Patch-ID# 108157-16
Keywords: ENCRYPTION EFS security international HA Logdump FTP fragmentation proxy
Synopsis: SunScreen EFS 3.0b (Intel) miscellaneous fixes.
Date: Jan/03/2003

******************************************************
The items made available through this website are subject to United
States export laws and may be subject to export and import laws of
other countries. You agree to strictly comply with all such laws and
obtain licenses to export, re-export, or import as may be required.
Unless expressly authorized by the United States Government to do so
you will not, directly or indirectly, export or re-export the items
made available through this website, nor direct the items therefrom,
to any embargoed or restricted country identified in the United
States export laws, including but not limited to the Export
Administration Regulations (15 C.F.R. Parts 730-774).
******************************************************

Install Requirements: None

Solaris Release: 2.6_x86 7_x86

SunOS Release: 5.6_x86 5.7_x86

Unbundled Product: SunScreen EFS

Unbundled Release: 3.0 Rev B

Xref: This patch is available for Sparc as Patch 108156.
Topic:

Relevant Architectures:

BugId's fixed with this patch:
4231913 4231917 4253279 4257613 4258953 4259288 4259291 4263150
4263985 4267482 4268211 4269897 4271577 4272397 4273153 4273198
4273416 4274877 4275509 4276516 4278909 4279408 4280348 4280375
4281974 4286707 4287892 4291630 4291953 4292561 4297741 4302056
4302422 4306041 4310845 4313231 4314493 4317939 4326689 4328055
4329296 4333069 4347381 4347894 4347899 4347905 4351317 4355078
4355752 4365144 4366229 4368757 4370757 4371086 4371655 4371831
4373963 4373964 4377098 4377829 4378218 4380217 4395538 4400107
4409715 4412981 4415446 4418010 4431381 4432276 4432480 4458205
4464430 4467805 4468944 4474065 4475718 4475976 4483861 4484569
4485964 4489200 4491469 4493103 4494052 4500802 4530873 4531796
4621944 4632254 4658497 4693028 4710493 4713896 4729278 4760976
4762492 4764370 4764373 4767244 4770205

Changes incorporated in this version:
4371086 4371655 4458205 4467805 4468944 4474065 4475976 4483861
4491469 4530873 4531796 4632254 4658497 4693028 4710493 4713896
4729278 4760976 4762492 4764370 4764373 4767244 4770205

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509
/kernel/drv/screen
/kernel/strmod/efs
/kernel/strmod/spf
/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/Session.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/nl_catd.class
/opt/SUNWicg/SunScreen/admin/com/sun/sunscreen/internal/ssadm/nl_catd.so
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/ConfigListWindow.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/GetTextDialog.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/SearchPanel.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/SunScreenApplet.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/logbrowser/LogBrowser.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/efsgui_en_us.class
/opt/SUNWicg/SunScreen/admin/htdocs/lib/admin/sg_registry.jar
/opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj
/opt/SUNWicg/SunScreen/bin/ss_install
/opt/SUNWicg/SunScreen/bin/sslogmgmt
/opt/SUNWicg/SunScreen/lib/authuser
/opt/SUNWicg/SunScreen/lib/catgets
/opt/SUNWicg/SunScreen/lib/datacompiler
/opt/SUNWicg/SunScreen/lib/efs2to3
/opt/SUNWicg/SunScreen/lib/get_access
/opt/SUNWicg/SunScreen/lib/getlog
/opt/SUNWicg/SunScreen/lib/install_UDH_keys
/opt/SUNWicg/SunScreen/lib/jar_hash
/opt/SUNWicg/SunScreen/lib/jar_sig
/opt/SUNWicg/SunScreen/lib/javaexec
/opt/SUNWicg/SunScreen/lib/logbrfmt
/opt/SUNWicg/SunScreen/lib/logdump
/opt/SUNWicg/SunScreen/lib/logmacro
/opt/SUNWicg/SunScreen/lib/logmgmt-Xample
/opt/SUNWicg/SunScreen/lib/logmsg
/opt/SUNWicg/SunScreen/lib/mail_relay
/opt/SUNWicg/SunScreen/lib/mail_spam
/opt/SUNWicg/SunScreen/lib/natcompiler
/opt/SUNWicg/SunScreen/lib/proxyuser
/opt/SUNWicg/SunScreen/lib/screeninfo
/opt/SUNWicg/SunScreen/lib/ss_access
/opt/SUNWicg/SunScreen/lib/ss_access_convert
/opt/SUNWicg/SunScreen/lib/ss_active_config
/opt/SUNWicg/SunScreen/lib/ss_address
/opt/SUNWicg/SunScreen/lib/ss_certificate
/opt/SUNWicg/SunScreen/lib/ss_compiler
/opt/SUNWicg/SunScreen/lib/ss_default_drop
/opt/SUNWicg/SunScreen/lib/ss_disable_send
/opt/SUNWicg/SunScreen/lib/ss_ha
/opt/SUNWicg/SunScreen/lib/ss_ha_active_mode
/opt/SUNWicg/SunScreen/lib/ss_ha_passive_mode
/opt/SUNWicg/SunScreen/lib/ss_had
/opt/SUNWicg/SunScreen/lib/ss_interfaces
/opt/SUNWicg/SunScreen/lib/ss_logd
/opt/SUNWicg/SunScreen/lib/ss_nat
/opt/SUNWicg/SunScreen/lib/ss_rule
/opt/SUNWicg/SunScreen/lib/ss_rule_convert
/opt/SUNWicg/SunScreen/lib/ss_service
/opt/SUNWicg/SunScreen/lib/ss_spam_list
/opt/SUNWicg/SunScreen/lib/ss_upgrade
/opt/SUNWicg/SunScreen/lib/statetables
/opt/SUNWicg/SunScreen/lib/strs
/opt/SUNWicg/SunScreen/lib/user_authenticate
/opt/SUNWicg/SunScreen/lib/vars
/opt/SUNWicg/SunScreen/proxies/ftpp
/opt/SUNWicg/SunScreen/proxies/httpp
/opt/SUNWicg/SunScreen/proxies/smtpp
/opt/SUNWicg/SunScreen/proxies/telnetp
/opt/SUNWicg/SunScreen/ssadm/activate
/opt/SUNWicg/SunScreen/ssadm/algorithm
/opt/SUNWicg/SunScreen/ssadm/debug_level
/opt/SUNWicg/SunScreen/ssadm/edit
/opt/SUNWicg/SunScreen/ssadm/ha
/opt/SUNWicg/SunScreen/ssadm/lock
/opt/SUNWicg/SunScreen/ssadm/log
/opt/SUNWicg/SunScreen/ssadm/logdump
/opt/SUNWicg/SunScreen/ssadm/logmacro
/opt/SUNWicg/SunScreen/ssadm/logstats
/opt/SUNWicg/SunScreen/ssadm/patch
/opt/SUNWicg/SunScreen/ssadm/policy
/opt/SUNWicg/SunScreen/ssadm/stateengine
/opt/SUNWicg/SunScreen/ssadm/sys_info
/opt/SUNWicg/SunScreen/ssadm/traffic_stats
/opt/SUNWicg/SunScreen/support/findcore
/opt/SUNWicg/SunScreen/support/nattables
/opt/SUNWicg/SunScreen/support/packages
/opt/SUNWicg/SunScreen/support/stats
/opt/SUNWicg/SunScreen/support/versions
/usr/kernel/drv/screen_skip
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/screen_tcp

Note: 64bit sparcv9 kernel modules not included in x86 patch.
Files changed in this version of the patch:

/kernel/drv/screen
/kernel/strmod/efs
/kernel/strmod/spf
/opt/SUNWicg/SunScreen/admin/cgi-bin/html_logdump
/opt/SUNWicg/SunScreen/lib/authuser
/opt/SUNWicg/SunScreen/lib/datacompiler
/opt/SUNWicg/SunScreen/lib/jar_hash
/opt/SUNWicg/SunScreen/lib/jar_sig
/opt/SUNWicg/SunScreen/lib/logdump
/opt/SUNWicg/SunScreen/lib/logmacro
/opt/SUNWicg/SunScreen/lib/logmsg
/opt/SUNWicg/SunScreen/lib/natcompiler
/opt/SUNWicg/SunScreen/lib/proxyuser
/opt/SUNWicg/SunScreen/lib/ss_access_convert
/opt/SUNWicg/SunScreen/lib/ss_compiler
/opt/SUNWicg/SunScreen/lib/ss_disable_send
/opt/SUNWicg/SunScreen/lib/ss_ha
/opt/SUNWicg/SunScreen/lib/ss_had
/opt/SUNWicg/SunScreen/lib/ss_logd
/opt/SUNWicg/SunScreen/lib/ss_rule_convert
/opt/SUNWicg/SunScreen/lib/ss_upgrade
/opt/SUNWicg/SunScreen/lib/strs
/opt/SUNWicg/SunScreen/lib/user_authenticate
/opt/SUNWicg/SunScreen/lib/vars
/opt/SUNWicg/SunScreen/ssadm/edit
/opt/SUNWicg/SunScreen/ssadm/log
/opt/SUNWicg/SunScreen/ssadm/logdump
/opt/SUNWicg/SunScreen/ssadm/logmacro
/opt/SUNWicg/SunScreen/ssadm/logstats
/opt/SUNWicg/SunScreen/ssadm/traffic_stats
/usr/kernel/drv/screen_skip
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/screen_tcp

Problem Description:

4371086 NFS state engine assumes 20 byte tcp header size
4371655 PASSIVE screen leaks skip encrypted packets
4458205 traffic_stats output has error
4467805 UDP hash lookup needs improvement
4468944 SunScreen drops TCP ECN packets
4474065 Sun Screen Cluster hangs
4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback
4483861 ttls for NAT entries need to be more closely related to stateentries
4491469 reply packets don't match broadcast UDP sessions, get dropped
4530873 ssadm traffic_stats reports negative values
4531796 ss_had shutdown sends gratuitous arp with wrong MAC address
4632254 sqlnet engine hangs after fetching few records
4658497 only a single HA_ETHER object can be stored
4693028 Stealth Screen can leak packets destined to non-local subnet with no route
4710493 Network error on heartbeat link can cause HA failover.
4713896 SunScreen3.1 allows to pass the TCP data packets prior to 3way-hand-shake.
4729278 logdump does no bounds checking on transient ports array
4760976 Fin Attack!! port continues being open
4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer.
4764370 Duplicate Syn/Ack can change SunScreen state from ESTABLISHED to CONNECTING
4764373 SunScreen does not check sequence numbers of FIN packets
4767244 SunScreen allows FIN packet in CONNECTING state.
4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly

(from 108157-15)
4418010 sslogmgmt always returns error: argument expected
4475718 parser stack overflow with large number of address objects
4484569 BAD TRAP occurred in module "spf"
4493103 TCP state fails on duplicate SYN, connection drops
4494052 UDP 162 is not being blocked
4500802 Byte Swap issue on X86
4621944 ss_had is writing Error: received short packet

(from 108157-14)
4432480 Sunscreen NAT has performance problems in certain topologies
4485964 PASV ftp and DYNAMIC NAT broken
4489200 panic in statetable cleanup routines

(from 108157-13)
4432276 Performance degradation due to inefficient TCP Hash function

(from 108157-12)
4464430 problem installing binaries properly from patch

(from 108157-11)
4378218 smtp proxy does not work with two rules
4412981 ftp state engine does not recognize RST
4431381 ftp state engine confused in certain instances when MicroSoft server is used
4409715 ss_had can die with Interrupted System Call
4415446 HA failover time longer than 15 seconds

(from 108157-10)
4355078 performance in stealth mode slower than SPF-200
4400107 something consuming large amounts of kernel memory
4395538 ss_logd core dumps causing the system to hang
4377829 HA screen will become passive if cable is unplugged.
4377098 ss_had has a file descriptor leak.
4380217 SunScreen 3.1 with patch 109734-01 can panic in stealth mode.
4373963 screeninfo output gets truncated.
4266794 screeninfo does not return if ip forwarding status
4373976 misc enhancements to screeninfo.
4048429 Configurations names with spaces don't work
4373966 screeninfo does not get SCCS versions of all files.
4373972 screeninfo should perform consistency checks on packages.
4373964 Patch information retrieved by screeninfo can be incorrect.
4365144 Fix not correctly implemented for Trusted Solaris.

(from 108157-09)
4347381 ss_had stops when "ssadm activate" is done
4351317 HTTP POST does not work without CRLF
4355752 SunScreen http proxy core dumps when URI password included in URL
4365144 ftp state engine can't handle tcp option tstamp
4366229 Possible for encryption rules to generate system panic
4370757 ftp with NAT has sequence number problem which was introduced after fix for PASV FTP attacks
4371831 "Fragmentation Needed but DF bit set" message sent out in error when encryption rules are used

(from 108157-08)
4347894 Protection against PASV FTP attacks
4347899 File containing something that looks like FTP commands could be misinterpreted
4347905 Protection against jolt2.c fragmentation attacks

(from 108157-07)
4326689 Passive HA stealth screen sends ARP's
4333069 traffic passes to undefined addresses when interface addr grp used in rules.

(from 108157-06)
4314493 stealth mode floods network on incorrect broadcasts.
4328055 logdump -i file -x0 does not display hex dump of packet
4329296 IPSec fragments get dropped in stealth mode.

(from 108157-05)
4281974 http proxy stops working. connection limit problem.
4297741 doesn't show absolute time for SESSION logs
4302422 64-bit kernel writes session log records incorrectly.
4310845 ICMP need to fragment pkts not translated in tunnel.
4313231 Mixed mode panic with non-ip panics & tunnel of localhost.
4317939 GUI can fail in ssadm.nl_catd class (AppletSecurityException).

(from 108157-04)
4258953 Cannot view online docs with java plugin
4263985 Mix of Dynamic NAT & Encrypted tunnelling problems
4292561 ssadm ha active_mode && ssadm ha passive_mode can set both screens passive.
4296011 SYN/RST spoofed packets reset statetable entry (DoS)
4302056 screeninfo: replaced "arp -a" with "netstat -pn"
4306041 smtp proxy fails with large msg on very slow connections.

(from 108157-03)
4253279 Using snoop, NAT not showing correct address.
4275509 Verify NAT address grps are not empty.
4280375 Kernel panic when empty stealth interface address grps are set with encrypted traffic. Also compiler warning when address group is empty and SPF tag not set on screen object.
4286707 Disabled interface not cleared unless rebooted.
4287892 logwhy option not working.
4291630 Editor dumps core when "load" with no policy specified.
4291953 findcore will run off onto nfs & automount directories

(from 108157-02)
4231913 Admin user write does not have all privileges.
4231917 Admin user read does not have all privileges.
4257613 findcore should run "file" on all core files.
4259288 screeninfo needs to gather more information.
4259291 screeninfo gets java MalformedInputException on U5/U10.
4263150 Activate fails on CMG 24-48hr since last activate.
4271577 Http Proxy not handling cookies properly.
4273153 Undefined address in AccessRemote causes core.
4278908 SNMP not sending alerts.
4280348 Ether state engine not working.

(from 108157-01)
4267482 i18n: The "status" information is displayed incorrectly in zh locale.
4268211 i18n: Delete window of active configuration is not i18n
4269897 i18n: A policy with Chinese characters in its name can't be activated.
4272397 execute skiplocal with C locale for parsable result.
4273198 removed space before macro for proper getmsg processing.
4273416 i18n: Object type pull down menu in common object area is not i18n.
4274877 i18n: Some properties are duplicated.
4276516 Can not activate a l10n policy name via GUI admin.
4279409 i18n: 'ssadm logdump -x' causes Java exception.

Patch Installation Instructions:
--------------------------------
See Special Install Instructions.

Special Install Instructions:
-----------------------------

OS Patch Requirements for LibC
------------------------------
Installation of this patch without the proper LibC patch installed will
result in the inability to edit or activate a policy. An example of the
error produced by this failure might look as follows:

# ssadm edit Initial
ld.so.1: edit: fatal: relocation error: file edit: symbol __1cDstdJbad_allocG__vtbl_: referenced symbol not found
#

If you experience such a problem after installing patch 108157-16, the
appropriate LibC patch can be installed, and the problem should
disappear. The LibC patch required is as follows:

Solaris 2.6: 104678-12 or later
Solaris 7:   106328-13 or later

Installation Instructions for the Administration Station
--------------------------------------------------------
1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Administration Station, ensure
   that you have already installed the latest version of Solaris patch
   106125. Version 106125-06 is available on your EFS 3.0 CD.

3. Transfer the patch file to the Administration Station.

4. Then type:

   # uncompress 108157-16.tar.Z
   # tar xf 108157-16.tar
   # patchadd 108157-16

Installation Instructions for Locally Administered Screens
-----------------------------------------------------------
1. Become root on the Screen.

2. If you are running Solaris 2.6 on the Screen, ensure that you have
   already installed the latest version of Solaris patch 106125. Version
   106125-06 is available on your SunScreen EFS 3.0 Rev B CD.

3. Transfer the patch file to the Screen using a diskette or ftp (with
   3 MB free).

4. Type the following:

   # uncompress 108157-16.tar.Z
   # tar xf 108157-16.tar
   # patchadd 108157-16

5. Reboot the Screen.

Instructions for Remotely Administered Screens in Stealth Mode.
---------------------------------------------------------------
Use this procedure ONLY if you cannot otherwise transfer the patch to
the Screen.

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Screen, ensure that you have
   already installed the latest version of Solaris patch 106125. Version
   106125-06 is available on your SunScreen EFS 3.0 Rev B CD.

3. Transfer the patch file to the Administration Station.

4. Type the following:

   # ssadm -r patch install < 108157-16.tar.Z

Additional Installation Instructions for Users of the Java Plug-In for
GUI Administration
--------------------------------------------------------------------
Use this procedure only if you are using the Java plug-in for GUI
administration.

If the file identitydb.obj is used only with the SunScreen EFS 3.0 Rev B
product, replace the existing identitydb.obj file with the new
identitydb.obj file included in this patch. The new file is located on
the Screen at
/opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj.

If you are running in stealth mode and do not have access to this file,
you can retrieve it from the actual patch files with the following
commands run on your Administration Station:

# uncompress 108157-16.tar.Z
# tar xf 108157-16.tar
# cp 108157-16/SUNWicgSS/reloc/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/identitydb.obj /tmp/identitydb.obj

If the file identitydb.obj is used by other applications, then add
SunScreen as one of the accepted signers to the file identitydb.obj
using the following steps:

1. Copy the old identitydb.obj to your home directory.

2. Type the following, substituting the path for the javakey binary
   (/usr/java1.1) for $JAVA_HOME:

   % $JAVA_HOME/javakey -r SunScreenEFS
   % $JAVA_HOME/javakey -cs SunScreenEFS true
   % $JAVA_HOME/javakey -ic SunScreenEFS /etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509

   If you are running in stealth mode and do not have access to this
   file, you can retrieve it from the actual patch files with the
   following commands run on your Administration Station:

   # uncompress 108157-16.tar.Z
   # tar xf 108157-16.tar
   # cp 108157-16/SUNWicgSS/root/etc/opt/SUNWicg/SunScreen/SunScreenEFS.x509 /tmp/SunScreenEFS.x509

3. Copy the file identitydb.obj to a diskette for distribution to other
   Administration Stations and install it in the following directories:

   $HOME on UNIX systems
   C:\WINDOWS directory for single user Windows 95 systems
   C:\WINDOWS\PROFILES\username for multiuser Windows 95 & 98 systems
   C:\WINNT\PROFILES\username on Windows NT systems

Instructions for Identifying Patches Installed on System
--------------------------------------------------------
1. To identify the patch level on your locally administered Screen, type
   the commands:

   # ls -lt /var/sadm/patch > screen.pkginfo
   # pkginfo -l >> screen.pkginfo

2. To identify the patch level on your remotely administered Screen in
   stealth mode:

   # ssadm -r lib/support packages > screen.pkginfo

   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and (3) the
   contents of /var/log/patch.log.

3. To identify the patch level on your Administration Station, type the
   commands:

   # ls -lt /var/sadm/patch > admin.pkginfo
   # pkginfo -l >> admin.pkginfo

Instructions to Remove the Patch on the Administration Station
--------------------------------------------------------------
1. Become root on the Administration Station.

2. Then type:

   # patchrm 108157-16

Instructions to Remove the Patch on Locally Administered Screens
----------------------------------------------------------------
1. Become root on the Screen.

2. Type the following:

   # patchrm 108157-16

Instructions to Remove the Patch on Remotely Administered Screens in
Stealth Mode
--------------------------------------------------------------------
Use this procedure ONLY if you cannot otherwise obtain access to a login
prompt on the Screen.

1. Become root on the Administration Station.

2. If you are running Solaris 2.6 on the Screen, ensure that you have
   already installed the latest version of Solaris patch 106125. Version
   106125-06 is available on your SunScreen EFS 3.0 Rev B CD.

3. Type the following:

   # ssadm -r patch backout 108157-16

Patch Installation Instructions for High Availability (HA) Clusters
-------------------------------------------------------------------
1. Determine which screen is ACTIVE within the HA cluster using the
   following command on each:

   # ssadm ha status

2. Follow the appropriate patch installation instructions from this
   README file to install the patch on the CURRENTLY ACTIVE SCREEN within
   the HA cluster (determined from the previous step).

3. Be sure to reboot that screen upon completion of the patch
   installation.

4. After the reboot, the screen on which the patch was just installed
   will come up in PASSIVE mode and some other member of the HA cluster
   will become ACTIVE.

5. Repeat steps 1-4 until the patch has been applied to all members of
   the HA cluster.

Notes on patching HA clusters:

If the patch is installed on a PASSIVE screen before it is installed on
an ACTIVE screen, the HA daemon ss_had can core dump; this gives
symptoms similar to bug 4347381.

The SunScreen HA model works by having 2 or more firewalls in parallel.
All firewalls see the same packets and hence calculate the same
statetable entries. If a packet matches a statetable entry, it is
passed through the screen. If the ACTIVE screen is rebooted, one of the
PASSIVE firewall(s) will take over. Existing connections will still be
maintained, as the PASSIVE firewall which has just become ACTIVE already
has the statetable entries.

Once the originally ACTIVE firewall has been rebooted, it will have an
empty statetable. This firewall will add any new connections made since
it was rebooted to its statetable, but will not know about connections
established before it was rebooted. If the currently ACTIVE screen is
then rebooted, some connections may get dropped. It's not possible to
say exactly how long it will take for both (all) the firewalls to have
the same statetable entries, as this will depend on the type of
connection being passed and the lifetime of this connection.

Running the following command on both (all) firewalls in the cluster
will give the administrator a good indication of when it is safe to
reboot the second firewall without significant loss of service:

# ssadm lib/statetables | grep ESTABLISHED | wc -l

Additional Patch Installation Instructions
------------------------------------------
Refer to the "Install.info" file within the patch for instructions on
using the generic 'installpatch' and 'backoutpatch' scripts provided
with each patch.

README -- Last modified date: Friday, January 3, 2003
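A pre-installation check for the LibC and 106125 prerequisites named in the "OS Patch Requirements for LibC" and installation sections above, written here as an added example that is not part of Sun's README. It assumes installed patch IDs can be read as directory names under /var/sadm/patch (the listing the "Instructions for Identifying Patches Installed on System" section uses) and embeds a constructed sample listing so it can run offline.

```shell
#!/bin/sh
# Added example, not part of Sun's README: check the prerequisite Solaris
# patches this README names (LibC patch 104678-12 on Solaris 2.6 or
# 106328-13 on Solaris 7, plus 106125-06 on Solaris 2.6) before running
# patchadd 108157-16. Installed patch IDs are read from a listing of
# /var/sadm/patch (the README's "ls -lt /var/sadm/patch" step); the listing
# is passed in as text so the checks also run offline against a sample.

# Strip leading zeros so a revision such as "06" compares numerically.
rev_num() {
    n=$(printf '%s\n' "$1" | sed 's/^0*//')
    printf '%s\n' "${n:-0}"
}

# patch_satisfied INSTALLED_LIST REQUIRED
# Returns 0 if REQUIRED ("BASE-REV"), or a later revision of BASE, appears
# in the newline-separated INSTALLED_LIST.
patch_satisfied() {
    base=${2%-*}
    need=$(rev_num "${2##*-}")
    # highest installed revision of this base ID, if any
    have=$(printf '%s\n' "$1" | grep "^${base}-" | sed "s/^${base}-//" |
           sort -n | tail -1)
    [ -n "$have" ] || return 1
    [ "$(rev_num "$have")" -ge "$need" ]
}

# Prerequisites named in this README, keyed by Solaris release.
prereqs_for_release() {
    case "$1" in
        2.6) echo "104678-12 106125-06" ;;   # LibC patch, Solaris patch 106125
        7)   echo "106328-13" ;;             # LibC patch
        *)   echo "no prerequisites known for Solaris $1" >&2; return 1 ;;
    esac
}

# check_prereqs RELEASE INSTALLED_LIST
# Prints the missing prerequisites on one line and returns 0 only when
# nothing is missing and the release is one this README covers.
check_prereqs() {
    prereqs=$(prereqs_for_release "$1") || return 1
    missing=""
    for p in $prereqs; do
        patch_satisfied "$2" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample listings, as "ls /var/sadm/patch" might print them.
SAMPLE_26='104678-11
105181-25
106125-06
108157-15'
SAMPLE_7='106328-14
108157-15'

# Stand-alone run: read the live listing on Solaris 2.6/7, else use the sample.
case $(uname -r) in
    5.6) RELEASE=2.6; LISTING=$(ls /var/sadm/patch) ;;
    5.7) RELEASE=7;   LISTING=$(ls /var/sadm/patch) ;;
    *)   RELEASE=2.6; LISTING=$SAMPLE_26 ;;
esac
if MISSING=$(check_prereqs "$RELEASE" "$LISTING"); then
    echo "prerequisites for 108157-16 present on Solaris $RELEASE"
else
    echo "install before 108157-16: $MISSING"
fi
```

On the sample listing the script reports 104678-12 as missing (only 104678-11 is present), which is exactly the case that produces the ld.so.1 relocation error shown above.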