[Sun] Vulnerability in Solaris lx Branded Zones - Sun Alert 266228


Dear colleagues,

we have just received the following Sun Security Advisory. We are
passing this information on to you unchanged.

Sun Bug ID 6818191 - Denial of Service vulnerability in Solaris "lx Branded Zones"

The Solaris kernel on x86 platforms contains an unspecified
vulnerability in the handling of "lx Branded Zones".
Local attackers can exploit this vulnerability to trigger a
kernel panic (denial of service).

You can detect the presence of the vulnerability as follows:

To determine whether "lx Branded Zones" exist on your system,
use the "zoneadm" command:

$ zoneadm list -v
ID  NAME     STATUS   PATH            BRAND   IP
0   global   running  /               native  shared
1   lx-zone  running  /zones/lx-zone  lx      shared

If the vulnerability is exploited, a stack trace similar to the
following appears:

panic[cpu0]/thread=ffffff02e58edac0:
BAD TRAP: type=8 (#df Double fault) rp=fffffffffbc36db0 addr=0
zsh:
#df Double fault
pid=4702, pc=0xfffffffffb852019, sp=0xffffff00104a0f60, eflags=0x10086
cr0: 8005003b cr4: 6f8
cr2: ffffff00104a0f58
cr3: 1efe18000
cr8: c
rdi: fec44480 rsi: fedb2a00 rdx: febc18f5
rcx: 4b r8: fffffffffbc4db30 r9: ffffff02d4569580
rax: 3fb28f5b30 rbx: fec40000 rbp: ffffff00104a1050
r10: fecff3db2a00ffff r11: ffffff02e58edac0 r12: 0
r13: 0 r14: ffffff02eb2db1e0 r15: 3fb28f5b30
fsb: 0 gsb: fffffffffbc2dff0 ds: 4b
es: 4b fs: 0 gs: 1c3
trp: 8 err: 0 rip: fffffffffb852019
cs: 30 rfl: 10086 rsp: ffffff00104a0f60
ss: 38
tss.tss_rsp0: 0xffffff00104a6000
tss.tss_rsp1: 0x0
tss.tss_rsp2: 0x0
tss.tss_ist1: 0xfffffffffbc36ea0
tss.tss_ist2: 0x0
tss.tss_ist3: 0x0
tss.tss_ist4: 0x0
tss.tss_ist5: 0x0
tss.tss_ist6: 0x0
tss.tss_ist7: 0x0
fffffffffbc36c90 unix:die+10f ()
fffffffffbc36da0 unix:trap+152c ()
ffffff00104a1050 unix:bcopy_ck_size+73d8 ()
ffffff00104a1140 unix:cmntrap+c5 ()
ffffff00104a1230 unix:cmntrap+c5 ()

The following software packages and platforms are affected:

x86 platform
* Solaris 10 with patch 120012-14 and without patch 141415-10
* OpenSolaris based on builds snv_49 through snv_117

The vendor provides revised packages.

Vendor advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266228-1

(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the
author, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
Klaus Moeller, DFN-CERT

--
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Solution Type Sun Alert
Solution 266228 : Security Vulnerability in lx Branded Zones May
Result in Denial of Service (DoS)
Related Categories

* Home>Content>Sun Alert Criteria Categories>Security
* Home>Content>Sun Alert Release Phase>Resolved

Bug ID
6818191

Product
Solaris 10 Operating System
OpenSolaris

Date of Resolved Release
09-Sep-2009

SA Document Body
Security Vulnerability in lx Branded Zones May Result in Denial of Service (DoS)

1. Impact
A security vulnerability in lx branded zones may allow a local
unprivileged user to panic a Solaris x86 Intel-based system running in
64-bit mode, which is a type of Denial of Service (DoS).
2. Contributing Factors
This issue can occur in the following releases:
x86 Platform
* Solaris 10 with patch 120012-14 and without patch 141415-10
* OpenSolaris based upon builds snv_49 through snv_117

Notes:
1. Solaris 8 and 9 and Solaris on the SPARC platform are not impacted
by this issue
2. This issue only affects Intel-based systems running in 64 bit mode.
amd64 machines are not impacted by this issue. To determine if a system
is Intel-based, the following command can be run:
$ psrinfo -vp
x86 (GenuineIntel 10676 family 6 model 23 step 6 clock 3166 MHz)
Intel(r) Core(tm)2 Duo CPU E8500 @ 3.16GHz

To determine if a system is running in 64 bit mode, the following
command can be run:
$ isainfo -b
64

3. This issue only affects systems which have installed and configured
an lx branded zone. To display the list of all running zones on the
system the zoneadm(1M) command can be used as follows:
$ zoneadm list -v
ID  NAME     STATUS   PATH            BRAND   IP
0   global   running  /               native  shared
1   lx-zone  running  /zones/lx-zone  lx      shared

4. OpenSolaris distributions may include additional bug fixes above and
beyond the build from which it was derived. The base build can be
derived as follows:
$ uname -v
snv_86

3. Symptoms
Should the described issue occur, the system will panic with output
similar to the following:
panic[cpu0]/thread=ffffff02e58edac0:
BAD TRAP: type=8 (#df Double fault) rp=fffffffffbc36db0 addr=0
zsh:
#df Double fault
pid=4702, pc=0xfffffffffb852019, sp=0xffffff00104a0f60, eflags=0x10086
cr0: 8005003b cr4: 6f8
cr2: ffffff00104a0f58
cr3: 1efe18000
cr8: c
rdi: fec44480 rsi: fedb2a00 rdx: febc18f5
rcx: 4b r8: fffffffffbc4db30 r9: ffffff02d4569580
rax: 3fb28f5b30 rbx: fec40000 rbp: ffffff00104a1050
r10: fecff3db2a00ffff r11: ffffff02e58edac0 r12: 0
r13: 0 r14: ffffff02eb2db1e0 r15: 3fb28f5b30
fsb: 0 gsb: fffffffffbc2dff0 ds: 4b
es: 4b fs: 0 gs: 1c3
trp: 8 err: 0 rip: fffffffffb852019
cs: 30 rfl: 10086 rsp: ffffff00104a0f60
ss: 38
tss.tss_rsp0: 0xffffff00104a6000
tss.tss_rsp1: 0x0
tss.tss_rsp2: 0x0
tss.tss_ist1: 0xfffffffffbc36ea0
tss.tss_ist2: 0x0
tss.tss_ist3: 0x0
tss.tss_ist4: 0x0
tss.tss_ist5: 0x0
tss.tss_ist6: 0x0
tss.tss_ist7: 0x0
fffffffffbc36c90 unix:die+10f ()
fffffffffbc36da0 unix:trap+152c ()
ffffff00104a1050 unix:bcopy_ck_size+73d8 ()
ffffff00104a1140 unix:cmntrap+c5 ()
ffffff00104a1230 unix:cmntrap+c5 ()

4. Workaround
There is no workaround for this issue. Please see the Resolution
section below.
5. Resolution
This issue is addressed in the following releases:
x86 Platform
* Solaris 10 with patch 141415-10 or later
* OpenSolaris based upon builds snv_118 or later
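
Added example (not part of the Sun Alert or the DFN-CERT notice): a shell function that combines the checks from Contributing Factors and Resolution into one verdict, given the captured output of psrinfo -vp, isainfo -b, zoneadm list -v and uname -v. The function name and verdict strings are hypothetical, and Solaris 10 patch levels are only flagged for manual review.

```shell
# Added example: classify exposure to Sun Alert 266228 from captured output.
# Arguments are the text printed by the commands the advisory names:
#   $1 = psrinfo -vp   $2 = isainfo -b   $3 = zoneadm list -v   $4 = uname -v
lx_alert_266228() {
    psr=$1 bits=$2 zones=$3 kernel=$4

    # Note 2: only Intel-based systems running in 64-bit mode are affected.
    case $psr in
        *GenuineIntel*) ;;
        *) echo "not-affected: CPU is not Intel-based"; return 0 ;;
    esac
    [ "$bits" = "64" ] || { echo "not-affected: not running in 64-bit mode"; return 0; }

    # Note 3: an lx branded zone must be present.
    # BRAND is the fifth column of `zoneadm list -v`; skip the header row.
    lx=$(printf '%s\n' "$zones" | awk 'NR > 1 && $5 == "lx" { n++ } END { print n + 0 }')
    [ "$lx" -gt 0 ] || { echo "not-affected: no lx branded zone"; return 0; }

    # Note 4 / Resolution: builds snv_49..snv_117 are affected, snv_118+ is fixed.
    case $kernel in
        snv_*)
            build=${kernel#snv_}
            build=${build%%[!0-9]*}    # keep leading digits, e.g. "111b" -> 111
            [ -n "$build" ] || { echo "unknown: cannot parse build '$kernel'"; return 0; }
            if [ "$build" -ge 49 ] && [ "$build" -le 117 ]; then
                echo "affected: $kernel with $lx lx zone(s)"
            else
                echo "not-affected: $kernel is outside snv_49..snv_117"
            fi ;;
        *)
            # Solaris 10: exposure depends on patches 120012-14 and 141415-10,
            # which this function does not inspect.
            echo "check-patches: verify 120012-14 / 141415-10 for '$kernel'" ;;
    esac
}

# Sample values copied from the command output shown in the advisory.
lx_alert_266228 "x86 (GenuineIntel 10676 family 6 model 23 step 6 clock 3166 MHz)" 64 \
"ID NAME STATUS PATH BRAND IP
0 global running / native shared
1 lx-zone running /zones/lx-zone lx shared" snv_86
```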

For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
This Sun Alert notification is being provided to you on an “AS IS”
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
