A Security Vulnerability in idmap(1M) of OpenSolaris may Allow a Denial of the CIFS (Common Internet File System) Service (DoS) |
|
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 6810842
|
| Product : | OpenSolaris
|
| Date of Resolved Release : | 05-Jun-2009
|
A security vulnerability in the OpenSolaris idmap(1M) command:
1. Impact
A security vulnerability in the OpenSolaris idmap(1M) command may allow a
local unprivileged user to kill the idpmapd(1M) daemon on a CIFS (Common
Internet File System/Windows file service) server and cause the idmapd(1M)
SMF service to transition to the "maintenance" state (see smf(5)). This is a type
of Denial of Service (DoS).
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- OpenSolaris based upon builds snv_88 through snv_110
x86 Platform
- OpenSolaris based upon builds snv_88 through snv_110
Note
1: Solaris 8, 9 and 10 are not impacted by this issue as they
do not support idmap for CIFS.
Note 2: OpenSolaris
distributions may include additional bug fixes above and beyond the
build from which it was derived. To determine the base build of
OpenSolaris, the following command can
be used:
$ uname -v
snv_86
Note 3: Only systems that are configured to be a CIFS server are
impacted by this issue. To determine if a system is a CIFS
server, check to see if the SMB server service is online:
$ svcs svc:/network/smb/server:default
STATE STIME FMRI
online 9:17:49 svc:/network/smb/server:default
3. Symptoms
If the described issue occurs the idmapd(1M) SMF service (svc:/system/idmap) will be in the "maintenance" state and one or more core files may be generated depending on the configuration of coreadm(1M).
The state of the service can be confirmed by using the following command:
$ svcs svc:/system/idmap
If a core file is generated, the start of the stack trace (from pstack(1)
for example) will be similar to the following:
libc_hwcap2.so.1`strlen+0x30(0, fea4e9bc, a, 5)
list_mappings_cb+0x71c(fea4ea70, 13, 83b5838, 83b597c)
sqlite_exec+0xc5(817f818, 821e540, 806410c, fea4ea70, fea4ea6c, 0)
process_list_svc_sql+0x50(817f818, 80a8514, 821e540, 400, 0, 8)
4. Workaround
There is no workaround for this issue. However, if the described issue occurs, the system can be recovered by executing the following command as root:
# svcadm clear svc:/system/idmap:default
Note: This will only recover from the failure and does not prevent further failures.
5.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- OpenSolaris based upon builds snv_111 or later
x86 Platform
- OpenSolaris based upon builds snv_111 or later
For more information
on Security Sun Alerts, see Technical
Instruction
ID 213557.
This Sun Alert notification is being provided
to you on
an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle,
Santa
Clara, CA 95054 U.S.A. All rights reserved.
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
