Patch-ID# 109736-13
Keywords: encryption efs security international ha ftp fragmentation proxy
Synopsis: SunScreen 3.1 LITE (sparc) miscellaneous fixes
Date: Mar/09/2004

******************************************************
The items made available through this website are subject to United States
export laws and may be subject to export and import laws of other countries.
You agree to strictly comply with all such laws and obtain licenses to export,
re-export, or import as may be required. Unless expressly authorized by the
United States Government to do so you will not, directly or indirectly, export
or re-export the items made available through this website, nor direct the
items therefrom, to any embargoed or restricted country identified in the
United States export laws, including but not limited to the Export
Administration Regulations (15 C.F.R. Parts 730-774).
******************************************************

Install Requirements: None

Solaris Release: 8

SunOS Release: 5.8

Unbundled Product: SunScreen EFS

Unbundled Release: 3.1 LITE

Xref: This patch is available for x86 as Patch 109737.
Topic:

Relevant Architectures: sparc

BugId's fixed with this patch:
4048429 4266794 4328055 4333069 4347894 4347899 4347905 4355078
4365144 4366229 4368757 4370757 4371086 4371655 4371831 4373963
4373964 4373966 4373972 4373976 4377829 4389132 4395538 4400107
4412981 4418010 4418578 4431381 4432276 4432480 4433735 4458205
4467805 4468944 4474065 4475718 4475976 4483861 4485964 4489200
4491469 4493103 4494052 4530873 4632254 4713896 4729278 4760976
4762492 4764370 4764373 4767244 4770205 4786474 4795556 4801062
4837929 4845456 4861572 4890614 4913304 4926941 4959989

Changes incorporated in this version: 4926941 4913304 4959989

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/init.d/plumbsunscreen
/etc/rcS.d/S20plumbsunscreen
/kernel/drv/screen
/kernel/drv/sparcv9/screen
/kernel/strmod/efs
/kernel/strmod/sparcv9/efs
/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Client.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/OutputReader.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/RemoteCommand.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Server.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/logbrowser/LogBrowser.class
/opt/SUNWicg/SunScreen/admin/htdocs/plugin/welcome.html
/opt/SUNWicg/SunScreen/admin/htdocs/welcome.html
/opt/SUNWicg/SunScreen/bin/sslogmgmt
/opt/SUNWicg/SunScreen/lib/authuser
/opt/SUNWicg/SunScreen/lib/datacompiler
/opt/SUNWicg/SunScreen/lib/efs2to3
/opt/SUNWicg/SunScreen/lib/getlog
/opt/SUNWicg/SunScreen/lib/jar_hash
/opt/SUNWicg/SunScreen/lib/jar_sig
/opt/SUNWicg/SunScreen/lib/logdump
/opt/SUNWicg/SunScreen/lib/logmacro
/opt/SUNWicg/SunScreen/lib/logmsg
/opt/SUNWicg/SunScreen/lib/natcompiler
/opt/SUNWicg/SunScreen/lib/proxyuser
/opt/SUNWicg/SunScreen/lib/screeninfo
/opt/SUNWicg/SunScreen/lib/ss_access_convert
/opt/SUNWicg/SunScreen/lib/ss_compiler
/opt/SUNWicg/SunScreen/lib/ss_disable_send
/opt/SUNWicg/SunScreen/lib/ss_logd
/opt/SUNWicg/SunScreen/lib/ss_rule_convert
/opt/SUNWicg/SunScreen/lib/ss_upgrade
/opt/SUNWicg/SunScreen/lib/statetables
/opt/SUNWicg/SunScreen/lib/statetables64
/opt/SUNWicg/SunScreen/lib/strs
/opt/SUNWicg/SunScreen/lib/unplumb_solaris8
/opt/SUNWicg/SunScreen/lib/user_authenticate
/opt/SUNWicg/SunScreen/lib/vars
/opt/SUNWicg/SunScreen/ssadm/edit
/opt/SUNWicg/SunScreen/ssadm/lock
/opt/SUNWicg/SunScreen/ssadm/log
/opt/SUNWicg/SunScreen/ssadm/logdump
/opt/SUNWicg/SunScreen/ssadm/logmacro
/opt/SUNWicg/SunScreen/ssadm/logstats
/opt/SUNWicg/SunScreen/ssadm/traffic_stats
/opt/SUNWicg/SunScreen/support/nattables
/opt/SUNWicg/SunScreen/support/nattables64
/opt/SUNWicg/SunScreen/support/packages
/opt/SUNWicg/SunScreen/support/statetable_summary
/opt/SUNWicg/SunScreen/support/versions
/opt/SUNWicg/sunscreen/ssadm/debug_level
/sbin/ss_plumb_interface
/usr/kernel/drv/screen_skip
/usr/kernel/drv/sparcv9/screen_skip
/usr/kernel/misc/screen_dns
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_ip
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_ping
/usr/kernel/misc/screen_pmap
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/screen_stateless
/usr/kernel/misc/screen_tcp
/usr/kernel/misc/screen_udp
/usr/kernel/misc/sparcv9/screen_dns
/usr/kernel/misc/sparcv9/screen_fail
/usr/kernel/misc/sparcv9/screen_ftp
/usr/kernel/misc/sparcv9/screen_ip
/usr/kernel/misc/sparcv9/screen_nfsro
/usr/kernel/misc/sparcv9/screen_normal
/usr/kernel/misc/sparcv9/screen_ping
/usr/kernel/misc/sparcv9/screen_pmap
/usr/kernel/misc/sparcv9/screen_raudio
/usr/kernel/misc/sparcv9/screen_rsh
/usr/kernel/misc/sparcv9/screen_sqlnet
/usr/kernel/misc/sparcv9/screen_stateless
/usr/kernel/misc/sparcv9/screen_tcp
/usr/kernel/misc/sparcv9/screen_udp
/opt/SUNWicg/SunScreen/lib/logmgmt-Xample

Problem Description:

4926941 sunscreen 3.2 pmap state engine dropping NULL procedure
4913304 Retransmission FIN packet is dropped in CLOSING state
4959989 Fin Ack does not change state to ESTABLISHED

(from 109736-12)

4837929 Unable to use ifconfig to remove SunScreen module from network interface.
4795556 ssadm logdump command hangs after some minutes
4389132 wrong version number of new created policy shown.
4433735 security home page URL at welcome screen should pop-up new browser window.
4861572 Sunscreen 3.1 network connectivity slows to unusable level
4890614 Patch 109734-09 breaks nattables command.
4801062 Customer wants less descriptive log, to not resolve hostname, only IP addresses

        There is a new -r option to the logdump command; it forces logdump not to
        use the name service to resolve IP addresses to names.

        Example:

        ssadm log get | ssadm logdump -i -r

statetable_summary
------------------
This script is provided to aid diagnosis of performance problems caused by
large state tables. It performs analysis on a file containing the output from
one of:

        ssadm lib/statetables
        ssadm lib/nattables
        ssadm lib/screeninfo

Usage: /usr/lib/sunscreen/support/statetable_summary file_to_analyse

The output is written to stdout and to files in /var/tmp.

This script can be run on a system with SunScreen installed, in which case it
will run the statetables & nattables commands directly if an input file is not
specified. If an input file is provided then the script can be run on any
Solaris system; it does not have to be run on the screen. In many cases this is
desirable because the script can take a very long time to run and generate
significant load on the system if the statetable it is analysing is very large.

As with all programs in /usr/lib/sunscreen/support this is provided for support
purposes only and is not a supported part of the product.
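The state-engine fixes in this revision (4913304, 4959989) and the earlier ones in the list that follows (4713896, 4762492, 4764370, 4764373, 4767244, 4770205, 4468944, 4493103) describe one class of defect: a stateful filter that lets a segment move a connection into a state the TCP rules do not allow, or that drops a legitimate retransmission. The following Python model is an added illustration written for this README; it is not SunScreen code and does not claim to show how screen_tcp is implemented. It puts the intended behaviours into one small state machine. The Packet layout, the 120 second CLOSING timer, the acceptance window and the constructed trace in demo() are assumptions.

```python
"""Stateful TCP filter model, added here to illustrate the screen_tcp state
engine fixes listed in this README. Not SunScreen source: the Packet layout,
the acceptance window and the CLOSING timer value are assumptions."""
from dataclasses import dataclass

CONNECTING, ESTABLISHED, CLOSING = "CONNECTING", "ESTABLISHED", "CLOSING"
CLOSING_TTL = 120.0          # assumed CLOSING timer, seconds
WINDOW = 65535               # assumed window for accepting retransmissions
ECN_BITS = {"ECE", "CWR"}    # 4468944: ECN flags never decide the verdict


@dataclass
class Packet:
    src: str          # "client" (initiator) or "server"
    flags: frozenset  # e.g. frozenset({"SYN", "ACK"})
    seq: int
    ack: int = 0
    payload: int = 0  # bytes of data carried
    t: float = 0.0    # arrival time, seconds


class TcpSession:
    """One state-table entry. filter() returns "pass" or "drop"."""

    def __init__(self):
        self.state = None
        self.next_seq = {}     # next expected sequence number per sender
        self.expire_at = None  # written once, when CLOSING is entered

    def _in_order(self, p):
        exp = self.next_seq.get(p.src)
        return exp is not None and exp - WINDOW <= p.seq <= exp

    def _advance(self, p, f):
        if p.seq == self.next_seq.get(p.src):
            self.next_seq[p.src] = p.seq + p.payload + ("SYN" in f) + ("FIN" in f)

    def _connecting(self, p, f):
        if f == {"SYN"} and p.src == "client" and p.seq + 1 == self.next_seq["client"]:
            return "pass"              # 4493103: retransmitted SYN keeps the entry
        if f == {"SYN", "ACK"} and p.src == "server" and p.ack == self.next_seq["client"]:
            self.next_seq["server"] = p.seq + 1
            return "pass"
        if (f == {"ACK"} and p.src == "client" and p.seq == self.next_seq["client"]
                and p.ack == self.next_seq.get("server")):
            self.state = ESTABLISHED   # third segment completes the handshake
            self._advance(p, f)
            return "pass"
        return "drop"  # 4713896: data before the handshake; 4767244: FIN in CONNECTING

    def filter(self, p):
        f = p.flags - ECN_BITS
        if self.state is None:
            if f == {"SYN"} and p.src == "client":
                self.state = CONNECTING
                self.next_seq["client"] = p.seq + 1
                return "pass"
            return "drop"              # only a SYN may create an entry
        if "RST" in f:                 # 4770205: RST is valid in every state
            if self.state != CLOSING:  # (RST sequence check omitted in this model)
                self.state, self.expire_at = CLOSING, p.t + CLOSING_TTL
            return "pass"              # 4762492: a repeated RST does not reset the timer
        if self.state == CONNECTING:
            return self._connecting(p, f)
        if not self._in_order(p):
            return "drop"              # outside this sender's window
        if {"SYN", "ACK"} <= f and p.src == "server":
            return "pass"              # 4764370: duplicate SYN/ACK leaves ESTABLISHED alone
        if self.state == ESTABLISHED and "FIN" in f:
            if p.seq != self.next_seq[p.src]:
                return "drop"          # 4764373: a FIN must carry the expected seq
            self.state, self.expire_at = CLOSING, p.t + CLOSING_TTL
        # In CLOSING a retransmitted FIN (4913304, 4845456) and the ACK of a FIN
        # (4959989) both pass; neither reopens the entry nor extends the timer.
        self._advance(p, f)
        return "pass"

    def expired(self, now):
        """True once the CLOSING timer has run out and the entry can be reaped."""
        return self.state == CLOSING and now >= self.expire_at


def demo():
    """Constructed trace of one connection; returns (label, verdict, state)."""
    F, s = frozenset, TcpSession()
    trace = [
        ("data before any SYN",        Packet("client", F({"ACK"}), 1000, 0, 100, 0.0)),
        ("client SYN with ECN bits",   Packet("client", F({"SYN", "ECE", "CWR"}), 1000, 0, 0, 0.0)),
        ("FIN while CONNECTING",       Packet("client", F({"FIN", "ACK"}), 1001, 0, 0, 0.1)),
        ("data before SYN/ACK",        Packet("client", F({"ACK"}), 1001, 0, 50, 0.1)),
        ("server SYN/ACK",             Packet("server", F({"SYN", "ACK"}), 5000, 1001, 0, 0.2)),
        ("client ACK, handshake done", Packet("client", F({"ACK"}), 1001, 5001, 0, 0.3)),
        ("retransmitted SYN/ACK",      Packet("server", F({"SYN", "ACK"}), 5000, 1001, 0, 0.4)),
        ("client data, 100 bytes",     Packet("client", F({"ACK"}), 1001, 5001, 100, 0.5)),
        ("FIN with bogus seq",         Packet("client", F({"FIN", "ACK"}), 1201, 5001, 0, 0.6)),
        ("client FIN",                 Packet("client", F({"FIN", "ACK"}), 1101, 5001, 0, 0.7)),
        ("server ACKs the FIN",        Packet("server", F({"ACK"}), 5001, 1102, 0, 0.8)),
        ("retransmitted FIN",          Packet("client", F({"FIN", "ACK"}), 1101, 5001, 0, 0.9)),
    ]
    return [(label, s.filter(p), s.state) for label, p in trace]


if __name__ == "__main__":
    for label, verdict, state in demo():
        print("%-28s %-4s  state=%s" % (label, verdict, state))
```

Running it prints the verdict and the resulting state for each constructed segment. The point to take from the CLOSING branch is that a retransmitted FIN, or the ACK of a FIN, is passed because the peer is still closing, but neither writes expire_at again; a host that keeps replaying FINs therefore cannot keep the entry alive, which is the behaviour 4760976 and 4762492 complain about.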
(from 109736-11)

4845456 FIN packet is unexpectedly dropped in CLOSING state

(from 109736-10)

4786474 Random errors from unplumb_solaris8

(from 109736-09)

4371086 NFS state engine assumes 20 byte tcp header size
4467805 UDP hash lookup needs improvement
4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback
4483861 ttls for NAT entries need to be more closely related to stateentries
4491469 reply packets don't match broadcast UDP sessions, get dropped
4713896 SunScreen3.1 allows TCP data packets to pass prior to the 3-way handshake.
4729278 logdump does no bounds checking on transient ports array
4760976 FIN attack: port continues being open
4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer.
4764370 Duplicate Syn/Ack can change SunScreen state from ESTABLISHED to CONNECTING
4764373 SunScreen does not check sequence numbers of FIN packets
4767244 SunScreen allows FIN packet in CONNECTING state.
4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly

(from 109736-08)

4371655 PASSIVE screen leaks skip encrypted packets
4458205 traffic_stats output has error
4468944 SunScreen drops TCP ECN packets
4474065 SunScreen cluster can hang (allocb fail)
4530873 ssadm traffic_stats reports negative values
4632254 sqlnet engine hangs after fetching few records

(from 109736-07)

4418010 sslogmgmt always returns error: argument expected
4475718 large number of address objects in policy can cause compile failure
4493103 TCP state fails on duplicate SYN, connection drops after 120 seconds
4494052 UDP 162 is not being blocked

(from 109736-06)

4432480 Sunscreen NAT has performance problems in certain topologies
4485964 PASV ftp and DYNAMIC NAT broken
4489200 panic in statetable cleanup routines

(from 109736-05)

4432276 Performance degradation due to inefficient TCP Hash function

(from 109736-04)

4418578 IP addresses get garbled with first activation of policy on interface
4412981 ftp state engine does not recognize RST
4431381 ftp state engine confused in certain instances when Microsoft server is used

(from 109736-03)

4355078 performance in stealth mode slower than SPF-200
4400107 sunscreen consuming large amounts of kernel memory
4395538 ss_logd core dumps causing the system to hang
4377829 HA screen will become passive if an interface cable is unplugged.
4373963 screeninfo output gets truncated.
4266794 ssadm screeninfo does not return ip_forwarding status
4373976 misc enhancements to screeninfo.
4048429 Configuration names with spaces don't work
4373966 screeninfo does not get SCCS versions of all files.
4373972 screeninfo should perform consistency checks on SunScreen packages.
4373964 Patch information retrieved by screeninfo can be incorrect.
4365144 ftp state engine can't handle tcp option tstamp on PORT packets

(from 109736-02)

4366229 When encryption rule added, machine gets stack overflow panic
4368757 "*" service should be based on ipmobile not iptunnel
4370757 PASV FTP vulnerability fix breaks NAT sequence numbers
4371831 Fragmentation Needed but DF bit set message sent out in error

(from 109736-01)

4328055 ssadm logdump -i file -x0 does not display hex dump of packet
4333069 traffic passes to undefined addresses despite rules
4347894 Vulnerable to the PASV FTP attack that was published on "bugtraq"
4347899 File containing something that looks like FTP commands could be misinterpreted
4347905 vulnerable to the jolt2.c fragmentation attack

Patch Installation Instructions:
--------------------------------
See Special Install Instructions.

Special Install Instructions:
-----------------------------

Installation Instructions for the Administration Station
--------------------------------------------------------
1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Administration Station, ensure that
   you have already installed the latest version of Solaris patch 106125.
   Version 106125-06 is available on your SunScreen EFS 3.1 CD.

3. Transfer the patch file to the Administration Station.

4. Then type:

   # uncompress 109736-13.tar.Z
   # tar xf 109736-13.tar
   # patchadd 109736-13

Installation Instructions for Locally Administered Screens
----------------------------------------------------------
1. Become root on the Screen.

2. If you are running Solaris 2.6 on the Screen, ensure that you have already
   installed the latest version of Solaris patch 106125. Version 106125-06 is
   available on your SunScreen EFS 3.1 CD.

3. Transfer the patch file to the Screen using a diskette or ftp (with 3 MB
   free).

4. Type the following:

   # uncompress 109736-13.tar.Z
   # tar xf 109736-13.tar
   # patchadd 109736-13

5. Reboot the Screen.

Instructions for Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------
Use this procedure ONLY if you cannot otherwise transfer the patch to the
Screen.

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Screen, ensure that you have already
   installed the latest version of Solaris patch 106125. Version 106125-06 is
   available on your SunScreen EFS 3.1 CD.

3. Transfer the patch file to the Administration Station.

4. Type the following:

   # ssadm -r patch install < 109736-13.tar.Z

Installation Instructions for High Availability (HA) clusters.
--------------------------------------------------------------
1. Determine which screen is ACTIVE within the HA Cluster using the following
   command on each:

   # ssadm ha status

2. Follow the appropriate patch installation instructions from this README
   file to install the patch on the CURRENTLY ACTIVE SCREEN within the HA
   Cluster (determined in the previous step).

3. Be sure to reboot that screen upon completion of the patch installation.

4. After the reboot, the screen on which the patch was just installed will
   come up in PASSIVE mode and some other member of the HA cluster will become
   ACTIVE.

5. Repeat steps 1-4 until the patch has been applied to all members of the HA
   cluster.

Notes on patching HA clusters:

If the patch is installed on a PASSIVE screen before it is installed on an
ACTIVE screen, the HA daemon ss_had can core dump; this gives symptoms similar
to bug 4347381.

The SunScreen HA model works by having 2 or more firewalls in parallel. Both
firewalls see the same packets and hence calculate the same statetable entries.
If a packet matches a statetable entry, it is passed through the screen. If the
ACTIVE screen is rebooted, one of the PASSIVE firewall(s) will take over.
Existing connections will still be maintained, as the PASSIVE firewall which
has just become ACTIVE will have the statetable entries.

Once the originally ACTIVE firewall has been rebooted, it will have an empty
statetable. This firewall will add any new connections made since it was
rebooted to its statetable, but will not know about connections established
before it was rebooted. If the currently ACTIVE screen is rebooted before the
rebooted member has learned those connections, some connections may get
dropped. It is not possible to say exactly how long it will take for both (all)
the firewalls to have the same statetable entries, as this will depend on the
type of connection being passed and the lifetime of this connection.

Running the following command on both (all) firewalls in the cluster will give
the administrator a good indication of when it is safe to reboot the second
firewall without significant loss of service:

   # ssadm lib/statetables | grep ESTABLISHED | wc -l

Instructions for Identifying Patches Installed on System
--------------------------------------------------------
1. To identify the patch level on your locally administered Screen, type the
   commands:

   # ls -lt /var/sadm/patch > screen.pkginfo
   # pkginfo -l >> screen.pkginfo

2. To identify the patch level on your remotely administered Screen in stealth
   mode:

   # ssadm -r lib/support packages > screen.pkginfo

   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the contents
   of /var/log/patch.log.

3. To identify the patch level on your Administration Station, type the
   commands:

   # ls -lt /var/sadm/patch > admin.pkginfo
   # pkginfo -l >> admin.pkginfo

Instructions to remove the patch on the Administration Station
--------------------------------------------------------------
1. Become root on the Administration Station.

2. Then type:

   # patchrm 109736-13

Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------
1. Become root on the Screen.

2. Type the following:

   # patchrm 109736-13

Instructions to Remove the Patch on Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------------------------
Use this procedure ONLY if you cannot otherwise obtain access to a login prompt
on the Screen.

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Screen, ensure that you have already
   installed the latest version of Solaris patch 106125. Version 106125-06 is
   available on your SunScreen EFS 3.1 CD.

3. Type the following:

   # ssadm -r patch backout 109736-13

Additional Patch Installation Instructions
------------------------------------------
Refer to the "Install.info" file within the patch for instructions on using the
generic 'installpatch' and 'backoutpatch' scripts provided with each patch.

README -- Last modified date: Tuesday, March 9, 2004
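The count from "ssadm lib/statetables | grep ESTABLISHED | wc -l" in the notes on patching HA clusters is a rough indicator: two members can show similar counts while the rebooted one still lacks the long-lived sessions it never saw. As an added example, not part of this README or of the SunScreen product, the following Python compares the entries themselves. It parses a statetables dump from the ACTIVE member and one from the member that was just rebooted, and reports which of the active screen's ESTABLISHED sessions the rebooted screen has not yet learned. The dump format, the sample entries and the 95% threshold are constructed for the example; ssadm lib/statetables on your release prints its own format, so adjust the ENTRY pattern accordingly.

```python
"""Added example, not SunScreen code: judge whether a rebooted HA member has
relearned enough of the ACTIVE member's state for the next reboot to be safe.
The dump format below is constructed; adapt ENTRY to what
`ssadm lib/statetables` prints on your release."""
import re

# Assumed entry shape: "<proto> <src ip>:<port> -> <dst ip>:<port> <STATE> ..."
ENTRY = re.compile(r"^\s*(?P<proto>\w+)\s+(?P<src>[\d.]+:\d+)\s*->\s*"
                   r"(?P<dst>[\d.]+:\d+)\s+(?P<state>[A-Z_]+)")


def parse_statetable(dump):
    """Return {(proto, src, dst): state} for every entry line in a dump."""
    table = {}
    for line in dump.splitlines():
        m = ENTRY.match(line)
        if m:
            table[(m["proto"], m["src"], m["dst"])] = m["state"]
    return table


def established(dump):
    return {k for k, st in parse_statetable(dump).items() if st == "ESTABLISHED"}


def convergence(active_dump, passive_dump):
    """Compare ESTABLISHED entries of the ACTIVE screen with those of the member
    that was just rebooted. coverage is the share of the active screen's
    sessions the rebooted screen also holds; a bare count (grep | wc -l)
    cannot say which long-lived sessions are still missing."""
    a, p = established(active_dump), established(passive_dump)
    missing = sorted(a - p)
    coverage = 1.0 if not a else (len(a) - len(missing)) / len(a)
    return {"active": len(a), "passive": len(p), "missing": missing, "coverage": coverage}


def safe_to_reboot_active(active_dump, passive_dump, min_coverage=0.95):
    """True when rebooting the active screen would orphan at most
    (1 - min_coverage) of its established sessions. The threshold is a local
    policy choice, not a product setting."""
    return convergence(active_dump, passive_dump)["coverage"] >= min_coverage


# Constructed dumps: the active screen has run for hours; the other member was
# rebooted to take the patch and has only seen traffic since then.
ACTIVE_DUMP = """\
tcp 10.1.1.5:34567 -> 192.168.0.10:80  ESTABLISHED ttl=3600
tcp 10.1.1.6:41002 -> 192.168.0.10:443 ESTABLISHED ttl=3600
tcp 10.1.1.7:50500 -> 192.168.0.20:22  ESTABLISHED ttl=3600
tcp 10.1.1.8:50501 -> 192.168.0.20:22  ESTABLISHED ttl=3600
tcp 10.1.1.9:50502 -> 192.168.0.30:25  CLOSING     ttl=110
"""
PASSIVE_DUMP = """\
tcp 10.1.1.5:34567 -> 192.168.0.10:80  ESTABLISHED ttl=3600
tcp 10.1.1.6:41002 -> 192.168.0.10:443 ESTABLISHED ttl=3600
tcp 10.1.1.8:50501 -> 192.168.0.20:22  ESTABLISHED ttl=3600
"""

if __name__ == "__main__":
    c = convergence(ACTIVE_DUMP, PASSIVE_DUMP)
    print("active=%d passive=%d coverage=%.2f" % (c["active"], c["passive"], c["coverage"]))
    for proto, src, dst in c["missing"]:
        print("not yet on rebooted screen:", proto, src, "->", dst)
    print("safe to reboot active:", safe_to_reboot_active(ACTIVE_DUMP, PASSIVE_DUMP))
```

In practice you would capture "ssadm lib/statetables" on each member (or "ssadm -r lib/statetables" from the Administration Station for a stealth-mode screen) into files and feed those to convergence(). Entries in CLOSING are deliberately ignored: they are on their way out and losing them costs nothing, so counting them would only understate coverage.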