
DOE-CIRC TECHNICAL BULLETIN

T-266: Sun Solaris SCTP 'sctp(7P)' and SDP 'sdp(7D)' Sockets Local Denial Of Service Vulnerability

November 5, 2009 20:00 GMT

PROBLEM: Sun Solaris is prone to a local denial-of-service vulnerability in SCTP (Stream Control Transmission Protocol 'sctp(7P)') and SDP (Sockets Direct Protocol 'sdp(7D)') driver sockets.
PLATFORM: OpenSolaris based upon builds snv_106 through snv_126
ABSTRACT: A security vulnerability in SCTP (Stream Control Transmission Protocol (see sctp(7P))) and SDP (Sockets Direct Protocol driver (see sdp(7D))) sockets may allow local unprivileged users to leak kernel memory, thereby causing a Denial of Service (DoS) condition.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-266.shtml
  OTHER LINKS: Security Focus: http://www.securityfocus.com/bid/36938/info


IMPACT ASSESSMENT: This risk is low. Local attackers may exploit this issue to cause denial-of-service conditions.

Discussion:
A security vulnerability in SCTP (Stream Control Transmission Protocol (see sctp(7P))) and SDP (Sockets Direct Protocol driver (see sdp(7D))) sockets may allow local unprivileged users to leak kernel memory, thereby causing a Denial of Service (DoS) condition.

This issue can occur in the following releases:

SPARC Platform

    * OpenSolaris based upon builds snv_106 through snv_126

x86 Platform

    * OpenSolaris based upon builds snv_106 through snv_126

Note 1: Solaris 8, 9 and 10 are not impacted by this issue.

Note 2: OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived. To determine the base build of OpenSolaris, the following command can be used:

    $ uname -v
    snv_86

Symptoms:
A saved crash dump of the kernel generated on unresponsive systems may show a large number of buffers being used by SCTP or SDP. The following command can be run to find buffer usage information from the operating system crash dump files:

    $ echo ::kmastat -m | mdb # | egrep "sdp_conn_cache|sctp_conn_cache"

Where # is the numerical suffix of the two operating system crash dump files. For example, if the suffix is "3", mdb infers that it should examine the files "unix.3" and "vmcore.3". Example output:

    sctp_conn_cache             2264      1      7         0M         1     0 
    sdp_conn_cache              5032   6379   6379        49M      6379     0

The value in the third column indicates the number of buffers in use. If the value is much larger than the expected number of active connections, then a Denial of Service may have occurred.
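
The build check from Note 2 and the buffer check above can be scripted together. The following is an added example, not part of the original bulletin: the function names and the max_conns threshold are hypothetical, and the input is the bulletin's own two sample lines.

```shell
#!/bin/sh
# Added example (not from the bulletin). Function names and the max_conns
# threshold are assumptions chosen for illustration.

# Exit 0 if a `uname -v` string names a build in snv_106..snv_126,
# 1 if outside that range, 2 if it is not an snv_ build string.
build_affected() {
    case "$1" in
        snv_*) n=${1#snv_} ;;
        *) return 2 ;;
    esac
    n=${n%%[!0-9]*}                 # tolerate a trailing letter, e.g. snv_111b
    [ -n "$n" ] || return 2
    [ "$n" -ge 106 ] && [ "$n" -le 126 ]
}

# Read `::kmastat -m` text on stdin; print every SCTP/SDP connection cache
# whose "buf in use" (third column) exceeds max_conns ($1). Exit 1 if any.
flag_conn_caches() {
    awk -v max="$1" '
        $1 == "sctp_conn_cache" || $1 == "sdp_conn_cache" {
            if ($3 + 0 > max + 0) {
                printf "%s in_use=%d mem=%s\n", $1, $3, $5
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# The two sample lines shown in the bulletin, used here as offline input.
sample_kmastat() {
    cat <<'EOF'
sctp_conn_cache             2264      1      7         0M         1     0
sdp_conn_cache              5032   6379   6379        49M      6379     0
EOF
}

# Demo: with an assumed ceiling of 100 expected connections, only
# sdp_conn_cache is reported.
sample_kmastat | flag_conn_caches 100 || true
```

On a real crash dump, the output of the bulletin's mdb command can be piped into flag_conn_caches in place of the egrep filter, with the threshold set to the number of connections the host is expected to carry.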

Solution:
This issue is addressed in the following releases:

SPARC Platform

    * OpenSolaris based upon builds snv_127 or later

x86 Platform

    * OpenSolaris based upon builds snv_127 or later


DOE-CIRC wishes to acknowledge the contributions of Sun Microsystems for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788