The Solaris rpc.metad(1M) Daemon is Vulnerable to a Denial of Service (DoS) Attack |
|
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 6676373
|
| Product : | Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris
|
| Date of Workaround Release : | 09-Jan-2009
|
| Date of Resolved Release : | 06-May-2009
|
The Solaris rpc.metad(1M) Daemon is Vulnerable to a Denial of Service (DoS) Attack
1. Impact
A security vulnerability in rpc.metad(1M) may allow a local or remote
unprivileged user to crash rpc.metad(1M), resulting in failure of the
service and causing Solaris Volume Manager (SVM) commands to
fail. This is a type of Denial-of-Service (DoS).
This issue is referenced in the following document:
CVE-2008-1480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1480
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform:
- Solaris 9 without patch 116669-34
- Solaris 10 without patch 138632-03
- OpenSolaris based upon builds snv_01 through snv_95
x86 Platform:
- Solaris 9 without patch 138574-01
- Solaris 10 without patch 138882-02
- OpenSolaris based upon builds snv_01 through snv_95
Note: Solaris 8 is not affected by this issue.
OpenSolaris distributions
may include additional bug fixes above and beyond the build from which
it was derived.
The base build can be derived as follows:
$ uname -v
snv_86
3. Symptoms
Should the described issue occur, rpc.metad(1M) exits unexpectedly and
may also generate a core file.
There may also be system error messages similar to the following:
rpc.metad: [ID 702911 daemon.error] Segmentation Fault
rpc.metad: [ID 702911 daemon.error] Bus Error
inetd[352]: [ID 702911 daemon.error] Instance
svc:/network/rpc/meta:default has exceeded its
configured failure rate, transitioning to maintenance
/usr/sbin/metaset commands on remote hosts fail with:
metaset: <remote host>: metad client create: RPC: Program not registered
/usr/sbin/meteaset commands on the local host fail with:
metaset: <local host>: network/rpc/meta:default: service not online in SMF
/usr/bin/pstack on the resulting core file will show a stack similar to
the following:
# /usr/bin/pstack /core
core '/core' of 6368: /usr/sbin/rpc.metad
ff1d7dac read_vc () + 8
ff1dc2fc fill_input_buf () + 50
ff1dc358 get_input_bytes () + 30
ff1dc414 set_input_fragment () + 28
ff1dbc88 xdrrec_getbytes () + 34
ff1dbb74 xdrrec_getint32 () + 70
ff1dbc0c xdrrec_getlong () + 8
ff1c8350 xdr_callmsg () + 3b8
ff1d8634 svc_vc_recv () + b0
ff1cf978 svc_getreq_common () + cc
ff1cf88c svc_getreq_poll () + 9c
ff1d483c _svc_run () + f0
ff1d4534 svc_run () + 84
0001c0e8 main () + 2cc
000147d0 _start () + 108
4. Workaround
There is no workaround for this issue. However, it may be possible to
recover from the Denial of Service condition using the following method:
Verify that rpc.metad is not running:
For Solaris 8 and 9:
# pgrep -lf rpc.metad || /usr/sbin/rpc.metad
then restart rpc.metad as follows:
For Solaris 10 and OpenSolaris:
# pgrep -lf rpc.metad || svcadm clear network/rpc/meta
5. Resolution
This issue is addressed in the following releases:
SPARC Platform:
- Solaris 9 with patch 116669-34 or later
- Solaris 10 with patch 138632-03 or later
- OpenSolaris based upon builds snv_96 or later
x86 Platform:
- Solaris 9 with patch 138574-01 or later
- Solaris 10 with patch 138882-02 or later
- OpenSolaris based upon builds snv_96 or later
For more information on
Security Sun Alerts, see Technical
Instruction
ID 213557.
This Sun Alert
notification is being provided to you on
an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun
Microsystems,
Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Modification History06-May-2009: Updated Contributing Factors and Resolution sections; issue is Resolved
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
