platform

Notes:

  1. Solaris 10 is not affected by this issue.
  2. Solaris 8 does not ship with in.iked(1M) and is not affected by this issue.
  3. This issue only affects systems with the in.iked(1M) service enabled.

The in.iked(1M) daemon is configured to run on a system if the file '/etc/inet/ike/config' is present. To determine if IKE services are configured on the system, the following command can be run:

    $ ls /etc/inet/ike/config
    /etc/inet/ike/config: No such file or directory

By default, the in.iked(1M) service is disabled on Solaris systems.


Symptoms

If this issue has been exploited, in.iked(1M) may no longer be running on the system. When running in.iked(1M) in debug mode, the following messages will appear:

    Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: In ssh_policy_new_connection (pm_info = 0x719b8).
    Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Rejecting inbound phase 1: remote port != 500.
    Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Phase 2 negotiation failed: Aborted notification.
    Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL, file ../common/policy.c, line 1293
    Abort (core dumped)

If this issue has been exploited, the IKE daemon will no longer be running on the system. To check whether the in.iked(1M) daemon is down on a system that has IKE configured, run the following command:

    $ test ! -f /etc/inet/ike/config || pgrep in.iked || \
    echo "in.iked not running but should be"
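
The configuration check, the process check and the debug-mode assertion shown above can be combined into one triage helper. This is an added example, not part of the original Sun Alert: the debug-log path and the overridable process-check argument are assumptions, and it expects a POSIX shell and grep (on Solaris 9, /usr/xpg4/bin/sh and /usr/xpg4/bin/grep).

```shell
#!/bin/sh
# Added example: triage for the in.iked crash described in this alert.
# Signatures are the debug-mode messages quoted in the Symptoms section.
ASSERT_SIG='Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL'
REJECT_SIG='Rejecting inbound phase 1: remote port != 500'

# iked_triage CONFIG DEBUG_LOG [PROCESS_CHECK_CMD]
#   CONFIG             IKE config file (/etc/inet/ike/config in the advisory)
#   DEBUG_LOG          file holding in.iked debug output (path is an assumption)
#   PROCESS_CHECK_CMD  command that succeeds when the daemon is up
#                      (overridable so the logic can be exercised offline)
# Prints a status word and returns:
#   0  not-configured | running
#   1  down-unknown              configured, daemon down, no assertion logged
#   2  down-assertion rejects=N  configured, daemon down, assertion logged;
#                                N = rejected phase 1 attempts from ports != 500
iked_triage() {
    config=$1
    log=$2
    check=${3:-"pgrep -x in.iked"}

    # No config file: in.iked is not expected to run on this system.
    [ -f "$config" ] || { echo "not-configured"; return 0; }

    if $check >/dev/null 2>&1; then
        echo "running"
        return 0
    fi

    # Daemon is down: look for the abort signature from this alert.
    if [ -r "$log" ] && grep -F "$ASSERT_SIG" "$log" >/dev/null 2>&1; then
        rejects=$(grep -F -c "$REJECT_SIG" "$log")
        echo "down-assertion rejects=$rejects"
        return 2
    fi
    echo "down-unknown"
    return 1
}

# Sample input: the debug excerpt quoted in the Symptoms section.
sample_debug_log() {
    cat <<'EOF'
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: In ssh_policy_new_connection (pm_info = 0x719b8).
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Rejecting inbound phase 1: remote port != 500.
Tue Jun 06 09:52:20 2006: /usr/lib/inet/in.iked: Phase 2 negotiation failed: Aborted notification.
Assertion failed: pm_info->local_ip != NULL && pm_info->remote_ip != NULL, file ../common/policy.c, line 1293
Abort (core dumped)
EOF
}
```

A return value of 2 separates this specific abort from other reasons the daemon might be down, which is useful before restarting it as described under Workaround.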

Workaround

Until patches can be applied, sites may wish to filter UDP packets which have a source port other than the IKE port (port 500), and to include at least one IKE rule in the ike.config(4) file.

When this issue has occurred, it is necessary to manually restart in.iked(1M) using the following command (as 'root'):

    # /usr/lib/inet/in.iked

 


Resolution

This issue is addressed in the following releases:

SPARC Platform

x86 Platform






Article Details

Article ID: 201281
Article Type: Sun Alert
Last reviewed: 2007-05-29
Audience: PUBLIC