===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2008.0238 -- [Solaris]
      Solaris 10: Incorrect Patches or Sequence of Installation May
      Disable N2 Hardware Encryption for IPsec on T5120 and T5220
                               6 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              kernel IPSec T5120 T5220 N2 Hardware Encryption
Publisher:            Sun Microsystems
Operating System:     Solaris 10
Platform:             SPARC
Impact:               Reduced Security
Access:               Existing Account

Original Bulletin:
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-233281-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Solution Type: Sun Alert
Solution 233281 : Incorrect Patches or Sequence of Installation May
                  Disable N2 Hardware Encryption for IPsec on T5120 and
                  T5220
Bug ID: 6656684

Product
Solaris 10 Operating System

Date of Resolved Release: 19-Feb-2008

SA Document Body

Incorrect Patches or Sequence of Installation May Disable N2 Hardware
Encryption for IPsec on T5120 and T5220

1. Impact

If after enabling N2 Hardware Encryption for IPsec, certain Kernel Update
patches are applied (possibly the wrong Kernel Update patch, the wrong
combination of patches, or incorrect sequence in which they are
installed), N2 Wire-Speed Hardware Encryption for IPsec will be disabled
on Sun SPARC Enterprise T5120/5220 systems. The system will default to
Solaris Software Encryption with reduced speed in ciphering functions.

2. Contributing Factors

This issue can occur in the following release:

SPARC Platform

  * Solaris 10 patches 127753-02 (n2cp Crypto driver Patch) and Kernel
    Update Patch 127111-06 (if not properly installed)

for the following platforms:

  * Sun SPARC Enterprise T5120 and T5220 systems running N2 Hardware
    Encryption Activation package

To determine if N2 Hardware Encryption for IPsec is enabled, the
elfsign(1) command can be run (as "root" user):

    # elfsign verify -e /platform/sun4v/kernel/drv/sparcv9/n2cp

If N2 Hardware Encryption for IPsec is enabled, the above command will
return:

    elfsign: verification of /platform/sun4v/kernel/drv/sparcv9/n2cp passed

otherwise, the elfsign(1) command will return:

    elfsign: verification of /platform/sun4v/kernel/drv/sparcv9/n2cp passed, but restricted.

Note: This issue can occur if the specific sequence in which the patches
and N2 Hardware Encryption Activation are installed is not followed
properly. Specifically:

If after enabling N2 Hardware Encryption for IPsec with 122642-02, Kernel
Update patch 127111-06 is installed without following that with a
pkgadd(1M) of "sol-10-u4-ga-sparc-cryptoactivation.pkg" and a patchadd of
122642-05, N2 Hardware Encryption for IPsec will be disabled.

There is no N2 Hardware Encryption for IPsec Enabler patch for install on
top of Kernel Update patches 127111-07 and 127111-08. Therefore, if
127111-07 or 127111-08 is installed, N2 Hardware Encryption for IPsec is
disabled and there is no patch available to re-enable it.

The proper sequence to enable T5120/T5220 N2 Hardware Encryption for
IPsec is as follows:

Step 1:

  (a) Install the n2cp Crypto driver Patch 127753-02 (available on
      SunSolve)

  or

  (b) Install the Kernel Update Patch 127111-06 (available on SunSolve)

Step 2:

  If the N2 Hardware Encryption activation package has not already been
  installed, please do the following:

    # pkgadd sol-10-u4-ga-sparc-cryptoactivation.pkg

Step 3:

  To enable N2 Hardware Encryption for IPsec, install the appropriate
  version of patch 122642:

    For 127753-02, install 122642-02
      [127753-02 is a prerequisite patch for 122642-02]
    For 127111-06, install 122642-05
      [127111-06 is a prerequisite patch for 122642-05]
    For 127111-09, install 122642-07
      [127111-09 is a prerequisite patch for 122642-07]

  Note: There will be no 122642 patch for 127111-07 and 127111-08

Both the N2 Hardware Encryption activation package and 122642 patches can
be found at the Sun Download Center Web Site with keyword string search:

    "UltraSPARC T2 Processor-Cryptographic Activation File & patch 122642"

Or they can be found at the Sun Download Center Web Site via:

    http://www.sun.com/ipsec

3. Symptoms

If the proper patching, package install, and patching sequence is not
followed, encryption on the T5120/T5220 will default to software
encryption which has reduced performance compared to N2 Hardware
Encryption for IPsec.

4. Workaround

To work around this issue, obtain and install the newer matching N2 IPsec
Enabler Patch.

Note: It is possible that a newer Kernel Update Patch will be available
and could be installed before a matching N2 IPsec Enabler Patch is
available. In that case, the choices are:

  A) Use Solaris Software Encryption until the matching N2 Hardware
     Enabler Patch is available for install.

  Or:

  B) Back out the mismatched n2cp Crypto driver Patch or Kernel Update
     Patch and the N2 Hardware Enabler Patch, then obtain and install
     latest matching pair of Kernel Update Patch and N2 IPsec Enabler
     Patch.

5. Resolution

Please see the Workaround section above, and follow the proper sequence
in which the patches and N2 Hardware Encryption Activation are installed.
(See "Contributing Factors" section: "The proper sequence to enable
T5120/T5220 N2 Hardware Encryption for IPsec...")

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may
not impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT,
ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN
SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE
TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification
contains Sun proprietary and confidential information. It is being
provided to you pursuant to the provisions of your agreement to purchase
services from Sun, or, if you do not have such an agreement, the Sun.com
Terms of Use. This Sun Alert notification may only be used for the
purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
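
The elfsign(1) check and the patch pairings in the Sun Alert above can be combined into a single host audit; the script below is an added example, not part of the Sun Alert or the AusCERT bulletin, and classifies a host from the elfsign output plus a list of installed patch IDs. The function names, the one-ID-per-line patch list format, the sample input and the rule that an installed 127111 Kernel Update takes precedence over 127753 are assumptions made for the example.

```shell
# Added example (not from the Sun Alert). Inputs:
#   $1 = output of: elfsign verify -e /platform/sun4v/kernel/drv/sparcv9/n2cp
#   $2 = installed patch IDs, one per line (assumed input format)
# 122642 enabler revision the alert pairs with each prerequisite patch.
required_enabler() {
    case "$1" in
        127753-02) echo 122642-02 ;;
        127111-06) echo 122642-05 ;;
        127111-09) echo 122642-07 ;;
        127111-07|127111-08) echo none ;;    # alert: no 122642 patch for these
        *) echo unknown ;;
    esac
}

# Highest installed revision of a base patch number ($1) in list ($2).
latest_rev() {
    printf '%s\n' "$2" | grep "^$1-[0-9][0-9]*\$" | sort -t- -k2,2n | tail -1
}

n2_ipsec_status() {
    case "$1" in
        *"passed, but restricted"*) hw=off ;;
        *passed*) hw=on ;;
        *) echo "UNKNOWN: unrecognised elfsign output"; return 2 ;;
    esac
    # Assumption: an installed 127111 Kernel Update governs over 127753.
    base=$(latest_rev 127111 "$2")
    [ -n "$base" ] || base=$(latest_rev 127753 "$2")
    need=$(required_enabler "${base:-absent}")
    have=$(latest_rev 122642 "$2")
    if [ "$hw" = on ]; then
        echo "OK: hardware encryption enabled"
    elif [ "$need" = none ]; then
        echo "DEAD-END: no 122642 enabler exists for $base"
    elif [ "$need" = unknown ]; then
        echo "CHECK: no pairing listed for ${base:-missing base patch}"
    elif [ "$have" != "$need" ]; then
        echo "MISMATCH: $base needs $need, found ${have:-none}"
    else
        echo "CHECK: $need installed but driver restricted; verify activation package"
    fi
}

# Constructed sample: enabled with 122642-02, then 127111-06 applied on top.
n2_ipsec_status \
  "elfsign: verification of /platform/sun4v/kernel/drv/sparcv9/n2cp passed, but restricted." \
  "127753-02
122642-02
127111-06"
```

A DEAD-END or MISMATCH result corresponds to the two choices under "4. Workaround": stay on software encryption, or back out to a matching Kernel Update and enabler pair.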