Security Vulnerability in Solaris 10 Trusted Extensions Labeled Networking Related to Data Transfer Between Labeled Zones

---

Vulnerability in Solaris 10 Trusted Extensions (see details below)

1. Impact

A security vulnerability in Solaris 10 Trusted Extensions labeled networking may allow untrusted applications in separate labeled zones to exchange data on the local system by circumventing label restrictions.

2. Contributing Factors

This issue can occur if one or more all-zones interfaces are
non-vni interfaces.

This issue can occur on the following releases:

SPARC Platform

• Solaris 10 without patch 127127-11

x86 Platform

• Solaris 10 without patch 127128-11

Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.
Note 2: This issue only impacts Solaris 10 systems which have installed and configured Solaris Trusted Extensions. Solaris Trusted Extensions is available starting in the Solaris 10 11/06 release.

To determine if a system is configured with Trusted Extensions, the following command can be run:
    $ svcs labeld
    STATE          STIME    FMRI
    online         16:19:20 svc:/system/labeld:default

If the system is configured with Trusted Extensions, the "labeld" 
service will have an instance in the online state.
    
Note 3:  This issue only impacts systems with an all-zones interface that
is not based upon vni(7d)

To determine which interfaces are configured to be all-zones, the following
command can be run as root the global zone: 

    $ ifconfig -a

Those interfaces which are all-zones will contain the word "all-zones"
in their ifconfig output.  If the interface is a vni0 or other vni interface,
that interface is not impacted.  If any other interface is all-zones, the
interface may be impacted.

Sample ifconfig -a output illustrating a configuration where
 bge0 is all-zones (vulnerable), 
 vni0 is all-zones (not vulnerable),
 bge1 is not all-zones (not vulnerable):

bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        all-zones
        inet 129.146.163.175 netmask ffffff00 broadcast 129.146.163.255
        ether 0:14:4f:f:c6:a0 
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
        ether 0:14:4f:f:c6:a1 
vni0: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 4
        all-zones
        inet 192.168.240.240 netmask ffffff00 

3. Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.

4. Workaround

Interim Security Relief (ISR) is available for the following releases from http://sunsolve.sun.com/tpatches

Some customers may be restricted to running the Common Criteria evaluated version of the Solaris Trusted Extensions OE.  These customers may use the following IDRs that have been created based on the estimate that Kernel Update patches 125100-08 (SPARC) and 125101-08 (x86) will be the Target Of Evaluation (TOE):

SPARC Platform

• Solaris 10  IDR137431-01

x86 Platform

• Solaris 10 IDR137432-01

Note: This document refers to one or more temporary patches (T-Patches) and/or Interim Security Relief (IDRs) which are designed to address the concerns identified herein. Sun has limited experience with these T-Patches and IDRs due to their interim nature. As such, you should only install the T-Patches or IDRs on systems meeting the configurations described above. Sun may release full patches at a later date, however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 10 with patch 127127-11 or later
  

x86 Platform

• Solaris 10 with patch 127128-11 or later
  

For more information on Security Sun Alerts, see Technical Instruction ID 213557 at: http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.



Modification History

02-May-2008: Updated Contributing Factors, Workaround and Resolution sections. Resolved.
05-Jun-2008: Updated Contributing Factors

Attachments

This solution has no attachment