===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2008.0238 -- [Solaris]
 Solaris 10: Incorrect Patches or Sequence of Installation May Disable N2
             Hardware Encryption for IPsec on T5120 and T5220
                               6 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              kernel
                      IPSec
                      T5120
                      T5220
                      N2 Hardware Encryption
Publisher:            Sun Microsystems
Operating System:     Solaris 10
Platform:             SPARC
Impact:               Reduced Security
Access:               Existing Account

Original Bulletin:  
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-233281-1

--------------------------BEGIN INCLUDED TEXT--------------------

Solution Type: Sun Alert
   Solution  233281 :   Incorrect Patches or Sequence of Installation May
   Disable N2 Hardware Encryption for IPsec on T5120 and T5220          
   Bug ID: 6656684

   Product
Solaris 10 Operating System

   Date of Resolved Release: 19-Feb-2008

   SA Document Body
Incorrect Patches or Sequence of Installation May Disable N2 Hardware 
Encryption for IPsec on T5120 and T5220

1. Impact

   If, after enabling N2 Hardware Encryption for IPsec, certain Kernel
   Update patches are applied (possibly the wrong Kernel Update patch,
   the wrong combination of patches, or an incorrect sequence in which
   they are installed), N2 Wire-Speed Hardware Encryption for IPsec will
   be disabled on Sun SPARC Enterprise T5120/5220 systems. The system
   will default to Solaris Software Encryption with reduced speed in
   ciphering functions.

2. Contributing Factors

   This issue can occur in the following release:
   SPARC Platform
     * Solaris 10 patches 127753-02 (n2cp Crypto driver Patch) and
       Kernel Update Patch 127111-06 (if not properly installed)

   for the following platforms:
     * Sun SPARC Enterprise T5120 and T5220 systems running N2 Hardware
       Encryption Activation package

   To determine if N2 Hardware Encryption for IPsec is enabled, the
   elfsign(1) command can be run (as "root" user):
# elfsign verify -e /platform/sun4v/kernel/drv/sparcv9/n2cp

   If N2 Hardware Encryption for IPsec is enabled, the above command will
   return:
elfsign: verification of /platform/sun4v/kernel/drv/sparcv9/n2cp passed

   otherwise, the elfsign(1) command will return:
elfsign: verification of /platform/sun4v/kernel/drv/sparcv9/n2cp passed, but restricted.

   Note: This issue can occur if the specific sequence in which the
   patches and N2 Hardware Encryption Activation are installed is not
   followed properly.

   Specifically: if, after enabling N2 Hardware Encryption for IPsec
   with 122642-02, Kernel Update patch 127111-06 is installed without
   following that with a pkgadd(1M) of
   "sol-10-u4-ga-sparc-cryptoactivation.pkg" and a patchadd of
   122642-05, N2 Hardware Encryption for IPsec will be disabled.

   There is no N2 Hardware Encryption for IPsec Enabler patch for install
   on top of Kernel Update patches 127111-07 and 127111-08. Therefore, if
   127111-07 or 127111-08 is installed, N2 Hardware Encryption for IPsec
   is disabled and there is no patch available to re-enable it.

   The proper sequence to enable T5120/T5220 N2 Hardware Encryption for
   IPsec is as follows:

   Step 1:

   (a) Install the n2cp Crypto driver Patch 127753-02 (available on
   SunSolve)

   or

   (b) Install the Kernel Update Patch 127111-06 (available on
   SunSolve)

   Step 2:  If the N2 Hardware Encryption activation package has not
   already been installed, please do the following:
    # pkgadd sol-10-u4-ga-sparc-cryptoactivation.pkg

   Step 3: To enable N2 Hardware Encryption for IPsec, install the
   appropriate version of patch 122642:
     * For 127753-02, install 122642-02 [127753-02 is a prerequisite
       patch for 122642-02]
     * For 127111-06, install 122642-05 [127111-06 is a prerequisite
       patch for 122642-05]
     * For 127111-09, install 122642-07 [127111-09 is a prerequisite
       patch for 122642-07]

   Note: There will be no 122642 patch for 127111-07 and 127111-08.

   Both the N2 Hardware Encryption activation package and 122642 patches
   can be found at the Sun Download Center Web Site with keyword string
   search: "UltraSPARC T2 Processor-Cryptographic Activation File & patch
   122642"
   Or they can be found at the Sun Download Center Web Site via:

   http://www.sun.com/ipsec
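
   The elfsign(1) check and the patch pairings above can be combined into
   one audit. The following is an added example, not code from Sun or
   AusCERT. It assumes the installed-patch listing is text in the style of
   "showrev -p" (lines beginning "Patch: <id>-<rev>"); the function names
   and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify elfsign output and check kernel/enabler pairing.
# The pairings are the ones listed in this Sun Alert; nothing else is assumed.

n2cp_mode() {  # $1 = one line of "elfsign verify -e .../n2cp" output
    case "$1" in
        *"passed, but restricted"*) echo software ;;
        *passed*)                   echo hardware ;;
        *)                          echo unknown ;;
    esac
}

# Highest installed revision of a patch ID ($2) in a patch listing ($1).
highest_rev() {
    printf '%s\n' "$1" | sed -n "s/^Patch: $2-\([0-9][0-9]*\).*/\1/p" | sort -n | tail -1
}

# 122642 enabler revision that the alert pairs with a given base patch.
enabler_for() {
    case "$1" in
        127753-02)           echo 122642-02 ;;
        127111-06)           echo 122642-05 ;;
        127111-09)           echo 122642-07 ;;
        127111-07|127111-08) echo none ;;
        *)                   echo unlisted ;;
    esac
}

check_pairing() {  # $1 = patch listing text
    ku=$(highest_rev "$1" 127111)
    if [ -n "$ku" ]; then base="127111-$ku"
    else base="127753-$(highest_rev "$1" 127753)"; fi
    want=$(enabler_for "$base")
    rev=$(highest_rev "$1" 122642); have="122642-${rev:-absent}"
    case "$want" in
        none)     echo "DISABLED: no enabler exists for $base" ;;
        unlisted) echo "UNKNOWN: $base is not covered by the alert" ;;
        "$have")  echo "OK: $base with $have" ;;
        *)        echo "MISMATCH: $base needs $want, found $have" ;;
    esac
}

# Constructed sample: 127111-06 applied on top of an existing 122642-02.
SAMPLE='Patch: 127753-02 Obsoletes: Requires: Incompatibles: Packages: (constructed)
Patch: 122642-02 Obsoletes: Requires: Incompatibles: Packages: (constructed)
Patch: 127111-06 Obsoletes: Requires: Incompatibles: Packages: (constructed)'
n2cp_mode "elfsign: verification of /platform/sun4v/kernel/drv/sparcv9/n2cp passed, but restricted."
check_pairing "$SAMPLE"
```

   On a live system, the arguments would be the output of the elfsign(1)
   command shown earlier and of the patch listing command, in place of
   the constructed strings.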

3. Symptoms

   If the proper patching, package install, and patching sequence is not
   followed, encryption on the T5120/T5220 will default to software
   encryption which has reduced performance compared to N2 Hardware
   Encryption for IPsec.

4. Workaround

   To work around this issue, obtain and install the newer matching N2
   IPsec Enabler Patch.

   Note: It is possible that a newer Kernel Update Patch will be
   available and could be installed before a matching N2 IPsec Enabler
   Patch is available. In that case, the choices are:

   A) Use Solaris Software Encryption until the matching N2 Hardware
   Enabler Patch is available for install.

   Or:

   B) Back out the mismatched n2cp Crypto driver Patch or Kernel Update
   Patch and the N2 Hardware Enabler Patch, then obtain and install the
   latest matching pair of Kernel Update Patch and N2 IPsec Enabler
   Patch.

5. Resolution

   Please see the Workaround section above, and follow the proper
   sequence in which the patches and N2 Hardware Encryption Activation
   are installed. (See "Contributing Factors" section: "The proper
   sequence to enable T5120/T5220 N2 Hardware Encryption for IPsec...")

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
