=====================================================================
                            CERT-Renater

                 Information Note No. 2008/VULN078
_____________________________________________________________________

DATE                  : 26/02/2008

HARDWARE PLATFORM(S)  : /

OPERATING SYSTEM(S)   : Solaris 8, Solaris 9, Solaris 10.

======================================================================

Solution Type: Sun Alert

Solution 200183: Security Vulnerability May Allow Firewall Compromise
or Creation of Denial of Service (DoS) Condition

Bug ID: 6240205

Product: Solaris 9 Operating System
         Solaris 10 Operating System
         Solaris 8 Operating System

Date of Resolved Release: 08-Feb-2008

1. Impact

A security vulnerability in the Solaris Internet Protocol (IP - see
ip(7P)) implementation may allow a remote privileged user to send
certain packets bypassing the security policies set by a firewall or
to cause the system to panic, creating a Denial of Service (DoS)
condition.

Sun acknowledges, with thanks, Mark Dowd from IBM Internet Security
Systems X-Force (http://xforce.iss.net) for bringing this issue to our
attention.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  * Solaris 8 without patch 116965-30
  * Solaris 9 without patch 114344-32
  * Solaris 10 without patch 118822-27

x86 Platform
  * Solaris 8 without patch 116966-29
  * Solaris 9 without patch 119435-20
  * Solaris 10 without patch 118844-28

3. Symptoms

There are no predictable symptoms that would indicate the policies of
a firewall have been circumvented.

If the system panics due to this issue, the following stack trace may
be seen:

    icmp_pkt_v6+0xxxxx
    icmp_param_problem_v6+0xxxxx
    ip_fanout_sec_proto+0xxxxx
    ip_rput_local+0xxxxx
    ip_rput+0xxxxx
    putnext+0xxxxx

4. Workaround

To work around the described issues:

As "root," set the ndd(1M) variable "ip_reass_queue_bytes" to 0 by
using the following command:

    # ndd -set /dev/ip ip_reass_queue_bytes 0

This workaround will stop the system from re-assembling IP fragments.
Networks which send/receive fragmented IP packets to/from the system
will become unreachable.

Note: This workaround is not persistent across reboot.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
  * Solaris 8 with patch 116965-30 or later
  * Solaris 9 with patch 114344-32 or later
  * Solaris 10 with patch 118822-27 or later

x86 Platform
  * Solaris 8 with patch 116966-29 or later
  * Solaris 9 with patch 119435-20 or later
  * Solaris 10 with patch 118844-28 or later

For more information on Security Sun Alerts, see Sun Infodoc 91209.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
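
Added example (not part of the Sun Alert or the CERT-Renater note): a
shell check that compares a host's installed patch revision against the
minimum revisions listed in sections 2 and 5. It assumes `showrev -p`
prints lines of the form "Patch: <id>-<rev> ..." and that `uname -r` /
`uname -p` report 5.8/5.9/5.10 and sparc/i386; the function names are
hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: patch-level check for Sun Alert 200183.
# Function names are hypothetical; they are not Sun or CERT-Renater tooling.

# Minimum fixed patch from the advisory for an OS release / processor pair.
# Arguments are the strings printed by `uname -r` and `uname -p` (assumed).
required_patch() {
    case "$1/$2" in
        5.8/sparc)  echo 116965-30 ;;
        5.9/sparc)  echo 114344-32 ;;
        5.10/sparc) echo 118822-27 ;;
        5.8/i386)   echo 116966-29 ;;
        5.9/i386)   echo 119435-20 ;;
        5.10/i386)  echo 118844-28 ;;
        *) return 1 ;;
    esac
}

# Highest installed revision of patch base $1 in `showrev -p` text on stdin.
# Prints nothing when that patch base is not installed at all.
installed_rev() {
    awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max > 0) print max }'
}

# check_host RELEASE PROCESSOR < showrev-output
# Prints FIXED, VULNERABLE or UNKNOWN; returns 0 only for FIXED.
check_host() {
    need=$(required_patch "$1" "$2") || { echo UNKNOWN; return 2; }
    base=${need%-*}
    min=${need#*-}
    have=$(installed_rev "$base")
    if [ -n "$have" ] && [ "$have" -ge "$min" ]; then
        echo FIXED
    else
        echo VULNERABLE; return 1
    fi
}

# On a live host: showrev -p | check_host "$(uname -r)" "$(uname -p)"
# Constructed sample of `showrev -p` output for a Solaris 10 SPARC host:
SAMPLE='Patch: 118822-25 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 999999-01 Obsoletes: Requires: Incompatibles: Packages: SUNWexample'
```

Only the patch IDs named in the advisory are compared, so a VULNERABLE
result on a host patched through some other patch ID needs manual review.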