A Security Vulnerability in Solaris 10 NFS XDR Handling May Allow a Denial of Service to NFS Servers


Category :Security
Release Phase :Resolved
Product :Solaris 10 Operating System  
Bug Id :6458704  
Date of Resolved Release :13-JUN-2007 


Impact

A security vulnerability in Solaris 10 related to the handling of XDR data within NFS requests may allow a local or remote unprivileged user to panic a Solaris system that is configured to run as an NFS server, resulting in a Denial of Service (DoS).

Sun wishes to thank Andrzej Dereszowski for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 125100-01

x86 Platform

Notes:

  1. Solaris 8 and 9 are not impacted by this issue.
  2. This issue will only affect systems configured to run as NFS servers.

To determine if a Solaris 10 system is configured to run as an NFS server, the following command can be run:

    $ svcs nfs/server
    STATE      STIME        FMRI
    online     14:30:59     svc:/network/nfs/server:default

If the above command reports that NFS services are enabled (see smf(5)), the system may be vulnerable.


Symptoms

Should the described issue occur, the system may panic with a stack trace which ends similar to the following:

    xdrmblk_getint32+0xb4(...)
    xdr_bool+0x70(...)
    ...

Workaround

To prevent this issue until patches can be installed, NFS services may be disabled on the affected system by running the following command:

    # svcadm disable nfs/server

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 125100-01 or later

x86 Platform

Note:

Revisions prior to -04 of the above listed patches do not list bug 6458704 in the READMEs, however, this discrepancy is limited to the README; installation of these patches will in fact resolve this issue.

When originally released, the READMEs for patches 124250 and 124251, revisions -01 to -03, incorrectly stated that those patches contained the fix for bug 6458704. Even if one of those two patches are installed on a system, either patch 125100-01 or 125101-01 (or later revisions) must be installed to resolve this issue (and patches 124250-01 and 124251-01 are not required to resolve this issue).






Attachments
This solution has no attachment
 
Sun support customers:
more support information is available after you sign in.
 
»   Login
»   Register
»   Lost UserName/Password
 
Login Required

You must login and have a valid contract to access Sun's Premium content which includes:

  • Sun Alerts
  • Bugs
  • Patches
  • Solutions
  • White Papers
  • Documentation
  • Support Knowledge

Login Required

You must login and have a valid contract to access Sun's contracted features

Access Legend:

(Login to access)   Sun Contracted Content
(Login to access)   Sun Contracted Feature

Please make use of SunSolve Feedback application by selecting the floating [+] to provide feedback about this specific document.

Search
Article Details
Article ID : 201267
Article Type : Sun Alert
Last reviewed : 2007-06-13
Audience : PUBLIC
Keywords :
Provide feedback  (help)
Page Tools
»  Print This Page
»  Email This Article
»  Bookmark This Article
Security Support
»   Security Center
»   Report Security Vulnerabilities
»   Security PGP Key
»   Sun Alert Notifications - RSS Feeds
»   Sun Alert Notifications - eNewsletter
»   Solaris Fingerprint Database
 
SunSolve Navigation
»   Forums for contracted customers
»   Licenses
»   Log a Service Request
»   Patches and Updates
»   Product Download Center
»   SunSystem Handbook
»   SunSolve Japan
SunSolve Feedback, Help and Updates
»   Blog
»   Community
»   Feedback
»   Help
»   Learn about SunSolve
»   Twitter
Contact About Sun News & Events Employment Site Map Privacy Terms of Use Trademarks Copyright Sun Microsystems, Inc. | SunSolve Version 7.4.0 #1