Patch-ID# 112613-05
Keywords: encryption sunscreen international
Synopsis: SunScreen 3.2 miscellaneous fixes for Solaris 9 SPARC
Date: Mar/08/2004


******************************************************
   The items made available through this website
   are subject to United States export laws and
   may be subject to export and import laws
   of other countries. You agree to strictly comply
   with all such laws and obtain licenses to
   export, re-export, or import as may be required.
   Unless expressly authorized by the United States
   Government to do so you will not, directly or
   indirectly, export or re-export the items made
   available through this website, nor direct the
   items therefrom, to any  embargoed or restricted
   country identified in the United States export
   laws, including but not limited to the Export
   Administration Regulations (15 C.F.R. Parts
   730-774).
******************************************************

Install Requirements: None

Solaris Release: 9

SunOS Release: 5.9

Unbundled Product: SunScreen EFS

Unbundled Release: 3.2

Xref: This patch is available for Trusted Solaris 8 SPARC as Patch 112614.

Topic: 

Relevant Architectures: sparc

BugId's fixed with this patch: 4389132 4433735 4458205 4474065 4475718 4475976 4484731 4494052 4498719 4504550 4504560 4504562 4530873 4531796 4546483 4599245 4621944 4623384 4627419 4632254 4636508 4636511 4636514 4641757 4641855 4650187 4658497 4693028 4708402 4710480 4710493 4713896 4729278 4731099 4760976 4762492 4764370 4764373 4767244 4770205 4790511 4801062 4821206 4833684 4861572 4913304 4926941 4959989 4960160 4961375 4974853 4987066 4987247 4987254 4987260

Changes incorporated in this version: 4926941 4959989 4913304 4961375 4960160 4974853 4987247 4987066 4987254 4987260

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch: 

Patches required with this patch: 

Obsoleted by: 
NOTE:
Files changed in this version of the patch:
/kernel/drv/screen
/kernel/drv/sparcv9/screen
/kernel/strmod/efs
/kernel/strmod/sparcv9/efs
/kernel/strmod/sparcv9/spf
/kernel/strmod/spf
/usr/kernel/drv/screen_ipsec
/usr/kernel/drv/screen_skip
/usr/kernel/drv/sparcv9/screen_ipsec
/usr/kernel/drv/sparcv9/screen_skip
/usr/kernel/misc/screen_dns
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_ip
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_ping
/usr/kernel/misc/screen_pmap
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/screen_stateless
/usr/kernel/misc/screen_tcp
/usr/kernel/misc/screen_ts7
/usr/kernel/misc/screen_ts8
/usr/kernel/misc/screen_udp
/usr/kernel/misc/sparcv9/screen_dns
/usr/kernel/misc/sparcv9/screen_fail
/usr/kernel/misc/sparcv9/screen_ftp
/usr/kernel/misc/sparcv9/screen_ip
/usr/kernel/misc/sparcv9/screen_nfsro
/usr/kernel/misc/sparcv9/screen_normal
/usr/kernel/misc/sparcv9/screen_ping
/usr/kernel/misc/sparcv9/screen_pmap
/usr/kernel/misc/sparcv9/screen_raudio
/usr/kernel/misc/sparcv9/screen_rsh
/usr/kernel/misc/sparcv9/screen_sqlnet
/usr/kernel/misc/sparcv9/screen_stateless
/usr/kernel/misc/sparcv9/screen_tcp
/usr/kernel/misc/sparcv9/screen_ts7
/usr/kernel/misc/sparcv9/screen_ts8
/usr/kernel/misc/sparcv9/screen_udp
/usr/lib/sunscreen/lib/certdb
/usr/lib/sunscreen/lib/certlocal
/usr/lib/sunscreen/lib/certrldb
/usr/lib/sunscreen/lib/libcertlib.so.1
/usr/lib/sunscreen/ssadm/debug_level

Files included with this patch: 

/etc/init.d/plumbsunscreen
/etc/rcS.d/S21plumbsunscreen
/kernel/drv/screen
/kernel/drv/sparcv9/screen
/kernel/strmod/efs
/kernel/strmod/sparcv9/efs
/kernel/strmod/sparcv9/spf
/kernel/strmod/spf
/sbin/ss_plumb_interface
/usr/kernel/drv/screen_ipsec
/usr/kernel/drv/screen_skip
/usr/kernel/drv/sparcv9/screen_ipsec
/usr/kernel/drv/sparcv9/screen_skip
/usr/kernel/misc/screen_dns
/usr/kernel/misc/screen_fail
/usr/kernel/misc/screen_ftp
/usr/kernel/misc/screen_ip
/usr/kernel/misc/screen_nfsro
/usr/kernel/misc/screen_normal
/usr/kernel/misc/screen_ping
/usr/kernel/misc/screen_pmap
/usr/kernel/misc/screen_raudio
/usr/kernel/misc/screen_rsh
/usr/kernel/misc/screen_sqlnet
/usr/kernel/misc/screen_stateless
/usr/kernel/misc/screen_tcp
/usr/kernel/misc/screen_ts7
/usr/kernel/misc/screen_ts8
/usr/kernel/misc/screen_udp
/usr/kernel/misc/sparcv9/screen_dns
/usr/kernel/misc/sparcv9/screen_fail
/usr/kernel/misc/sparcv9/screen_ftp
/usr/kernel/misc/sparcv9/screen_ip
/usr/kernel/misc/sparcv9/screen_nfsro
/usr/kernel/misc/sparcv9/screen_normal
/usr/kernel/misc/sparcv9/screen_ping
/usr/kernel/misc/sparcv9/screen_pmap
/usr/kernel/misc/sparcv9/screen_raudio
/usr/kernel/misc/sparcv9/screen_rsh
/usr/kernel/misc/sparcv9/screen_sqlnet
/usr/kernel/misc/sparcv9/screen_stateless
/usr/kernel/misc/sparcv9/screen_tcp
/usr/kernel/misc/sparcv9/screen_ts7
/usr/kernel/misc/sparcv9/screen_ts8
/usr/kernel/misc/sparcv9/screen_udp
/usr/lib/sunscreen/admin/cgi-bin/html_logdump
/usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecHeader.class
/usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/IPsecPanel.class
/usr/lib/sunscreen/admin/htdocs/lib/admin/com/sun/sunscreen/efs/internal/gui/ServiceApplet.class
/usr/lib/sunscreen/admin/htdocs/plugin/welcome.html
/usr/lib/sunscreen/admin/htdocs/welcome.html
/usr/lib/sunscreen/admin/jass/Finish/minimize-sunscreen.fin
/usr/lib/sunscreen/lib/authuser
/usr/lib/sunscreen/lib/certdb
/usr/lib/sunscreen/lib/certlocal
/usr/lib/sunscreen/lib/certrldb
/usr/lib/sunscreen/lib/datacompiler
/usr/lib/sunscreen/lib/efs2to3
/usr/lib/sunscreen/lib/jar_hash
/usr/lib/sunscreen/lib/jar_sig
/usr/lib/sunscreen/lib/libcertlib.so
/usr/lib/sunscreen/lib/libcertlib.so.1
/usr/lib/sunscreen/lib/logdump
/usr/lib/sunscreen/lib/logmacro
/usr/lib/sunscreen/lib/logmsg
/usr/lib/sunscreen/lib/natcompiler
/usr/lib/sunscreen/lib/proxyuser
/usr/lib/sunscreen/lib/ss_access_convert
/usr/lib/sunscreen/lib/ss_compiler
/usr/lib/sunscreen/lib/ss_disable_send
/usr/lib/sunscreen/lib/ss_ha
/usr/lib/sunscreen/lib/ss_had
/usr/lib/sunscreen/lib/ss_logd
/usr/lib/sunscreen/lib/ss_rule_convert
/usr/lib/sunscreen/lib/ss_upgrade
/usr/lib/sunscreen/lib/strs
/usr/lib/sunscreen/lib/user_authenticate
/usr/lib/sunscreen/lib/vars
/usr/lib/sunscreen/proxies/ftpp
/usr/lib/sunscreen/proxies/smtpp
/usr/lib/sunscreen/ssadm/configure
/usr/lib/sunscreen/ssadm/debug_level
/usr/lib/sunscreen/ssadm/edit
/usr/lib/sunscreen/ssadm/lock
/usr/lib/sunscreen/ssadm/log
/usr/lib/sunscreen/ssadm/logdump
/usr/lib/sunscreen/ssadm/logmacro
/usr/lib/sunscreen/ssadm/logstats
/usr/lib/sunscreen/ssadm/traffic_stats
/usr/lib/sunscreen/support/statetables
/usr/lib/sunscreen/support/statetables64

Problem Description:

4926941 sunscreen 3.2 pmap state engine dropping NULL procedure
4959989 Fin Ack does not change state to ESTABLISHED
4913304 Retransmission FIN packet is dropped in CLOSING state
4961375 SS3.2 leaking memory in HA passive node config
4960160 sunscreen certrldb core dumps from invalid CRL
4974853 certrldb will dump core if pem_to_ber() returns NULL
4987247 SunScreen certificate tools don't check open() return codes.
4987066 certrldb -e dumps core
4987254 ssadm certlocal -r - dumps core
4987260 SunScreen certrldb command exits without an error.
 
(from 112613-04)
 
4801062 Customer want's less descriptive log, to not resolve hostname. only IP addresses
 
There is a new -r option to the logdump command; this forces logdump not
to use the name service to resolve IP addresses to names.
 
Example:
 
ssadm log get | ssadm logdump -i - -r
 
4861572 Sunscreen 3.1 network connectivity slows to unusable level
4833684 sunscreen admin gui hangs when selecting a service that uses a range
4389132 wrong version number of new created policy shown.
4433735 security home page URL at welcome screen should pop-up new browser window.
4821206 SunScreen 3.2 PROXY_SMTP truncates MTA replies (EHLO, HELP)
 
statetable_summary
------------------
 
This script is provided to aid diagnosis of performance problems caused by
large state tables. It performs analysis on a file containing the output
from one of:
 
ssadm lib/statetables
ssadm lib/nattables
ssadm lib/screeninfo
 
Usage:
 
/usr/lib/sunscreen/support/statetable_summary file_to_analyse
 
The output is written to stdout and files in /var/tmp
 
This script can be run on a system with SunScreen installed in which case
it will run the statetables & nattables commands directly if an input file 
is not specified.
 
 
If an input file is provided then the script can be run on any Solaris
system, it does not have to be run on the screen. In many cases this
is desirable because the script can take a very long time to run and
generate significant load on the system if the statetable it is analysing
is very large.
 
As with all programs in /usr/lib/sunscreen/support this is
provided for support purposes only and not a supported part of the product.
 
 
(from 112613-03)
 
4484731 typo in ss_had error message
4599245 Some HA messages don't get into messages files
4636508 ss_had does not log enough information to diagnose HA issues.
4636511 Age drift can cause unnecessary HA failover
4636514 Active screen will become passive then active when ss_had restarted on secondary
4710480 ss_had prints erroneous errors to syslog.
4790511 FTP proxy: after of subcommand REST error 503 bad sequence of commands
 
(from 112613-02)
 
4475976 Does not properly process SYN+ACK packets generated by VIP on local loopback
4531796 ss_had shutdown sends gratuitous arp with wrong MAC address
4621944 ss_had is writing Error: received short packet to /var/adm/messages
4710493 Network error on heartbeat link can cause HA failover.
4713896 SunScreen3.1 allows to pass the TCP data packets prior to 3way-hand-shake.
4729278 logdump does no bounds checking on transient ports array
4731099 Panic in screen_nfsro:nfsro_tcp_check()
4760976 Fin Attack!! port continues being open
4762492 Duplicate FIN or RST will reset SunScreen CLOSING timer.
4764370 Duplicate Syn/Ack can change SunScreen state from from ESTABLISHED to CONNECTING
4764373 SunScreen does not check sequence numbers of FIN packets
4767244 SunScreen allows FIN packet in CONNECTING state.
4770205 SunScreen EFS 3.1 rejects RST packet unexpectedly
 
(from 112613-01)
 
4458205 traffic_stats output has error
4474065 SunScreen cluster can hang (allocb fail)
4475718 large number of address objects in policy can cause compile failure
4494052 UDP 162 is not being blocked
4498719 ifconfig modlist can fail with "invalid argument"
4504550 problem re-editing manual ipsec parameters in SunScreen GUI
4504560 Cannot add Source/Dest tunnel in manual ipsec rules in GUI
4504562 Cannot add tunnel address in manual ipsec rules in GUI
4530873 ssadm traffic_stats reports negative values
4546483 Manual IPsec policy cannot be compiled in SunScreen HA configuration
4623384 Transport mode IPsec fragments dropped in reassembly
4627419 GUI does not allow ESP with no auth with IPsec Manual
4632254 sqlnet engine hangs after fetching few records
4641757 panic in screen_ipsec when wrong source tunnel address received
4641855 GUI strips out white space from key names when creating rules
4650187 SunScreen cannot handle RealAudio traffic
4658497 Problem with multiple screen definitions containing HA_ETHER
4693028 Stealth Screen can leak packets destined to non-local subnet with no route
4708402 ss_ipsecd shutdown sequence can cause panic

Patch Installation Instructions:
--------------------------------
See Special Install Instructions.

Special Install Instructions:
-----------------------------
 
Installation Instructions for the Administration Station
--------------------------------------------------------
 
1. Become root on the Administration Station.
 
2. Transfer the patch file to the Administration Station.
 
3. Then type:
 
        # uncompress 112613-05.tar.Z
        # tar xf 112613-05.tar
        # patchadd 112613-05
 
 
Installation Instructions for Locally Administered Screens
----------------------------------------------------------
 
1. Become root on the Screen.
 
2. Transfer patch file to the Screen using a diskette or ftp (with 3 MB free).
 
3. Type the following:
        # uncompress 112613-05.tar.Z
        # tar xf 112613-05.tar
        # patchadd 112613-05
 
4. Reboot the Screen.
 
 
How to be sure this is the Correct SunScreen 3.2 Patch
------------------------------------------------------
 
There were two revisions of the SunScreen 3.2 product.  The installation
of patch 112613-05 will fail if the revision you are patching does not
match that of the product installed.  In the case of a mismatch, you will 
see the following error:
 
	# patchadd 112613-05
 
	Checking installed patches...
	One or more patch packages included in
	112613-05 are not installed on this system.
 
	Patchadd is terminating.
	#
 
To verify which product revision is installed, run the following command:
 
	# pkginfo -l SUNWsfwr | grep VERSION
 
For patch 112613-05, the result should be as follows:
 
	   3.2,REV=45
 
If you get no result, then there was a problem installing the SunScreen
3.2 product initially, and the installation logs should be checked for 
errors. If you have a revision mismatch, the result will read as follows:
 
	   3.2,REV=42
 
In this case, you are installing the wrong patch. You should be installing 
patch 112614 instead.
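The revision check above, written out as an added pre-flight script (not part of Sun's README). It applies the README's rule for the SUNWsfwr VERSION string and recognises the patchadd failure quoted above; the sample inputs are constructed, and it assumes a POSIX shell (/usr/xpg4/bin/sh or ksh on Solaris 9, not the Bourne /bin/sh).

```shell
#!/bin/sh
# Added pre-flight check for patch 112613-05 (not from the Sun README).
# Rule from the README: 3.2,REV=45 -> 112613-05; 3.2,REV=42 -> 112614;
# no VERSION line -> the product install itself needs checking.

# $1: the line printed by "pkginfo -l SUNWsfwr | grep VERSION".
# Prints the patch id that applies, or a diagnostic token.
patch_for_version() {
    rev=$(printf '%s\n' "$1" | sed -n 's/.*3\.2,REV=\([0-9][0-9]*\).*/\1/p')
    case "$rev" in
        45) echo 112613-05 ;;            # this patch
        42) echo 112614 ;;               # the other product revision's patch
        "") echo NO_VERSION ;;           # SUNWsfwr absent or install incomplete
        *)  echo "UNKNOWN_REV=$rev" ;;   # a revision the README does not list
    esac
}

# $1: VERSION line. Returns 0 only when 112613-05 may be installed;
# the verdict is written to stdout.
preflight() {
    want=$(patch_for_version "$1")
    case "$want" in
        112613-05)  echo "ok: install 112613-05"; return 0 ;;
        112614)     echo "revision mismatch: install patch 112614 instead"; return 1 ;;
        NO_VERSION) echo "no SUNWsfwr VERSION: check the product installation logs"; return 1 ;;
        *)          echo "unexpected product revision ($want)"; return 1 ;;
    esac
}

# $1: captured patchadd output. Returns 0 if it is the package-mismatch
# failure the README quotes, which is when the revision check applies.
is_revision_mismatch_failure() {
    printf '%s\n' "$1" | grep -q 'are not installed on this system'
}

# The failure text as the README shows it (used by the demo and tests).
sample_patchadd_failure='Checking installed patches...
One or more patch packages included in
112613-05 are not installed on this system.

Patchadd is terminating.'

# Demo on constructed VERSION lines in the layout pkginfo -l prints.
for v in "   VERSION:  3.2,REV=45" "   VERSION:  3.2,REV=42" ""; do
    preflight "$v" || true
done
if is_revision_mismatch_failure "$sample_patchadd_failure"; then
    echo "patchadd output matches the README's revision-mismatch failure"
fi
# On the real host:  preflight "$(pkginfo -l SUNWsfwr | grep VERSION)"
```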
 
 
Instructions for Remotely Administered Screens in Stealth Mode
--------------------------------------------------------------
 
Use this procedure ONLY if you cannot otherwise transfer the patch to 
the Screen.
 
1. Become root on the Administration Station.
 
2. Transfer the patch file to the Administration Station.
 
3. Type the following:
        # ssadm -r <Name_of_Screen> patch install < 112613-05.tar.Z
 
 
Installation Instructions for High Availability (HA) clusters.
--------------------------------------------------------------
 
 
1. Determine which screen is ACTIVE within the HA Cluster using the following
   command on each:
 
        # ssadm ha status
 
2. Follow appropriate patch installation instructions from this README file to 
   install the patch on the CURRENTLY ACTIVE SCREEN within the HA Cluster 
   (determined from the previous step).
 
3. Be sure to reboot that screen upon completion of the patch installation.
 
4. After the reboot, the screen which the patch was just installed on 
   will come up in PASSIVE mode and some other member of the HA cluster
   will become ACTIVE.
 
5. Repeat steps 1-4 until the patch has been applied to all members of 
   the HA cluster.
 
Notes on patching HA clusters:
 
The SunScreen HA model works by having 2 or more firewalls in parallel. Both
firewalls see the same packets and hence calculate the same statetable entries.
If a packet matches a statetable entry, then it is passed through the screen.
 
If the ACTIVE screen is rebooted, one of the PASSIVE firewall(s) will take over. 
Existing connections will still be maintained as the PASSIVE firewall(s)
which has just become ACTIVE will have the statetable entries.
 
Once the originally ACTIVE firewall has been rebooted, it will have an empty
statetable. This firewall will add any new connections made since it was 
rebooted to its statetable, but will not know about connections established
before it was rebooted. If the currently ACTIVE screen is rebooted, some
connections may get dropped.
 
It's not possible to say exactly how long it will take for both (all) the 
firewalls to have the same statetable entries as this will depend on the
type of connection being passed and the lifetime of this connection. 
Running the following command on both (all) firewalls in the cluster will
give the administrator a good indication of when it is safe to reboot 
the second firewall, without significant loss of service:
 
	# ssadm lib/statetables | grep ESTABLISHED | wc -l
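The same count turned into a comparison between HA members, as an added example that is not part of Sun's README: the passive screen should hold nearly as many ESTABLISHED entries as the active one before the active one is rebooted. It assumes only what the README's own pipeline assumes (established entries contain the word ESTABLISHED, one per line); the dump layout and the 10 percent tolerance are constructed, and a POSIX shell (/usr/xpg4/bin/sh or ksh on Solaris 9) is required.

```shell
#!/bin/sh
# Added HA convergence check (not from the Sun README). Feed it the saved
# "ssadm lib/statetables" output of the active and of a passive screen.

# Count ESTABLISHED entries in a statetable dump read from stdin
# (equivalent to the README's "grep ESTABLISHED | wc -l").
established_count() {
    grep -c 'ESTABLISHED' || true     # grep -c still prints 0 on no match
}

# $1: active count, $2: passive count, $3: tolerance in percent (default 10,
# a constructed threshold to tune per site). Returns 0 when the passive
# screen is missing no more than $3 percent of the active screen's entries.
ha_converged() {
    active=$1; passive=$2; tolerance=${3:-10}
    [ "$active" -eq 0 ] && return 0   # nothing to lose
    missing=$(( (active - passive) * 100 / active ))
    [ "$missing" -le "$tolerance" ]
}

# Constructed sample dumps standing in for the two screens' statetables;
# the line layout is invented, only the state word is relied upon.
active_dump='10.1.1.20:41022 -> 10.2.2.5:22   tcp ESTABLISHED
10.1.1.21:51790 -> 10.2.2.9:443  tcp ESTABLISHED
10.1.1.22:33104 -> 10.2.2.9:443  tcp ESTABLISHED
10.1.1.23:60231 -> 10.2.2.7:25   tcp CLOSING
10.1.1.24:42900 -> 10.2.2.5:22   tcp ESTABLISHED'
passive_dump='10.1.1.21:51790 -> 10.2.2.9:443  tcp ESTABLISHED
10.1.1.22:33104 -> 10.2.2.9:443  tcp ESTABLISHED
10.1.1.24:42900 -> 10.2.2.5:22   tcp ESTABLISHED'

# $1: active dump text, $2: passive dump text. Prints the verdict.
report() {
    a=$(printf '%s\n' "$1" | established_count)
    p=$(printf '%s\n' "$2" | established_count)
    if ha_converged "$a" "$p" 10; then
        echo "active=$a passive=$p: passive has caught up, safe to reboot active"
    else
        echo "active=$a passive=$p: wait, passive is still missing entries"
    fi
}

report "$active_dump" "$passive_dump"
# On a real cluster, capture "ssadm lib/statetables" on each member and
# pass the two captures to report.
```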
 
 
Instructions for Identifying Patches Installed on System
--------------------------------------------------------
 
1. To identify the patch level on your locally administered Screen,
   type the commands:
 
        # ls -lt /var/sadm/patch > screen.pkginfo
        # pkginfo -l >> screen.pkginfo
 
2. To identify the patch level on your remotely administered Screen
   in stealth mode: 
 
        # ssadm -r <Name_of_Screen> lib/support packages > screen.pkginfo
 
   This shows (1) ls -lt /var/sadm/patch, (2) pkginfo -l, and
   (3) the contents of /var/log/patch.log.
 
3. To identify the patch level on your Administration Station, type 
   the commands:
 
        # ls -lt /var/sadm/patch > admin.pkginfo
        # pkginfo -l >> admin.pkginfo
 
 
Instructions to remove the patch on the Administration Station
--------------------------------------------------------------
 
1. Become root on the Administration Station.
 
2. Then type:
 
        # patchrm 112613-05
 
 
Instructions to Remove the Patch on Locally Administered Screen
---------------------------------------------------------------
 
1. Become root on the Screen.
 
2. Type the following:
 
        # patchrm 112613-05
 
 
Instructions to Remove the Patch on Remotely Administered Screens in 
Stealth Mode
--------------------------------------------------------------------
 
Use this procedure ONLY if you cannot otherwise obtain access to a 
login prompt on the Screen.
 
1. Become root on the Administration Station.
 
2. Type the following:
        # ssadm -r <Name_of_Screen> patch backout 112613-05
 
 
Additional Patch Installation Instructions
------------------------------------------
  Refer to the "Install.info" file within the patch for instructions on
  using the generic 'installpatch' and 'backoutpatch' scripts provided
  with each patch.

README -- Last modified date:  Monday, March 8, 2004

