A complete revision history is at the end of this file.
The CERT Coordination Center has received reports of a denial-of-service attack using large ICMP datagrams. Exploitation details involving this vulnerability have been widely distributed.
The CERT/CC team recommends installing vendor patches as they become available.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
The TCP/IP specification (the basis for many protocols used on the Internet) allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and 0 or more octets of optional information, with the rest of the packet being data. It is known that some systems will react in an unpredictable fashion when receiving oversized IP packets. Reports indicate a range of reactions including crashing, freezing, and rebooting.
In particular, the reports received by the CERT Coordination Center indicate that Internet Control Message Protocol (ICMP) packets issued via the "ping" command have been used to trigger this behavior. ICMP is a subset of the TCP/IP suite of protocols that transmits error and control messages between systems. Two specific instances of the ICMP are the ICMP ECHO_REQUEST and ICMP ECHO_RESPONSE datagrams. These two instances can be used by a local host to determine whether a remote system is reachable via the network; this is commonly achieved using the "ping" command.
Discussion in public forums has centered around the use of the "ping" command to construct oversized ICMP datagrams (which are encapsulated within an IP packet). Many ping implementations by default send ICMP datagrams consisting only of the 8 octets of ICMP header information but allow the user to specify a larger packet size if desired.
You can read more information about this vulnerability on Mike Bremford's Web page. (Note that this is not a CERT/CC maintained page. We provide the URL here for your convenience.)
http://www.sophist.demon.co.uk/ping/index.html
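The following C example is added here and is not from the advisory or from any vendor's patch. It classifies an IPv4 header by whether its data would end beyond 65535 octets, the largest value the 16-bit IP Total Length field can hold; it assumes the oversized datagram arrives as IP fragments (a detail the advisory does not spell out), and the function names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u /* largest value the 16-bit Total Length field holds */

enum frag_verdict { FRAG_MALFORMED = -1, FRAG_OK = 0, FRAG_OVERSIZED = 1 };

/* Decide from one IPv4 header whether its data would end past the largest
 * datagram a receiver can legally reassemble. Only the header is needed,
 * so this also works on truncated captures. */
enum frag_verdict check_ipv4_fragment(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;       /* header length, octets */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];  /* Total Length field */
    if (ihl < 20 || total < ihl)
        return FRAG_MALFORMED;
    /* Fragment Offset: low 13 bits of octets 6-7, counted in 8-octet units. */
    size_t offset = ((((size_t)pkt[6] & 0x1F) << 8) | pkt[7]) * 8;
    /* offset + total = reassembled header plus the end of this fragment's data.
     * Assumption: the first fragment's header has the same length as this one. */
    if (offset + total > IP_MAX_DATAGRAM)
        return FRAG_OVERSIZED;
    return FRAG_OK;
}

/* Build a constructed 20-octet header (no options) and classify it. */
enum frag_verdict verdict_for(uint16_t total_len, uint16_t offset_units)
{
    uint8_t h[20] = {0};
    h[0] = 0x45;                        /* version 4, IHL 5 */
    h[2] = (uint8_t)(total_len >> 8);
    h[3] = (uint8_t)(total_len & 0xFF);
    h[6] = (uint8_t)((offset_units >> 8) & 0x1F);
    h[7] = (uint8_t)(offset_units & 0xFF);
    h[9] = 1;                           /* protocol 1 = ICMP */
    return check_ipv4_fragment(h, sizeof h);
}

int main(void)
{
    printf("unfragmented 1500-octet packet: %d\n", verdict_for(1500, 0));
    printf("last legal fragment:            %d\n", verdict_for(23, 8189));
    printf("fragment ending past the limit: %d\n", verdict_for(1500, 8100));
    return 0;
}
```

A receiver or filter that drops fragments classified as FRAG_OVERSIZED never attempts to reassemble a datagram larger than its buffers were sized for.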
Systems receiving oversized ICMP datagrams may crash, freeze, or reboot, resulting in denial of service.
First, since crashing a router or firewall may be part of a larger, multistage attack scenario, we encourage you to inspect the running configuration of any such systems that have crashed to ensure that the configuration information is what you expect it to be.
Then install a patch from your vendor.
Below is a list of vendors who have provided information about patches for this problem. Details are in Appendix A of this advisory; we will update the appendix as we receive more information. If your vendor's name is not on this list, please contact the vendor directly.
Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, please contact the vendor directly.
Not vulnerable.
The following is important information concerning a potential denial of service issue which affects Digital UNIX Operating System, Digital UNIX MLS+, Firewall implementations, and Digital TCP/IP Services for OpenVMS AXP & VAX
COMPONENT: System Security / Potential Denial of Service
DIGITAL UNIX Version: 3.0, 3.0b, 3.2, 3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a
DIGITAL UNIX MLS+ Version 3.1a
DIGITAL TCP/IP Services for OpenVMS AXP & VAX Versions - 4.0, 4.1
DIGITAL ULTRIX Versions 4.3, 4.3a, 4.4, 4.5
DIGITAL Firewall for UNIX
DIGITAL AltaVista Firewall for UNIX
DIGITAL VAX/ELN
ADVISORY INFORMATION:
Digital recently discovered a potential denial of service issue that may occur by remote systems exploiting a recently published problem while executing the 'ping' command. Solutions and initial communications began appearing in DSNlink/DIA FLASH/articles in late October, 1996.
SEVERITY LEVEL: High.
SOLUTION:
Digital has reacted promptly to this reported problem and a complete set of patch kits are being prepared for all currently supported platforms.
The Digital patches may be obtained from your local Digital support channel or from the URL listed above. Please refer to the applicable README notes information prior to the installation of patch kits on your system.
DIGITAL EQUIPMENT CORPORATION
Copyright (c) Digital Equipment Corporation, 1996, All Rights Reserved. Unpublished Rights Reserved Under The Copyright Laws Of The United States.
Patch Name(Platform/OS)   | Notes
--------------------------+----------------------------------
PHNE_9027 (s700 9.01)     : PHNE_7704 must first be installed
PHNE_9028 (s700 9.03/5/7) : PHNE_7252 must first be installed
PHNE_9030 (s700 10.00)    : No patch dependencies
PHNE_9032 (s700 10.01)    : PHNE_8168 must first be installed
PHNE_9034 (s700 10.10)    : PHNE_8063 must first be installed
PHNE_9036 (s700 10.20)    : No patch dependencies
--------------------------+----------------------------------
PHNE_8672 (s800 9.00)     : PHNE_7197 must first be installed
PHNE_9029 (s800 9.04)     : PHNE_7317 must first be installed
PHNE_9031 (s800 10.00)    : No patch dependencies
PHNE_9033 (s800 10.01)    : PHNE_8169 must first be installed
PHNE_9035 (s800 10.10)    : PHNE_8064 must first be installed
PHNE_9037 (s800 10.20)    : No patch dependencies
--------------------------+----------------------------------
For our MPE operating system, patches are in process. Watch for the issuance of our MPE security bulletin.
APAR - IX59644 (PTF - U444227 U444232)
To determine if you have this PTF on your system, run the following command:
lslpp -lB U444227 U444232
APAR - IX59453
To determine if you have this APAR on your system, run the following command:
instfix -ik IX59453
Or run the following command:
lslpp -h bos.net.tcp.client
Your version of bos.net.tcp.client should be 4.1.4.16 or later.
APAR - IX61858
To determine if you have this APAR on your system, run the following command:
instfix -ik IX61858
Or run the following command:
lslpp -h bos.net.tcp.client
Your version of bos.net.tcp.client should be 4.2.0.6 or later.
http://service.software.ibm.com/aixsupport/
or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".
IBM and AIX are registered trademarks of International Business Machines
ftp://ftp.cs.helsinki.fi/pub/Software/Linux
Users wishing to remain with an earlier kernel version may download a patch from http://www.uk.linux.org/big-ping-patch. This patch will work with 2.0.x kernel revisions but is untested with 1.3.x kernel revisions.
Red Hat Linux has chosen to issue a 2.0.18 based release with the fix. Red Hat users should obtain this from
ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/i386/kernel-2.0.18-6.i386.rpm
--------------------------------------------------------------------------
OS                  Version        Status
------------------  ------------   -------------------------------------
EWS-UX/V(Rel4.0)    R1.x - R6.x    not vulnerable
EWS-UX/V(Rel4.2)    R7.x - R10.x   not vulnerable
EWS-UX/V(Rel4.2MP)  R10.x          not vulnerable
UP-UX/V             R1.x - R4.x    not vulnerable
UP-UX/V(Rel4.2MP)   R5.x - R7.x    not vulnerable
UX/4800             R11.x          not vulnerable
--------------------------------------------------------------------------
ftp://ftp.sco.COM/SLS/oss449a.ltr (cover letter)
ftp://ftp.sco.COM/SLS/oss449a.Z (image)
The checksums are as follows:
sum -r
------
oss449a.ltr: 28877 42
oss449a.Z: 54558 1762

MD5
---
MD5 (oss449a.Z) = e8fc8a29dd59683ce5107f3b9b8d1169
MD5 (oss449a.ltr) = d51ee1caf33edb86f4dbeb1733c99d86
If this SLS is ever updated, it will be noted at:
Should more information become available for either SCO's OpenServer or UnixWare products, SCO will provide updated information for this advisory.
If you need further assistance, SCO's Web page is at http://www.sco.COM.
Support requests from supported customers may be addressed to support@sco.COM, or you may contact SCO as follows:
USA/Canada: 6am-5pm Pacific Standard Time (PST)
1-408-425-4726 (voice)
1-408-427-5443 (fax)
Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Standard Time (PST)
1-408-425-4726 (voice)
1-408-427-5443 (fax)
Europe, Middle East, Africa: 9am-5:00pm Greenwich Mean Time (GMT)
+44 1923 816344 (voice)
+44 1923 817781 (fax)
103630-09   5.5.1
103631-09   5.5.1_x86
103169-12   5.5
103170-12   5.5_x86
101945-51   5.4
101946-45   5.4_x86
The CERT Coordination Center staff thanks AUSCERT, the Australian Computer Emergency Response Team, and DFN-CERT, the German team, for their contributions to this advisory, and we thank Mike Bremford for permission to cite the information he has made available to the community.
Copyright 1996 Carnegie Mellon University.
Dec. 5, 1997    Appendix A - Updated information for NCR Corporation.
Sep. 24, 1997   Updated copyright statement
Aug. 7, 1997    Changed vendor information for Sun Microsystems to remove incorrect patch reference.
July 28, 1997   Added vendor information for Sun Microsystems.
Jan. 20, 1997   Appendix A - added information from Data General Corporation.
Jan. 14, 1997   Appendix A - modified SCO entry to include updated patch information.