Original issue date: December 16, 1997<BR>
Last revised: May 26, 1998<BR>
Updated vendor information for Sun Microsystems, Inc.
<P>A complete revision history is at the end of this file.
<P>The CERT Coordination Center has received reports of two attack
tools (Teardrop and Land) that are being used to exploit two
vulnerabilities in the TCP/IP protocol. Both tools enable a remote
user to cause a denial of service.
<P>The CERT/CC team recommends installing patches from your
vendor. Until you are able to do so, we urge you to use the workaround
described in Section III.B. to reduce the likelihood of a successful
attack using Land. There is no workaround for Teardrop.
<P>We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to
your site.
<P><HR>
<H2>I. Description</H2>
<P>In recent weeks there has been discussion on public mailing lists
about two denial-of-service attack tools, Teardrop and Land. These
attack tools have similar effects on some systems (namely, causing the
victim machine to crash), but the tools exploit different
vulnerabilities.
<P>The CERT Coordination Center has received several reports of sites
being attacked by either one or both of these tools. It is important
to note that it may be necessary for a system administrator to apply
separate patches, if they exist, for each attack tool.
<H3>Topic 1 - Teardrop</H3>
<P>Some implementations of the TCP/IP IP fragmentation re-assembly
code do not properly handle overlapping IP fragments. Teardrop is a
widely available attack tool that exploits this vulnerability.
<H3>Topic 2 - Land</H3>
<P>Some implementations of TCP/IP are vulnerable to packets that are
crafted in a particular way (a SYN packet in which the source address
and port are the same as the destination--i.e., spoofed). Land is a
widely available attack tool that exploits this vulnerability.
<H2>II. Impact</H2>
<H3>Topic 1 - Teardrop</H3>
<P>Any remote user can crash a vulnerable machine.
<H3>Topic 2 - Land</H3>
<P>Any remote user that can send spoofed packets to a host can crash
or "hang" that host.
<H2>III. Solution</H2>
<P>CERT/CC urges you to immediately apply vendor patches if they are
available. You may have to apply different patches for each attack
tool.
<P>You may want to use the workaround for Land, so please review both
Sections A and B below.
<OL>
<H3><LI TYPE = "A">Consult your vendor</H3>
<P>Appendix A contains information from vendors who provided input for
this advisory. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact your vendor directly.
<P>It is important to note that you may have to apply different
patches for each attack tool.
<H3><LI>Apply the following workaround (Land only)</H3>
<P>A workaround for the Land attack tool is to block IP-spoofed
packets. This workaround does not apply to the Teardrop attack tool
because the Teardrop attack does not rely on IP-spoofed packets.
<P>Attacks like those of the Land tool rely on the use of forged
packets, that is, packets where the attacker deliberately falsifies
the origin address. With the current IP protocol technology, it is
impossible to eliminate IP-spoofed packets. However, you can reduce
the likelihood of your site's networks being used to initiate forged
packets by filtering outgoing packets that have a source address
different from that of your internal network.
<P>Currently, the best method to reduce the number of IP-spoofed
packets exiting your network is to install filtering on your routers
that requires packets leaving your network to have a source address
from your internal network. This type of filter prevents a source IP
spoofing attack from your site by filtering all outgoing packets that
contain a source address from a different network.
<P>A detailed description of this type of filtering is available in
RFC 2267, "Network Ingress Filtering: Defeating Denial of Service
Attacks which employ IP Source Address Spoofing" by Paul Ferguson of
Cisco Systems, Inc. and Daniel Senie of Blazenet, Inc. We recommend it
to both Internet Service Providers and sites that manage their own
routers. The document is currently available at
<P><A HREF="ftp://ftp.isi.edu/in-notes/rfc2267.txt">
ftp://ftp.isi.edu/in-notes/rfc2267.txt</A>
<P></OL>
<HR>
<H2>Appendix A - Vendor Information</H2>
<P>Below is a list of the vendors who have provided information for
this advisory. We will update this appendix as we receive additional
information. If you do not see your vendor's name, the CERT/CC did
not hear from that vendor. Please contact the vendor directly.
<H4>Berkeley Software Design, Inc. (BSDI)</H4>
<P>No version of BSD/OS is vulnerable to Teardrop.
<P>Patched versions of 2.1 and all 3.0 and 3.1 versions are also not
vulnerable to Land.
<H4>Caldera Corporation</H4>
<P>
Topic 1 - Teardrop
<P>Unless patched, Linux 2.0.x kernels prior to 2.0.32 are vulnerable.
With the application of the kernel update described in Caldera
Security Advisory SA-1997.29 (dated 3-Dec-1997), Caldera OpenLinux is
not vulnerable. This Caldera advisory describes how to obtain and
install the update and can be found at:
<P><A HREF="http://www.caldera.com/tech-ref/security/SA-1997.29.html">http://www.caldera.com/tech-ref/security/SA-1997.29.html</A>
<P>Other Caldera Security Advisories can be found at:
<P><A HREF="http://www.caldera.com/tech-ref/security/">http://www.caldera.com/tech-ref/security/</A>
<P>Topic 2 - Land
<P>There are no known reports of any version of the Linux kernel, including
those shipping with Caldera OpenLinux, being vulnerable to this exploit.
<H4>Cisco Systems</H4>
Topic 1 - Teardrop
<P>Not vulnerable.
<P>Topic 2 - Land
<P>IOS/7000 software, Catalyst 5xxx and 29xx LAN switches, BPX and IGX WAN
switches and AXIS shelf appear to be vulnerable.
PIX firewall and Centri firewall are not vulnerable.
<P>For more information reference URL:<BR>
<A HREF="http://www.cisco.com/warp/public/770/land-pub.shtml">http://www.cisco.com/warp/public/770/land-pub.shtml</A>
<H4>Digital Equipment Corporation</H4>
This reported problem is not present for Digital's ULTRIX or
Digital UNIX Operating Systems Software.
<H4>The FreeBSD Project</H4>
Topic 1 - Teardrop
<P>CSRG 4.4 is not vulnerable.
<P>Topic 2 - Land
<P>No feedback.
<H4>Hewlett-Packard Corporation</H4>
HPSBUX9801-076 <BR>
SECURITY BULLETIN: #00076, 21 January 1998<BR>
<P>Description: Security Vulnerability with land on HP-UX
<P>The problem can be fixed by applying the appropriate cumulative ARPA
Transport patch mentioned below.
<P>
<PRE>
HP-UX release 11.00 HP9000 Series 700/800 PHNE_14017
HP-UX release 10.30 HP9000 Series 700/800 PHNE_13671
HP-UX release 10.20 HP9000 Series 800 PHNE_13468
HP-UX release 10.24 HP9000 Series 700 PHNE_13888
HP-UX release 10.24 HP9000 Series 800 PHNE_13889
HP-UX release 10.20 HP9000 Series 800 PHNE_13468
HP-UX release 10.20 HP9000 Series 700 PHNE_13469
HP-UX release 10.16 HP9000 Series 700 PHKL_14242
HP-UX release 10.16 HP9000 Series 800 PHKL_14243
HP-UX release 10.10 HP9000 Series 800 PHNE_13470
HP-UX release 10.10 HP9000 Series 700 PHNE_13471
HP-UX release 10.01 HP9000 Series 800 PHNE_13472
HP-UX release 10.01 HP9000 Series 700 PHNE_13473
HP-UX release 10.00 HP9000 Series 800 PHNE_13474
HP-UX release 10.00 HP9000 Series 700 PHNE_13475
HP-UX release 9.04 HP9000 Series 800 PHNE_13476
HP-UX release 9.0[3,5,7] HP9000 Series 700 PHNE_13477
HP-UX release 9.01 HP9000 Series 700 PHNE_13478
HP-UX release 9.00 HP9000 Series 800 PHNE_13479
</PRE>
<H4>IBM Corporation</H4>
Topic 1 - Teardrop
<P>AIX is not vulnerable.
<P>Topic 2 - Land
<P>AIX is not vulnerable.
<H4>Microsoft Corporation</H4>
Topic 1 - Teardrop
<P>Windows NT 4.0 with SP 3 and post SP 3 fixes applied and Windows 95
with the appropriate patch are not vulnerable.<BR>
Patch information is available at URL:<BR>
<A HREF="ftp://ftp.microsoft.com/bussys/winnt/kb/Q154/1/74.TXT">ftp://ftp.microsoft.com/bussys/winnt/kb/Q154/1/74.TXT</A>
<P>Topic 2 - Land
<P>Windows NT 4.0 with the appropriate patch is not vulnerable.<BR>
Patch information is available at URL:<BR>
<A HREF="ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q165005.txt">ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q165005.txt</A>
<P>Windows 95 without the WinSock 2.0 Update is not vulnerable.<BR>
Patch information is available at URL:<BR>
<A HREF="ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q177539.TXT">ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q177539.TXT</A>
<H4>NCR Corporation</H4>
Topic 1 - Teardrop
<P>NCR MP-RAS TCP/IP implementation is not vulnerable.
<P>
Topic 2 - Land
<P>Apply a patch for your MP-RAS UNIX TCP/IP depending on the revision of
the inet package installed on your system. To check its version
execute:
<P>
<PRE>
pkginfo -x inet
</PRE>
<P>For inet 5.01.xx.xx: - PINET501 (Version later than 05.01.01.08)<BR>
For inet 6.01.xx.xx. - Not vulnerable.<BR>
For inet 6.02.xx.xx. - Not vulnerable.<BR>
<P>
<H4>The NetBSD Project</H4>
<P>Topic 1 - Teardrop
<P>Versions 1.2 and above are not vulnerable.
<P>Topic 2 - Land
<P>Versions prior to 1.3_BETA will hang. 1.3_BETA and later versions are
not vulnerable.
<H4>Red Hat Software</H4>
Topic 1 - Teardrop
<P>Linux is not vulnerable.
<P>Topic 2 - Land
<P>Linux is not vulnerable.
<H4>Sun Microsystems, Inc.</H4>
Topic 1 - Teardrop
<P>All releases of Solaris are not vulnerable. All supported versions of
SunOS 4.1.x (4.1.3_U1 and 4.1.4) are not vulnerable.
<P>Topic 2 - Land
<P>
<PRE>All releases of Solaris are not vulnerable. SunOS 4.1.3_U1 and 4.1.4
are vulnerable. The following patches should be installed:
SunOS version Patch Id
------------- --------
4.1.4 102517-05
4.1.3_U1 102010-06
Sun recommended and security patches (including checksums) are available from:
http://sunsolve.sun.com/sunsolve/pubpatches/patches.html
</PRE>
<P><HR>
<P>The CERT Coordination Center thanks Paul Ferguson and Daniel Senie for
providing information on network ingress filtering.
<P><HR>
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1997, 1998 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
May 26, 1998 Updated vendor information for Sun Microsystems, Inc.
Apr. 28, 1998 Corrected URL for obtaining RFCs.
Mar. 10, 1998 Updated vendor information for Hewlett-Packard.
Jan. 29, 1998 Updated reference to the filtering document (now an RFC) in Section III.B.
Jan. 22, 1998 Updated vendor information for Hewlett-Packard.
Jan. 15, 1998 Updated vendor information for Cisco Systems (Teardrop topic).
Jan. 5, 1998 Updated vendor information for NetBSD.
Dec. 17, 1997 Added or updated vendor information for Caldera, NCR,
BSDI, and Sun.
Dec. 16, 1997 Added vendor information for Digital Equipment
Corporation and Hewlett-Packard.
</PRE>
|