—–BEGIN PGP SIGNED MESSAGE—–
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgendes Sun Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.
CVE-2008-1480 – Schwachstelle im Solaris rpc.metad
Es besteht eine nicht naeher beschriebene Schwachstelle im Solaris
rpc.metad bei der Verarbeitung von RPC-Anfragen. Ein entfernter
Angreifer kann laut Hersteller den Dienst mit Hilfe einer entsprechend
formulierten RPC-Anfrage zum Absturz bringen.
Betroffen sind die folgenden Software Pakete und Plattformen:
Solstice Disk Suite 4.2.1
Solaris 9
Solaris 10
OpenSolaris
SPARC Plattform:
* Solstice Disk Suite 4.2.1 (fuer Solaris 8)
* Solaris 9 ohne Patch 116669-34
* Solaris 10 ohne Patch 138632-03
* OpenSolaris basierend auf den Builds snv_01 bis snv_95
x86 Plattform:
* Solstice Disk Suite 4.2.1 (fuer Solaris 8)
* Solaris 9 ohne Patch 138574-01
* Solaris 10 ohne Patch 138882-02
* OpenSolaris basierend auf den Builds snv_01 bis snv_95
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
Hersteller Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-249146-1
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Andreas Bunten, DFN-CERT
– —
Andreas Bunten (Incident Response Team), +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
16. DFN-Workshop Sicherheit in vernetzten Systemen
https://www.dfn-cert.de/ws2009/
Solution Type Sun Alert
Solution 249146 : The Solaris rpc.metad(1M) Daemon is Vulnerable to
a Denial of Service (DoS) Attack
Related Categories
* Home>Content>Sun Alert Criteria Categories>Security
* Home>Content>Sun Alert Release Phase>Workaround
Bug ID
6676373
Product
Solstice Disk Suite 4.2.1
Solaris 9 Operating System
Solaris 10 Operating System
OpenSolaris
Date of Workaround Release
09-Jan-2009
SA Document Body
The Solaris rpc.metad(1M) Daemon is Vulnerable to a Denial of Service (DoS) Att
ack
1. Impact
A security vulnerability in rpc.metad(1M) may allow a local or remote
unprivileged user to crash rpc.metad(1M), resulting in failure of the
service and causing Solaris Volume Manager (SVM) commands to fail.
This is a type of Denial-of-Service (DoS).
This issue is referenced in the following document:
CVE-2008-1480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1480
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform:
* Solstice Disk Suite 4.2.1 (for Solaris 8)
* Solaris 9 without patch 116669-34
* Solaris 10 without patch 138632-03
* OpenSolaris based upon builds snv_01 through snv_95
x86 Platform:
* Solstice Disk Suite 4.2.1 (for Solaris 8)
* Solaris 9 without patch 138574-01
* Solaris 10 without patch 138882-02
* OpenSolaris based upon builds snv_01 through snv_95
Note: OpenSolaris distributions may include additional bug fixes above
and beyond the build from which it was derived.
The base build can be derived as follows:
$ uname -v
snv_86
3. Symptoms
Should the described issue occur, rpc.metad(1M) exits unexpectedly and
may also generate a core file.
There may also be system error messages similar to the following:
rpc.metad: [ID 702911 daemon.error] Segmentation Fault
rpc.metad: [ID 702911 daemon.error] Bus Error
inetd[352]: [ID 702911 daemon.error] Instance
svc:/network/rpc/meta:default has exceeded its
configured failure rate, transitioning to maintenance
/usr/sbin/metaset commands on remote hosts fail with:
metaset:
/usr/sbin/meteaset commands on the local host fail with:
metaset:
/usr/bin/pstack on the resulting core file will show a stack similar to
the following:
# /usr/bin/pstack /core
core ‘/core’ of 6368: /usr/sbin/rpc.metad
ff1d7dac read_vc () + 8
ff1dc2fc fill_input_buf () + 50
ff1dc358 get_input_bytes () + 30
ff1dc414 set_input_fragment () + 28
ff1dbc88 xdrrec_getbytes () + 34
ff1dbb74 xdrrec_getint32 () + 70
ff1dbc0c xdrrec_getlong () + 8
ff1c8350 xdr_callmsg () + 3b8
ff1d8634 svc_vc_recv () + b0
ff1cf978 svc_getreq_common () + cc
ff1cf88c svc_getreq_poll () + 9c
ff1d483c _svc_run () + f0
ff1d4534 svc_run () + 84
0001c0e8 main () + 2cc
000147d0 _start () + 108
4. Workaround
There is no workaround for this issue. However, it may be possible to
recover from the Denial of Service condition using the following
method:
Verify that rpc.metad is not running:
For Solaris 8 and 9:
# pgrep -lf rpc.metad || /usr/sbin/rpc.metad
then restart rpc.metad as follows:
For Solaris 10 and OpenSolaris:
# pgrep -lf rpc.metad || svcadm clear network/rpc/meta
5. Resolution
This issue is addressed in the following releases:
SPARC Platform:
* Solaris 9 with patch 116669-34 or later
* Solaris 10 with patch 138632-03 or later
* OpenSolaris based upon builds snv_96 or later
x86 Platform:
* Solaris 9 with patch 138574-01 or later
* Solaris 10 with patch 138882-02 or later
* OpenSolaris based upon builds snv_96 or later
A final resolution is pending completion for Disk Suite 4.2.1 for
Solaris 8.
For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
This Sun Alert notification is being provided to you on an “AS IS”
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Attachments
This solution has no attachment
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBSWyIZEhXCWfrVVdXAQGyHgf/Y+LEbGFiU3d+Xebw6Lb6AW4AcUf+ge3w
ObEVRU+t4xH/r7ntCxvsyUckFeyhRQz3vmwvkM2GcN8y7PNZC4JRZexmUkj7dF2G
GKOHLi88qq/TWqiOG4cE6k5wdi6sfIQYAOWznIlJ+jyvm/lzuacrBT32cLq18E10
LD+YKRxvl6DWfICaNEK6jXJGnoln8bAlF/yZCJVVre4HKBDXQM0PeLzbxL8KGKED
m8Fo7H9h1lClunLAJ5dyQ2LSbXDURoREgOKKdMkkv5pp2lEL8BZlSRDrtYhFVUJk
kMKtTz9e51VguV1qD1ib7Qd0DkOt3IDSknDyYbaghaoRyChEmvR/yg==
=2Vzb
—–END PGP SIGNATURE—–
