=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN232
_____________________________________________________________________

DATE                      : 09/05/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris 9, Solaris 10.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 102246
      * Synopsis: A Security Vulnerability in the "libike" Library May
        Potentially Cause a Denial of Service to the in.iked(1M) Daemon
      * Category: Security
      * Product: Solaris 9 Operating System, Solaris 10 Operating System
      * BugIDs: 6348585
      * Avoidance: Patch
      * State: Resolved
      * Date Released: 08-May-2006
      * Date Closed: 08-May-2006
      * Date Modified:

1. Impact

    It may be possible for a remote privileged user to cause the
    in.iked(1M) daemon to crash or cause in.iked to send invalid data to a
    peer system, potentially causing that system's in.iked daemon to
    crash, when an IKE exchange with a malformed payload is attempted.

    If in.iked crashes, then IKE can not be used to exchange keying
    information for IPsec, thus causing a Denial of Service (DoS) to IPsec
    protected network traffic.

    This issue is revealed by the test suite described in NISCC
    vulnerability #273756, which is available at
    http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en

2. Contributing Factors

    This issue can occur in the following releases:

    SPARC Platform
      * Solaris 9 without patch 113451-11
      * Solaris 10 without patch 118371-07

    x86 Platform
      * Solaris 9 without patch 114435-10
      * Solaris 10 without patch 118372-07

    Notes:
     1. Solaris 8 does not support IKE and is not affected by this issue.
     2. The described issue only affects systems configured to run the IKE
        (Internet Key Exchange) daemon in.iked(1M).

    The in.iked(1M) daemon is configured to run on a system if the file
    '/etc/inet/ike/config' is present. For example, the following command
    can be run to determine if IKE services are configured on the system:
     $ file /etc/inet/ike/config
     /etc/inet/ike/config:   cannot open: No such file or directory

3. Symptoms

    If this issue has been exploited, the IKE daemon may no longer be
    running on the system.

    To determine if the IKE (in.iked(1M)) daemon is not running on a
    system which has IKE configured, the following command can be run:
     $ test ! -f /etc/inet/ike/config || pgrep in.iked || \
     echo "in.iked not running but should be"

    Note: The IKE protocol is an exchange of network packets between two
    or more peers. One or more of the peer systems may be running an
    operating system other than Solaris. In order to determine if the IKE
    daemon is configured and running correctly on a non-Solaris system
    consult the operating system vendor or operating system manuals for
    the system.

4. Relief/Workaround

    To manually restart in.iked(1M), the following command can be run (as
    'root'):
     # /usr/lib/inet/in.iked

5. Resolution

    This issue is addressed in the following releases:

    SPARC Platform
      * Solaris 9 with patch 113451-11 or later
      * Solaris 10 with patch 118371-07 or later

    x86 Platform
      * Solaris 9 with patch 114435-10 or later
      * Solaris 10 with patch 118372-07 or later

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================