Operating System:

[Solaris]

Published:

08 December 2003

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2003.0843 -- Sun(sm) Alert Notification - Sun Alert ID: 57428
           TCP Port Conflict Between Sun Cluster for OPS/RAC and 
                        Solaris Secure Shell Server
                             08 December 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Sun Cluster 3.x
                        Sun Cluster 2.2
Publisher:              Sun Microsystems
Operating System:       Solaris
Platform:               SPARC
Impact:                 Denial of Service
Access Required:        Existing Account

Comment: Original bulletin:

         http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57428

- --------------------------BEGIN INCLUDED TEXT--------------------

   DOCUMENT ID: 57428
   SYNOPSIS: TCP Port Conflict Between Sun Cluster for OPS/RAC and
   Solaris Secure Shell Server, and Possible Denial of Service Attack by
   Unprivileged Users Upon Sun Cluster
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 57428
     * Synopsis: TCP Port Conflict Between Sun Cluster for OPS/RAC and
       Solaris Secure Shell Server, and Possible Denial of Service Attack
       by Unprivileged Users Upon Sun Cluster
     * Category: Availability, Security
     * Product: Sun Cluster
     * BugIDs: 4805422
     * Avoidance: Workaround
     * State: Resolved
     * Date Released: 25-Nov-2003
     * Date Closed: 25-Nov-2003
     * Date Modified:
       
1. Impact

   During a cluster reconfiguration event (e.g. when another node joins
   or leaves the cluster), a Sun Cluster 3.x node can panic, and a Sun
   Cluster 2.2 node can abort from the cluster. Also, if a local
   unprivileged user is allowed to run client applications on a Sun
   Cluster system, they may be able to run an application which utilizes
   a TCP port which is also used by the DLM and thus trigger this issue,
   causing a Denial of Service.
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   SPARC Platform
     * Sun Cluster 2.2 (for Solaris 2.6, Solaris 7, and Solaris 8)
     * Sun Cluster 3.0 (for Solaris 8 and Solaris 9)
     * Sun Cluster 3.1 (for Solaris 8 and Solaris 9)
       
   This issue can only occur if all of the following are true:
     * The Sun Cluster Oracle OPS/RAC packages ORCLudlm and SUNWudlm are
       installed
     * The Solaris Secure Shell server daemon (sshd(1M)) is running
     * The system is configured to enable X11 forwarding
       
   A TCP port conflict may occur for the above Sun Cluster releases which
   have the OPS/RAC packages installed (specifically the ORCLudlm and
   SUNWudlm packages) and the Solaris Secure Shell server daemon
   (sshd(1M)) running on the system configured to allow X11 forwarding.
   Sun ships Solaris Secure Shell with Solaris 9 only. Sites using
   earlier versions of Solaris may have installed a third party version
   of Secure Shell.
   
   It is recommended that a Sun Cluster system should not be used for
   client applications as described in:
   
   Sun Cluster 3.0 Release Notes
     * [1]http://docs.sun.com/db/doc/806-1428/ 
       
   Sun Cluster 2.2 Software Installation Guide
     * [2]http://docs.sun.com/db/doc/806-1008/
       
3. Symptoms

   For Sun Cluster 3.x
   
   During an SC3.x cluster reconfiguration event (e.g. when another node
   joins or leaves the cluster), one or more of the active cluster nodes
   can panic with the following message:
    panic[cpu0]/thread=2a100045d20: Failfast: Aborting because "ucmmd" died 30
    seconds ago


   Note: This same panic can also occur for a number of other reasons. In
   this particular case, the system messages file (/var/adm/messages)
   will contain the relevant message:
    Oct 13 15:08:36 vha-2a ID[SUNWudlm.udlm]: Unix DLM initiating cluster abort
.

   The DLM log file (/var/cluster/ucmm/dlm_<node-name>/logs/dlm.log) will
   also contain the relevant message:
    15:08:36-00000-00620- BIND ERROR: 'Address already in use', family=2, port=
6007,
    in=172.16.193.1

   For Sun Cluster 2.2
   
   During an SC2.2 cluster reconfiguration event (e.g. when another node
   joins or leaves the cluster), one or more of the active cluster nodes
   can abort from the cluster. The system messages file
   (/var/adm/messages) will contain the messages:
    Nov  4 10:40:03 vha-2a ID[SUNWcluster.udlm.4004]: Unix DLM initiating cluster
    abort.
    Nov  4 10:40:03 vha-2a ID[SUNWcluster.clustd.transition.4008]: transition
    'step3' failed. Child exit status 15
    Nov  4 10:40:13 vha-2a ID[SUNWcluster.clustd.transition.4010]: cluster aborted
    on this node (vha-2a)

   The DLM log file (/var/opt/SUNWcluster/dlm_<node-name>/logs/dlm.log)
   will also contain the relevant message:
    10:40:03-00000-00858- BIND ERROR: 'Address already in use', family=2, port=6004,
    in=204.152.65.33

   SOLUTION SUMMARY:
   
4. Relief/Workaround

   If Solaris Secure Shell X11 forwarding is not required, disable it by
   editing the server configuration file on all cluster nodes as follows:
    # cd /etc/ssh
    # cp sshd_config sshd_config.save
    # vi sshd_config

   Change:
    X11Forwarding yes

   To:
    X11Forwarding no

   Then restart the sshd daemon:
    # /etc/init.d/sshd stop
    # /etc/init.d/sshd start

   If Solaris Secure Shell X11 forwarding is required, the DLM should be
   reconfigured to use an alternate, unused range of TCP port numbers.
   The system administrator should use the "/etc/services" file and their
   knowledge of the TCP applications that run on the cluster nodes when
   choosing a new port range for the DLM.
   
   In the following two examples (for Sun Cluster versions 3.x and 2.2),
   the DLM's port range is changed to the currently unassigned range of
   1124-1154 (inclusive).
   
   Example 1: Sun Cluster version 3.x
   
   Reconfigure the DLM's port range by editing the DLM configuration file
   on all cluster nodes as follows:
    # cd /opt/SUNWudlm/etc
    # cp udlm.conf udlm.conf.save
    # vi udlm.conf

   Change:
    udlm.port               : 6000
    udlm.num_ports          : 32

   To:
    udlm.port               : 1124
    udlm.num_ports          : 30

   Note: This operation must be performed on ALL nodes in the cluster,
   and ALL nodes must be configured to use exactly the same port range.
   When the changes have been made, all cluster nodes must then be
   rebooted simultaneously for the changes to take effect.
   
   On one node run:
    # scshutdown -y -g0

   Example 2: Sun Cluster version 2.2
   
   Reconfigure the DLM's port range by editing the cdb configuration file
   on all cluster nodes as follows:
    # cd /etc/opt/SUNWcluster/conf
    # cp <clustername>.cdb <clustername>.cdb.save
    # vi <clustername>.cdb

   Change:
    udlm.port               : 6000
    udlm.num_ports          : 32

   To:
    udlm.port               : 1124
    udlm.num_ports          : 30

   Note: This operation must be performed on ALL nodes in the cluster,
   and ALL nodes must be configured to use exactly the same port range.
   When the changes have been made, all cluster nodes must then be
   removed simultaneously from the cluster and then rejoined for the
   changes to take effect.
   
   On all nodes, run:
    # scadmin stopnode

   Then on one node:
    # scadmin startcluster <nodename> <clustername>

   And on the remaining nodes:
    # scadmin startnode

   The two examples provided above avoid the problem of a port conflict
   between the DLM and Secure Shell, but do not protect against malicious
   denial of service attacks from unprivileged users logged into the
   cluster nodes.
   
   To avoid possible denial of service attacks on the DLM, it's port
   numbers should be changed to a privileged range (i.e. a range below
   1024). Again, the system administrator should use the /etc/services
   file and their knowledge of the TCP applications that run on the
   cluster nodes when choosing a new port range for the DLM. The range
   918-949 may be suitable for most systems, as it is currently
   unassigned by the Internet Assigned Numbers Authority (IANA) e.g.
    udlm.port               : 918
    udlm.num_ports          : 32

5. Resolution

   There is no resolution to this problem incorporated into the issued
   product(s). Please change the DLM's port range using the methods
   described above to values that suite your own systems.
   
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   
   Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.
   

References

   1. http://docs.sun.com/db/doc/806-1428/
   2. http://docs.sun.com/db/doc/806-1008/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP9PW4Sh9+71yA2DNAQFKbgP+Oy4dU+0gxXDy0ndUeL5Mx2O2ZqbwenFj
Pdd33s553G+IIQACSuaMOBKVrEsfFKi1mG/5jsjRlvVMWlwa+kZreRK9dpksUjZn
8KUfJR8dZGMiRkixbxr2p3Xz/K8HP1Ahx8+n56wAxwbsV+3YG+JHY9fyudgg5hy/
yKPk+UsNMYU=
=Tfhc
-----END PGP SIGNATURE-----