Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-77-1000039.1
Update Date: 2011-02-11

Solution Type  Sun Alert Sure

Solution 1000039.1: Sun Fire X2100 M2/X2200 M2 ELOM is Vulnerable to Unauthorized Use as a Proxy For Sending Unsolicited Bulk E-mail (Spam)


Related Items
  • Sun Fire X2200 M2 Server
  • Sun Fire X2100 M2 Server
Related Categories
  • GCS>Sun Microsystems>Sun Alert>Criteria Category>Security
  • GCS>Sun Microsystems>Sun Alert>Release Phase>Resolved

Previously Published As
200051


Product
Sun Fire X2100 M2 Server
Sun Fire X2200 M2 Server

Bug Id
<SUNBUG: 6546916>

Date of Resolved Release
28-SEP-2007

Impact

A security vulnerability in the X2100 and X2200 M2 Embedded Lights Out Manager (ELOM) software may allow remote unprivileged users to initiate unauthorized network traffic from the embedded service processor (SP). This may allow the SP to be used as a proxy to send unsolicited bulk e-mail (spam).


Contributing Factors

This issue can occur on the following platforms:

  • Sun Fire X2100 M2 Server
  • Sun Fire X2200 M2 Server

Notes:

  1. No other x64 systems are affected by this issue.
  2. The SPARC platform is not affected by this issue.

To determine the firmware version of the SP, the ipmitool(1M) utility can be run as in the following example:

    $ ipmitool -H <hostname> -U <username> mc info
    Device ID : 5
    Device Revision : 0
    Firmware Revision : 3.09
    IPMI Version : 2.0

or the following command can be used at the CLI (logged in to the SP):

    /SP -> show /SP/AgentInfo
    /SP/AgentInfo
    ...
    Properties:
        HWVersion = 0
        FWVersion = 3.09

 


Symptoms

There are no reliable symptoms that would indicate that this issue has been exploited.


Workaround

To prevent this issue from occurring, administrators can restrict access to the SP either by connecting to it only via the serial port or by connecting the Net Mgmt RJ-45 Ethernet port to a private management network.

Additional information regarding management of the Sun Fire X2100/X2200 M2 Servers, ELOM, and ipmitool(1M) can be found in the "Embedded Lights Out Manager Administration Guide".


Resolution

This issue is resolved in SP/BMC firmware version 3.09, delivered on the Tools and Drivers CD ISO image version 1.5 (for the X2100) and 1.5a (for the X2200), available from the Oracle Software Downloads page at:

http://www.oracle.com/technetwork/indexes/downloads/sun-az-index-095901.html
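
The firmware check above can be scripted for a fleet audit. The following is an added example, not part of the original Sun Alert: it parses `ipmitool mc info` output and compares the revision with the fixed version 3.09. The function names and sample outputs are constructed, and it assumes that any revision lower than 3.09 predates the fix.

```shell
#!/bin/sh
# Added example: classify an SP from `ipmitool mc info` output on stdin.
FIXED_REV="3.09"   # fixed SP/BMC firmware version named in the Resolution section

# Print the "Firmware Revision" value found in mc info text on stdin.
fw_revision() {
    awk -F: '/^[[:space:]]*Firmware Revision/ {
        gsub(/[[:space:]]/, "", $2); print $2; exit
    }'
}

# Compare a major.minor revision with FIXED_REV numerically, so that
# "3.09" is not misread as octal. Prints FIXED, OUTDATED or UNKNOWN.
# Assumption: revisions lower than FIXED_REV predate the fix.
classify_rev() {
    awk -v r="$1" -v f="$FIXED_REV" 'BEGIN {
        if (r !~ /^[0-9]+\.[0-9]+$/) { print "UNKNOWN"; exit }
        split(r, a, "."); split(f, b, ".")
        if (a[1]+0 > b[1]+0 || (a[1]+0 == b[1]+0 && a[2]+0 >= b[2]+0))
            print "FIXED"
        else
            print "OUTDATED"
    }'
}

# Read mc info output on stdin and print the status of that SP.
# Live use: ipmitool -H <hostname> -U <username> mc info | check_sp
check_sp() {
    classify_rev "$(fw_revision)"
}

# Constructed sample outputs (not captured from real systems).
SAMPLE_FIXED='Device ID : 5
Device Revision : 0
Firmware Revision : 3.09
IPMI Version : 2.0'
SAMPLE_OLD='Device ID : 5
Device Revision : 0
Firmware Revision : 2.70
IPMI Version : 2.0'

printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_FIXED" | check_sp)"
printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | check_sp)"
```

An UNKNOWN result means the revision line was missing or not in major.minor form, and that SP should be checked by hand.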

Modification History
Date: 04-OCT-2007
  • Updated the Resolution section

Date: 25-OCT-2007
  • Updated the Synopsis

Date: 30-OCT-2007
  • Updated Contributing Factors and Relief/Workaround sections

Previously Published As
102942
Internal Comments
Internal Contributor/submitter
Gerry.Krajenka@Sun.COM
Internal Eng Business Unit Group
NSG (Network Systems Group)
Internal Eng Responsible Engineer
Tongming.Zhou@Sun.COM, Chris.Kaminaris@Sun.COM
Internal Services Knowledge Engineer
jeff.folla@sun.com
Internal Sun Alert Kasp Legacy ID
102942

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.