Due to security vulnerabilities related to the handling of memory buffers containing Secure Socket Layer (SSL) records, an unprivileged local or remote user may be able to panic a Solaris 10 system that has been configured to act as a SSL proxy. This would result in a Denial of Service (DoS) to the system.

These issues can occur in the following releases:

SPARC Platform

• Solaris 10 with patch 121474-01 or later and without patch 125100-10

x86 Platform

• Solaris 10 with patch 121475-01 or later and without patch 125101-10

Notes:

1. Solaris 8 and Solaris 9 are not impacted by these issues since they do not ship the KSSL implementation. Solaris 10 3/05 did not ship with KSSL, but it was delivered via patches for Solaris 10 and was included in Solaris 10 6/06 onwards.
2. These issues only affect systems configured with the KSSL proxy. In the default configuration, the service does not exist and is not running.

The following command can be run to determine if the KSSL proxy was configured on a system:

    $ svcs | grep kssl
    online         Apr_27   svc:/network/ssl/proxy:kssl-INADDR_ANY-443

If these issues have been exploited, the system panic would produce the following stack trace:

    kssl_handle_record+0x80(6000383b250, 60002a04000, 2a100c97540, 6000112d200, 
    60003889c40, 0)
    strsock_kssl_input+0x14(600037f6380, 60001081540, 0, 0, 0, 60002744730)
    kstrgetmsg+0x51c(60001081540, 0, 2a100c97a10, 6000287ab28, 0, 1)
    sotpi_recvmsg+0x290(60002744730, 2a100c97870, 2a100c97a10, 2, 0, 7000)
    socktpi_read+0x44(600037f6380, 2a100c97a10, 600008022c8, 600008022c8, 0, 
    60002744730)
    fop_read+0x20(600037f6380, 2a100c97a10, 0, 600008022c8, 0, 135127c)
    read+0x274(101, 0, 600027c10d8, 1f40, 83, 0)
    syscall_trap32+0xcc(101, 154b20, 1f40, 1, 493e0, 8)

Note: Other possible stack traces are possible containing calls to routines from the KCF module.

Until patches are applied, sites may wish to disable the KSSL proxy so that SSL processing will be done in "userland" only. This may degrade the performance of servicing SSL streams.

For example, to disable the KSSL proxy listening on the default TCP port (port 443), the following command can be run:

    # ksslcfg delete 443

Note: This command will also delete the KSSL service.

These issues are addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 125100-10 or later

x86 Platform

• Solaris 10 with patch 125101-10 or later

This solution has no attachment