Patch-ID# 109734-13 Keywords: encryption efs security international ha ftp fragmentation proxy Synopsis: SunScreen 3.1 (sparc) miscellaneous fixes Date: Mar/09/2004 ****************************************************** The items made available through this website are subject to United States export laws and may be subject to export and import laws of other countries. You agree to strictly comply with all such laws and obtain licenses to export, re-export, or import as may be required. Unless expressly authorized by the United States Government to do so you will not, directly or indirectly, export or re-export the items made available through this website, nor direct the items therefrom, to any embargoed or restricted country identified in the United States export laws, including but not limited to the Export Administration Regulations (15 C.F.R. Parts 730-774). ****************************************************** Install Requirements: None Solaris Release: 2.6 7 8 SunOS Release: 5.6 5.7 5.8 Unbundled Product: SunScreen EFS Unbundled Release: 3.1 Xref: This patch is available for x86 as Patch 109735. Topic: Relevant Architectures: sparc BugId's fixed with this patch: 4048429 4266794 4326689 4328055 4333069 4347381 4347894 4347899 4347905 4351317 4355078 4355752 4365144 4366229 4368757 4370757 4371086 4371655 4371831 4373963 4373964 4373966 4373972 4373976 4377098 4377829 4378218 4380217 4389132 4395538 4400107 4409715 4412981 4415446 4418010 4418578 4431381 4432276 4432480 4433735 4458205 4467805 4468944 4474065 4475718 4475976 4483861 4484569 4484731 4485964 4489200 4491469 4493103 4494052 4530873 4531796 4599245 4621944 4632254 4636508 4636511 4636514 4658497 4693028 4710480 4710493 4713896 4729278 4760976 4762492 4764370 4764373 4767244 4770205 4786105 4786474 4790511 4795556 4801062 4837929 4845456 4861572 4890614 4913304 4926941 4959989 Changes incorporated in this version: 4926941 4913304 4959989 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /etc/init.d/plumbsunscreen /etc/rcS.d/S20plumbsunscreen /kernel/drv/screen /kernel/drv/sparcv9/screen /kernel/strmod/efs /kernel/strmod/sparcv9/efs /kernel/strmod/sparcv9/spf /kernel/strmod/spf /opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump /opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Client.class /opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/OutputReader.class /opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/RemoteCommand.class /opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Server.class /opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/logbrowser/LogBrowser.class /opt/SUNWicg/SunScreen/admin/htdocs/plugin/welcome.html /opt/SUNWicg/SunScreen/admin/htdocs/welcome.html /opt/SUNWicg/SunScreen/bin/sslogmgmt /opt/SUNWicg/SunScreen/lib/authuser /opt/SUNWicg/SunScreen/lib/datacompiler /opt/SUNWicg/SunScreen/lib/efs2to3 /opt/SUNWicg/SunScreen/lib/getlog /opt/SUNWicg/SunScreen/lib/jar_hash /opt/SUNWicg/SunScreen/lib/jar_sig /opt/SUNWicg/SunScreen/lib/logdump /opt/SUNWicg/SunScreen/lib/logmacro /opt/SUNWicg/SunScreen/lib/logmsg /opt/SUNWicg/SunScreen/lib/natcompiler /opt/SUNWicg/SunScreen/lib/proxyuser /opt/SUNWicg/SunScreen/lib/screeninfo /opt/SUNWicg/SunScreen/lib/ss_access_convert /opt/SUNWicg/SunScreen/lib/ss_compiler /opt/SUNWicg/SunScreen/lib/ss_disable_send /opt/SUNWicg/SunScreen/lib/ss_ha /opt/SUNWicg/SunScreen/lib/ss_had /opt/SUNWicg/SunScreen/lib/ss_logd /opt/SUNWicg/SunScreen/lib/ss_rule_convert /opt/SUNWicg/SunScreen/lib/ss_upgrade /opt/SUNWicg/SunScreen/lib/statetables /opt/SUNWicg/SunScreen/lib/statetables64 /opt/SUNWicg/SunScreen/lib/strs /opt/SUNWicg/SunScreen/lib/unplumb_solaris8 /opt/SUNWicg/SunScreen/lib/user_authenticate /opt/SUNWicg/SunScreen/lib/vars /opt/SUNWicg/SunScreen/proxies/ftpp /opt/SUNWicg/SunScreen/proxies/httpp /opt/SUNWicg/SunScreen/proxies/smtpp /opt/SUNWicg/SunScreen/proxies/telnetp /opt/SUNWicg/SunScreen/ssadm/edit /opt/SUNWicg/SunScreen/ssadm/lock /opt/SUNWicg/SunScreen/ssadm/log /opt/SUNWicg/SunScreen/ssadm/logdump /opt/SUNWicg/SunScreen/ssadm/logmacro /opt/SUNWicg/SunScreen/ssadm/logstats /opt/SUNWicg/SunScreen/ssadm/traffic_stats /opt/SUNWicg/SunScreen/support/nattables /opt/SUNWicg/SunScreen/support/nattables64 /opt/SUNWicg/SunScreen/support/packages /opt/SUNWicg/SunScreen/support/statetable_summary /opt/SUNWicg/SunScreen/support/versions /opt/SUNWicg/sunscreen/ssadm/debug_level /sbin/ss_plumb_interface /usr/kernel/drv/screen_skip /usr/kernel/drv/sparcv9/screen_skip /usr/kernel/misc/screen_dns /usr/kernel/misc/screen_fail /usr/kernel/misc/screen_ftp /usr/kernel/misc/screen_ip /usr/kernel/misc/screen_nfsro /usr/kernel/misc/screen_normal /usr/kernel/misc/screen_ping /usr/kernel/misc/screen_pmap /usr/kernel/misc/screen_raudio /usr/kernel/misc/screen_rsh /usr/kernel/misc/screen_sqlnet /usr/kernel/misc/screen_stateless /usr/kernel/misc/screen_tcp /usr/kernel/misc/screen_udp /usr/kernel/misc/sparcv9/screen_dns /usr/kernel/misc/sparcv9/screen_fail /usr/kernel/misc/sparcv9/screen_ftp /usr/kernel/misc/sparcv9/screen_ip /usr/kernel/misc/sparcv9/screen_nfsro /usr/kernel/misc/sparcv9/screen_normal /usr/kernel/misc/sparcv9/screen_ping /usr/kernel/misc/sparcv9/screen_pmap /usr/kernel/misc/sparcv9/screen_raudio /usr/kernel/misc/sparcv9/screen_rsh /usr/kernel/misc/sparcv9/screen_sqlnet /usr/kernel/misc/sparcv9/screen_stateless /usr/kernel/misc/sparcv9/screen_tcp /usr/kernel/misc/sparcv9/screen_udp /opt/SUNWicg/SunScreen/lib/logmgmt-Xample Problem Description: 4926941 sunscreen 3.2 pmap state engine dropping NULL procedure 4913304 Retransmission FIN packet is dropped in CLOSING state 4959989 Fin Ack does not change state to ESTABLISHED (from 109734-12) 4837929 Unable to use ifconfig to remove SunScreen module from network interface. 4795556 ssadm logdump command hangs after some minutes 4389132 wrong version number of new created policy shown. 4433735 security home page URL at welcome screen should pop-up new browser window. 4861572 Sunscreen 3.1 network connectivity slows to unusable level 4890614 Patch 109734-09 breaks nattables command. 4801062 Customer want's less descriptive log, to not resolve hostname. only IP addresses There is a new -r option to the logdump commnd, this forces logdump not to use the name service to resolve IP addresses to names. Example: ssadm log get | ssadm logdump -i -r statetable_summary ------------------ This script is provided to aid diagnosis of performance problems caused by large state tables. The performs analysis on a file containing the output from one of: ssadm lib/statetables ssadm lib/nattables ssadm lib/screeninfo Usage: /usr/lib/sunscreen/support/statetable_summary file_to_analyse The output is written to stdout and files in /var/tmp This script can be run on a system with SunScreen installed in which case it will run the statetables & nattables commands directly if an input file is not specified. If an input file is provided then the script can be run on any Solaris system, it does not have to be run on the screen. In many cases this is desirable because the script can take a very long time to run and generate significant load on the system if the statetable it is analysing is very large. As with all programs in /usr/lib/sunscreen/support this is provided for support purposes only and not a supported part of the product. (from 109734-11) 4845456 FIN packet is unexpectedly dropped in CLOSING state (from 109734-10) 4790511 FTP proxy: after of subcommand REST error 503 bad sequence of commands 4786105 passive screen sends wrong MAC address in gratuitous arp at boot time. 4786474 Random errors from unplumb_solaris8 4599245 Some HA messages don't get into messages files 4636508 ss_had does not log enough information to diagnose HA issues. 4710480 ss_had prints erroneous errors to syslog. 4636511 Age drift can cause unnecessary HA failover 4636514 Active screen will become passive then active when ss_had restarted on secondary 4484731 typo in ss_had error message (from 109734-09) 4371086 NFS state engine assumes 20 byte tcp header size 4467805 UDP hash lookup needs improvement 4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback 4483861 ttls for NAT entries need to be more closely related to stateentries 4491469 reply packets don't match broadcast UDP sessions, get dropped 4531796 ss_had shutdown sends gratuitous arp with wrong MAC address 4710493 Network error on heartbeat link can cause HA failover. 4713896 SunScreen3.1 allows to pass the TCP data packets prior to 3way-hand-shake. 4729278 logdump does no bounds checking on transient ports array 4760976 Fin Attack!! port continues being open 4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer. 4764370 Duplicate Syn/Ack can change SunScreen state from from ESTABLISHED to CONNECTING 4764373 SunScreen does not check sequence numbers of FIN packets 4767244 SunScreen allows FIN packet in CONNECTING state. 4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly (from 109734-08) 4371655 PASSIVE screen leaks skip encrypted packets 4458205 traffic_stats output has error 4468944 SunScreen drops TCP ECN packets 4474065 SunScreen cluster can hang (allocb fail) 4530873 ssadm traffic_stats reports negative values 4632254 sqlnet engine hangs after fetching few records 4658497 Problem with multiple screen definitions containing HA_ETHER 4693028 Stealth Screen can leak packets destined to non-local subnet with no route (from 109734-07) 4418010 sslogmgmt always returns error: argument expected 4475718 large number of address objects in policy can cause compile failure 4484569 BAD TRAP occurred in module "spf" due to a NULL pointer dereference 4493103 TCP state fails on duplicate SYN, connection drops after 120 seconds 4494052 UDP 162 is not being blocked 4621944 ss_had is writing Error: received short packet to /var/adm/messages (from 109734-06) 4432480 Sunscreen NAT has performance problems in certain topologies 4485964 PASV ftp and DYNAMIC NAT broken 4489200 panic in statetable cleanup routines (from 109734-05) 4432276 Performance degradation due to inefficient TCP Hash function (from 109734-04) 4418578 IP addresses get garbled with first activation of policy on interface 4378218 smtp proxy does not work with two rules 4412981 ftp state engine does not recognize RST 4431381 ftp state engine confused in certain instances when MicroSoft server is used 4409715 ss_had can die with Interrupted System Call 4415446 Sunscreen 3.X HA failover time usually takes considerably longer than 15 seconds (from 109734-03) 4355078 performance in stealth mode slower than SPF-200 4400107 sunscreen consuming large amounts of kernel memory 4395538 ss_logd core dumps causing the system to hang 4377829 HA screen will become passive if an interface cable is unplugged. 4377098 ss_had has a file descriptor leak. 4380217 SunScreen 3.1 with patch 109734-01 can panic in stealth mode. 4373963 screeninfo output gets truncated. 4266794 ssadm screeninfo does not return ip_forwarding status 4373976 misc enhancements to screeninfo. 4048429 Configurations names with spaces don't work 4373966 screeninfo does not get SCCS versions of all files. 4373972 screeninfo should perform consistancy checks on SunScreen packages. 4373964 Patch information retrieved by screeninfo can be incorrect. 4365144 ftp state engine can't handle tcp option tstamp on PORT packets (from 109734-02) 4347381 ss_had stops when "ssadm activate" is done. 4351317 HTTP POST does not work without CRLF 4355752 SunScreen http proxy core dumps when URI password included in URL. 4366229 When ecryption rule added, machine gets stack overflow panic 4368757 "*" service should be based on ipmobile not iptunnel 4370757 PASV FTP vulnerability fix breaks NAT sequence numbers 4371831 Fragmentation Needed but DF bit set message sent out in error (from 109734-01) 4326689 Passive HA stealth screen sends ARP's 4328055 ssadm logdump -i file -x0 does not display hex dump of packet 4333069 traffic passes to undefined addresses despite rules 4347894 Vulnerable to the PASV FTP attack that was published on "bugtraq" 4347899 File containing something that looks like FTP commands could be misinterpreted 4347905 vulnerable to the jolt2.c fragmentation attack Patch Installation Instructions: -------------------------------- See Special Install Instructions. Special Install Instructions: ----------------------------- Installation Instructions for the Administration Station -------------------------------------------------------- 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the administration station, ensure that you have already installed the latest version of Solaris patch 106125. Version 106125-06 is available on your EFS 3.1 CD. 3. Transfer the patch file to the Administration Station. 4. Then type: # uncompress 109734-13.tar.Z # tar xf 109734-13.tar # patchadd 109734-13 Installation Instructions for Locally Administered Screens ---------------------------------------------------------- 1. Become root on the Screen. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125-06. Version 106125-06 is available on your SunScreen EFS 3.1 CD. 3. Transfer patch file to the Screen using a diskette or ftp (with 3 MB free). 4. Type the following: # uncompress 109734-13.tar.Z # tar xf 109734-13.tar # patchadd 109734-13 5. Reboot the Screen. Instructions for Remotely Administered Screens in Stealth Mode -------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise transfer the patch to the Screen. 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125-06. Version 106125-06 is available on your SunScreen EFS 3.1 CD. 3. Transfer the patch file to the Administration Station. 4. Type the following: # ssadm -r patch install < 109734-13.tar.Z Installation Instructions for High Availability (HA) clusters. -------------------------------------------------------------- 1. Determine which screen is ACTIVE within the HA Cluster using the following command on each: # ssadm ha status 2. Follow appropriate patch installation instructions from this README file to install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster (determined from the previous step). 3. Be sure to reboot that screen upon completion of the patch installation. 4. After the reboot, the screen which the patch was just installed on will come up in PASSIVE mode and some other member of the HA cluster will become ACTIVE. 5. Repeat steps 1-4 until the patch has been applied to all members of the HA cluster. Notes on patching HA clusters: If the patch is installed on a PASSIVE screen before it is installed on an ACTIVE screen, the HA daemon ss_had can core dump, this gives symptoms similar to bug 4347381. The SunScreen HA model works by having 2 or more firewalls in parallel. Both firewalls see the same packets and hence calculate the same statetable entries. If a packet matches a statetable entry , then it is passed through the screen. If the ACTIVE screen is rebooted, one of the PASSIVE firewall(s) will take over. Existing connections will still be maintained as the PASSIVE firewall(s) which has just become ACTIVE will have the statetable entries. Once the originally ACTIVE firewall has been rebooted, it will have an empty statetable. This firewall will add any new connections made since it was rebooted to its statetable, but will not know about connections established before it was rebooted. If the currently ACTIVE screen is rebooted , some connections may get dropped. Its not possible to say exactly how long it will take for both (all) the firewalls to have the same statetable entries as this will depend on the type of connection being passed and the lifetime of this connection. Running the following command on both (all) firewalls in the cluster will give the administrator a good indication of when it is safe to reboot the second firewall, without significant loss of service: # ssadm lib/statetables | grep ESTABLISHED | wc -l Instructions for Identifying Patches Installed on System -------------------------------------------------------- 1. To identify the patch level on your locally administered Screen, type the commands: # ls -lt /var/sadm/patch > screen.pkginfo # pkginfo -l >> screen.pkginfo 2. To identify the patch level on your remotely administered Screen in stealth mode: # ssadm -r lib/support packages > screen.pkginfo This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the contents of /var/log/patch.log. 3. To identify the patch level on your Administration Station, type the commands: # ls -lt /var/sadm/patch > admin.pkginfo # pkginfo -l >> admin.pkginfo Instructions to remove the patch on the Administration Station -------------------------------------------------------------- 1. Become root on the Administration Station. 2. Then type: # patchrm 109734-13 Instructions to Remove the Patch on Locally Administered Screen --------------------------------------------------------------- 1. Become root on the Screen. 2. Type the following: # patchrm 109734-13 Instructions to Remove the Patch on Remotely Administered Screens in Stealth Mode -------------------------------------------------------------------- Use this procedure ONLY if you cannot otherwise obtain access to a login prompt on the Screen. 1. Become root on the Administration Station. 2. If you are running Solaris 2.6 on the Screen, ensure that you have already installed the latest version of Solaris patch 106125-06. Version 106125-06 is available on your SunScreen EFS 3.1. 3. Type the following: # ssadm -r patch backout 109734-13 Additional Patch Installation Instructions ------------------------------------------ Refer to the "Install.info" file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. README -- Last modified date: Tuesday, March 9, 2004