Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0843 -- Sun(sm) Alert Notification - Sun Alert ID: 57428 TCP Port Conflict Between Sun Cluster for OPS/RAC and Solaris Secure Shell Server 08 December 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Sun Cluster 3.x Sun Cluster 2.2 Publisher: Sun Microsystems Operating System: Solaris Platform: SPARC Impact: Denial of Service Access Required: Existing Account Comment: Original bulletin: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57428 - --------------------------BEGIN INCLUDED TEXT-------------------- DOCUMENT ID: 57428 SYNOPSIS: TCP Port Conflict Between Sun Cluster for OPS/RAC and Solaris Secure Shell Server, and Possible Denial of Service Attack by Unprivileged Users Upon Sun Cluster DETAIL DESCRIPTION: Sun(sm) Alert Notification * Sun Alert ID: 57428 * Synopsis: TCP Port Conflict Between Sun Cluster for OPS/RAC and Solaris Secure Shell Server, and Possible Denial of Service Attack by Unprivileged Users Upon Sun Cluster * Category: Availability, Security * Product: Sun Cluster * BugIDs: 4805422 * Avoidance: Workaround * State: Resolved * Date Released: 25-Nov-2003 * Date Closed: 25-Nov-2003 * Date Modified: 1. Impact During a cluster reconfiguration event (e.g. when another node joins or leaves the cluster), a Sun Cluster 3.x node can panic, and a Sun Cluster 2.2 node can abort from the cluster. Also, if a local unprivileged user is allowed to run client applications on a Sun Cluster system, they may be able to run an application which utilizes a TCP port which is also used by the DLM and thus trigger this issue, causing a Denial of Service. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform * Sun Cluster 2.2 (for Solaris 2.6, Solaris 7, and Solaris 8) * Sun Cluster 3.0 (for Solaris 8 and Solaris 9) * Sun Cluster 3.1 (for Solaris 8 and Solaris 9) This issue can only occur if all of the following are true: * The Sun Cluster Oracle OPS/RAC packages ORCLudlm and SUNWudlm are installed * The Solaris Secure Shell server daemon (sshd(1M)) is running * The system is configured to enable X11 forwarding A TCP port conflict may occur for the above Sun Cluster releases which have the OPS/RAC packages installed (specifically the ORCLudlm and SUNWudlm packages) and the Solaris Secure Shell server daemon (sshd(1M)) running on the system configured to allow X11 forwarding. Sun ships Solaris Secure Shell with Solaris 9 only. Sites using earlier versions of Solaris may have installed a third party version of Secure Shell. It is recommended that a Sun Cluster system should not be used for client applications as described in: Sun Cluster 3.0 Release Notes * [1]http://docs.sun.com/db/doc/806-1428/ Sun Cluster 2.2 Software Installation Guide * [2]http://docs.sun.com/db/doc/806-1008/ 3. Symptoms For Sun Cluster 3.x During an SC3.x cluster reconfiguration event (e.g. when another node joins or leaves the cluster), one or more of the active cluster nodes can panic with the following message: panic[cpu0]/thread=2a100045d20: Failfast: Aborting because "ucmmd" died 30 seconds ago Note: This same panic can also occur for a number of other reasons. In this particular case, the system messages file (/var/adm/messages) will contain the relevant message: Oct 13 15:08:36 vha-2a ID[SUNWudlm.udlm]: Unix DLM initiating cluster abort . The DLM log file (/var/cluster/ucmm/dlm_<node-name>/logs/dlm.log) will also contain the relevant message: 15:08:36-00000-00620- BIND ERROR: 'Address already in use', family=2, port= 6007, in=172.16.193.1 For Sun Cluster 2.2 During an SC2.2 cluster reconfiguration event (e.g. when another node joins or leaves the cluster), one or more of the active cluster nodes can abort from the cluster. The system messages file (/var/adm/messages) will contain the messages: Nov 4 10:40:03 vha-2a ID[SUNWcluster.udlm.4004]: Unix DLM initiating cluster abort. Nov 4 10:40:03 vha-2a ID[SUNWcluster.clustd.transition.4008]: transition 'step3' failed. Child exit status 15 Nov 4 10:40:13 vha-2a ID[SUNWcluster.clustd.transition.4010]: cluster aborted on this node (vha-2a) The DLM log file (/var/opt/SUNWcluster/dlm_<node-name>/logs/dlm.log) will also contain the relevant message: 10:40:03-00000-00858- BIND ERROR: 'Address already in use', family=2, port=6004, in=204.152.65.33 SOLUTION SUMMARY: 4. Relief/Workaround If Solaris Secure Shell X11 forwarding is not required, disable it by editing the server configuration file on all cluster nodes as follows: # cd /etc/ssh # cp sshd_config sshd_config.save # vi sshd_config Change: X11Forwarding yes To: X11Forwarding no Then restart the sshd daemon: # /etc/init.d/sshd stop # /etc/init.d/sshd start If Solaris Secure Shell X11 forwarding is required, the DLM should be reconfigured to use an alternate, unused range of TCP port numbers. The system administrator should use the "/etc/services" file and their knowledge of the TCP applications that run on the cluster nodes when choosing a new port range for the DLM. In the following two examples (for Sun Cluster versions 3.x and 2.2), the DLM's port range is changed to the currently unassigned range of 1124-1154 (inclusive). Example 1: Sun Cluster version 3.x Reconfigure the DLM's port range by editing the DLM configuration file on all cluster nodes as follows: # cd /opt/SUNWudlm/etc # cp udlm.conf udlm.conf.save # vi udlm.conf Change: udlm.port : 6000 udlm.num_ports : 32 To: udlm.port : 1124 udlm.num_ports : 30 Note: This operation must be performed on ALL nodes in the cluster, and ALL nodes must be configured to use exactly the same port range. When the changes have been made, all cluster nodes must then be rebooted simultaneously for the changes to take effect. On one node run: # scshutdown -y -g0 Example 2: Sun Cluster version 2.2 Reconfigure the DLM's port range by editing the cdb configuration file on all cluster nodes as follows: # cd /etc/opt/SUNWcluster/conf # cp <clustername>.cdb <clustername>.cdb.save # vi <clustername>.cdb Change: udlm.port : 6000 udlm.num_ports : 32 To: udlm.port : 1124 udlm.num_ports : 30 Note: This operation must be performed on ALL nodes in the cluster, and ALL nodes must be configured to use exactly the same port range. When the changes have been made, all cluster nodes must then be removed simultaneously from the cluster and then rejoined for the changes to take effect. On all nodes, run: # scadmin stopnode Then on one node: # scadmin startcluster <nodename> <clustername> And on the remaining nodes: # scadmin startnode The two examples provided above avoid the problem of a port conflict between the DLM and Secure Shell, but do not protect against malicious denial of service attacks from unprivileged users logged into the cluster nodes. To avoid possible denial of service attacks on the DLM, it's port numbers should be changed to a privileged range (i.e. a range below 1024). Again, the system administrator should use the /etc/services file and their knowledge of the TCP applications that run on the cluster nodes when choosing a new port range for the DLM. The range 918-949 may be suitable for most systems, as it is currently unassigned by the Internet Assigned Numbers Authority (IANA) e.g. udlm.port : 918 udlm.num_ports : 32 5. Resolution There is no resolution to this problem incorporated into the issued product(s). Please change the DLM's port range using the methods described above to values that suite your own systems. This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. References 1. http://docs.sun.com/db/doc/806-1428/ 2. http://docs.sun.com/db/doc/806-1008/ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBP9PW4Sh9+71yA2DNAQFKbgP+Oy4dU+0gxXDy0ndUeL5Mx2O2ZqbwenFj Pdd33s553G+IIQACSuaMOBKVrEsfFKi1mG/5jsjRlvVMWlwa+kZreRK9dpksUjZn 8KUfJR8dZGMiRkixbxr2p3Xz/K8HP1Ahx8+n56wAxwbsV+3YG+JHY9fyudgg5hy/ yKPk+UsNMYU= =Tfhc -----END PGP SIGNATURE-----