Kebe Says - Dan McDonald's Blog

A Request to Security Researchers from illumos

A Gentle Reminder About illumos

A very bad security vulnerability in Solaris was patched-and-announced by Oracle earlier this week. Turns out, we in open-source-descendant illumos had something in the same neighborhood. We can’t confirm it’s the same bug because reverse-engineering Oracle Solaris is off the table.

In general if a vulnerability is an old one in Solaris, there’s a good chance it’s also in illumos. Alex Wilson said it best in this recent tweet:

If you want to see the full history, the first 11 minutes of my talk from 2016’s FOSDEM contains WHY a sufficiently old vulnerability in Solaris 10 and even Solaris 11 may also be in illumos.

Remember folks, Solaris is closed-source under Oracle, even though it used to be open-source during the last years of Sun’s existence. illumos is open-source, related, but NOT the same as Solaris anymore. Another suggested talk covers this rather well, especially if you start at the right part.

The Actual Request

Because of this history and shared heritage, if you’re a security researcher, PLEASE make sure you find one of many illumos distributions, install it, and try your proof-of-concept on that as well. If you find the same vulnerability in illumos, please report it to us via the security@illumos.org mailing alias. We have a PGP key too!

Thank you, and please test your Solaris exploits on illumos too (and vice-versa).

A final suggested read

David Reed passed along a pointer to this paper by Dan Geer:

A Time for Choosing

Please read it, and understand the founding spirit of the Internet. And with that, I say goodbye to Oracle.

I'm leaving Oracle, and switching gears

15 years ago I was finishing up last-minute changes at NRL while getting ready to move coasts. While I'm not moving coasts, I'm at the point where I'm finishing up last-minute changes again.

I'm leaving Oracle this week, and will be trying something a bit different after that. I've been doing IPsec or at least TCP/IP related work for the entirety of my time at Sun. I expect to be back in TCP/IP-land relatively soon, but I will be learning some new-to-me technologies in the immediate future.

I've met and worked with some extraordinary people during my time at Sun. I hope to keep in touch with them after I depart. If any of you half-dozen readers wish to keep up, I'd suggest following my Twitter feed until I decide whether or not I find a new home for this blog. I'm also findable on Facebook and LinkedIn for those so inclined.

I, for one, welcome our new database-selling overlords.

In all honesty, I'm glad this regulatory dance is over. We've all been having a little itch in our brains about this. Even if any of us have had real work to do, we've been at least a little distracted by this whole acquisition uncertainty.

Well, we're finally part of Oracle now, and I think that's pretty cool. Larry E. wants to butt heads with IBM and HP directly, and quite honestly, we at Sun have been doing that on-and-off for at least my not-quite-14-years here. Now that this uncertainty has been removed, we can at least narrow the uncertainty to any internal-to-Oracle decisions, which given certain statements both in the past and yesterday seem pretty encouraging, at least from my engineering perspective.

Jonathan said we should light a candle for Sun. As a prank gift for my 40th birthday, I got a 40-ounce bottle of Olde English. I think instead I will pour that 40 for Sun.

New IPsec goodies in S10u7

Hello again. Pardon any latency. This whole Oracle thing has been a bit distracting. Never mind figuring out the hard way what limitations there are on racoon2 and what to do about them.

Anyway, Solaris 10 Update 7 (aka. 5/09) is now out. It contains a few new IPsec features that have been in OpenSolaris for a bit. They include:
  • HMAC-SHA-2 support per RFC 4868 in all three sizes (SHA-256, SHA-384, and SHA-512) for IPsec and IKE.
  • 2048-bit (group 14), 3072-bit (group 15), and 4096-bit (group 16) Diffie-Hellman groups for IKE. (NOTE: Be careful running 3072 or 4096 bit on Niagara 1 hardware, see here for why. Niagara 2 works better, but not optimally, with those two groups.)
  • IKE Dead Peer Detection
  • SMF Management of IPsec. Four new services split out from network/initial:
    • svc:/network/ipsec/ipsecalgs:default -- Sets up IPsec kernel algorithm mappings.
    • svc:/network/ipsec/policy:default -- Sets up the IPsec SPD (reads /etc/inet/ipsecinit.conf).
    • svc:/network/ipsec/manual-key:default -- Reads any manually-added SAs (reads /etc/inet/secret/ipseckeys).
    • svc:/network/ipsec/ike:default -- Controls the IKE daemon.
  • The UDP_NAT_T_ENDPOINT socket option from OpenSolaris, so you can develop your own NAT-Traversing IPsec key management apps without relying on in.iked.
We've even more goodies in OpenSolaris, BTW.
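
The HMAC-SHA-2 item above refers to RFC 4868, which fixes the key length at the hash output length and truncates the HMAC output to half that length for the integrity check value (ICV). The following is an added Python example of that computation and its verification, not Solaris or in.iked code; the function names, sample key and sample data are constructed for illustration.

```python
import hashlib
import hmac

# RFC 4868 integrity transforms: name -> (hash, key bytes, ICV bytes).
# The key length equals the hash output length; the ICV is the HMAC
# output truncated to half of it.
RFC4868_AUTH = {
    "HMAC-SHA-256-128": (hashlib.sha256, 32, 16),
    "HMAC-SHA-384-192": (hashlib.sha384, 48, 24),
    "HMAC-SHA-512-256": (hashlib.sha512, 64, 32),
}


def compute_icv(transform: str, key: bytes, data: bytes) -> bytes:
    """Return the truncated ICV for `data` under the named transform."""
    digestmod, key_len, icv_len = RFC4868_AUTH[transform]
    if len(key) != key_len:
        raise ValueError(f"{transform} requires a {key_len}-byte key")
    return hmac.new(key, data, digestmod).digest()[:icv_len]


def verify_icv(transform: str, key: bytes, data: bytes, icv: bytes) -> bool:
    """Check a received ICV; a wrong-length ICV fails before any comparison."""
    _, _, icv_len = RFC4868_AUTH[transform]
    if len(icv) != icv_len:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(compute_icv(transform, key, data), icv)


# Constructed sample input, not a captured packet.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DATA = b"constructed ESP bytes: SPI | sequence number | ciphertext"

if __name__ == "__main__":
    icv = compute_icv("HMAC-SHA-256-128", SAMPLE_KEY, SAMPLE_DATA)
    print(icv.hex(), verify_icv("HMAC-SHA-256-128", SAMPLE_KEY, SAMPLE_DATA, icv))
```

A peer that truncates to a different length than its partner, for example 96 bits instead of 128 for SHA-256, fails the length check here, which is how a truncation mismatch shows up as authentication failures on every packet.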
