Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition | |||
|
|
Solution Type Sun Alert Sure Solution 1000039.1 : Sun Fire X2100 M2/X2200 M2 ELOM is Vulnerable to Unauthorized Use as a Proxy For Sending Unsolicited Bulk E-mail (Spam)
PreviouslyPublishedAs 200051 Product Sun Fire X2100 M2 Server Sun Fire X2200 M2 Server Bug Id <SUNBUG: 6546916> Date of Resolved Release 28-SEP-2007 Impact A security vulnerability in the X2100 and X2200 M2 Embedded Lights Out Manager (ELOM) software may allow remote unprivileged users the ability to initiate unauthorized network traffic from the embedded service processor (SP). This may allow the SP to be used as a proxy to send unsolicited bulk e-mail (spam). Contributing Factors This issue can occur on the following platforms:
Notes:
To determine the firmware version of the SP, the ipmitool(1M) utility can $ ipmitool -H <hostname> -U <username> mc info or the following command can be used at the CLI (logged in to the SP): /SP -> show /SP/AgentInfo
Symptoms There are no reliable symptoms that would indicate that this issue has been exploited. Workaround To prevent this issue from occurring, administrators can restrict access to the SP by either connecting only via the serial port or else by connecting the Net Mgmt RJ-45 ethernet port to a private management network. Additional information regarding management of the Sun Fire X2100/X2200 M2 Servers, ELOM, and ipmitool(1m) can be found in the "Embedded Lights Out Manager Administration Guide". Resolution This issue is resolved in SP/BMC firmware version 3.09 from the 1.5 (for the X2100) and the 1.5a (for the X2200) Tools and Drivers CD ISO image available from the Oracle Software Downloads page at: http://www.oracle.com/technetwork/indexes/downloads/sun-az-index-095901.htmlModification History Date: 04-OCT-2007
Date: 25-OCT-2007
Date: 30-OCT-2007
Previously Published As 102942 Internal Comments Internal Contributor/submitter [email protected] Internal Eng Business Unit Group NSG (Network Systems Group Internal Eng Responsible Engineer [email protected], [email protected] Internal Services Knowledge Engineer [email protected] Internal Sun Alert Kasp Legacy ID 102942 Attachments This solution has no attachment |
||||||||||||
|