Re: Sun M-class hardware denial of service

[Theo de Raadt <deraadt () cvs openbsd org>]

> I apologise if I'm misunderstanding you, but it seems to me that this
> issue can only be initiated by a privileged user on a domain.

If one domain can be broken into, and a Solaris kernel module is
loaded which then crashes that one domain, the entire machine
eventually has to be powered off to recover that one domain.

> The only system immediately affected is that particular domain.

That is WRONG.  The long-term uptime of all other domains on the
machine are eventually impacted because the entire physical machine
must, after a service call to Sun, eventually be powered down.

Management eventually has to decide to impact the SLA's of all domains.
That means that Sun's promise of isolation is bunk.

> The
> removal of service from the other domains is a system/service
> management decision, rather than an exploit of some kind.

That is wrong, too.  If any of the other domains were supposed to meet
five 9's SLA's, then the failure of one domain on that physical
hardware would impact the SLA's of all the other domains.

> That's why I don't view it as a DoS vulnerability.

How absolutely bizzare.  Basically you spend half a million dollars on
Sun hardware, and it isn't required to do this better than VMWare?  In
fact, it does it worse than VMWare.  I am just stunned at your
acceptance of a serious problem.

> If you exploit this on your
> own domain, which then becomes unavailable then, frankly, tough.

If you exploit this on one domain, the other domains must all
eventually be powered off.

Compare this to VMWare.  If an OS running inside VMWare was able to
cause a situation making it neccessary to reboot the host environment
and restart all VMWare instances, it would be considered a very
serious and significant security problem for VMWare.  It would be all
over the news.  (And at least with VMotion you can move the instances
to another machine; with Sun you cannot).

This issue is very significant.

> You
> wait until the frame administrators choose to power cycle the other
> domains to bring you back.

And what if your SLA's say that you are supposed to only go down for a
maximum of 3 hours a year, yet you need that dead domain back
immediately?

> You stated in your original message that this is a high-end frame, of
> the kind generally used by financial institutions etc.  I would
> imagine any system which warrants this kind of hardware would have
> some level of redundancy or DR.

Oh great!  Sun is off the hook for selling something which doesn't
work, and their customers must mitigate against it themselves.
Utterly ridiculous.