#200183: Security Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) Condition

Security Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) Condition

Category :	Security
Release Phase :	Resolved
Bug Id :	6240205
Product :	Solaris 9 Operating System Solaris 10 Operating System Solaris 8 Operating System
Date of Resolved Release :	08-Feb-2008

Security Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) Condition

1. Impact

A security vulnerability in Solaris Internet Protocol (IP - see ip(7P)) implementation may allow a remote privileged user to send certain packets bypassing the security policies set by a firewall or to cause the system to panic, creating a Denial of Service (DoS) condition.

Sun acknowledges, with thanks, Mark Dowd from IBM Internet Security Systems X-Force (http://xforce.iss.net) for bringing this issue to our attention.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

Solaris 8 without patch 116965-30
Solaris 9 without patch 114344-32
Solaris 10 without patch 118822-27

x86 Platform

Solaris 8 without patch 116966-29
Solaris 9 without patch 119435-20
Solaris 10 without patch 118844-28

3. Symptoms

There are no predictable symptoms that would indicate the policies of a firewall have been circumvented. If the system panics due to this issue, the following stack trace may be seen:

    icmp_pkt_v6+0xxxxx
    icmp_param_problem_v6+0xxxxx
    ip_fanout_sec_proto+0xxxxx
    ip_rput_local+0xxxxx
    ip_rput+0xxxxx
    putnext+0xxxxx

4. Workaround

To work around the described issues:

As "root," set the ndd(1M) variable "ip_reass_queue_bytes" to 0 by using the following command:

    # ndd -set /dev/ip ip_reass_queue_bytes 0

This workaround will stop the system from re-assembling IP fragments. Networks which send/receive fragmented IP packets to/from the system will become unreachable.

Note: This workaround is not persistent across reboot.