 |
» |
|
|
|
|
|
|
|
|
|
<TITLE>
TITLE: SSRT4743, SSRT4884: HP Tru64 UNIX Potential TCP/IP Remote Denial of Service (DoS)
Copyright (c) Hewlett-Packard Company 2005. All rights reserved.
PRODUCT: HP Tru64 UNIX [R] V4.0G
SOURCE: Hewlett-Packard Company
ECO INFORMATION:
ECO Name: T64KIT0025920-V40GB22-ES-20050628
ECO Kit Approximate Size: 2.78MB
Kit Applies To: HP Tru64 UNIX V4.0G PK4 (BL22)
ECO Kit CHECKSUMS:
/usr/bin/sum results:
30752 2850
/usr/bin/cksum results:
1731004030 2918400
MD5 results:
13849fd555239d75d300d1cb46dc995f
SHA1 results:
ceff70c7a8a1439b53abfd834e658c30fc42a650
ECO KIT SUMMARY:
A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX V4.0G
that contains solutions to the following problem(s):
Several potential security vulnerabilities have been identified in HP Tru64
UNIX TCP/IP, including ICMP. These exploits could result in a remote Denial
of Service (DoS) from predictable Initial Sequence Numbers (ISNs), network
throughput reduction for TCP connections, or the reset of TCP connections.
HP has corrected the following potential security vulnerabilites:
SSRT4743, SSRT4884 - TCP/IP ICMP (Severity - High)
The Patch Kit Installation Instructions and the Patch Summary and Release
Notes documents provide patch kit installation and removal instructions
and a summary of each patch. Please read these documents prior to
installing patches on your system.
INSTALLATION NOTES:
1) Install this kit with the dupatch utility that is included in the patch
kit. You may need to baseline your system if you have manually changed
system files on your system. The dupatch utility provides the baselining
capability.
2) The patch in this ERP kit does not have any file intersections with any
other ERP available at this time for this product version.
3) This ERP kit will NOT install over any Customer Specific Patches (CSPs)
which have file intersections with this ERP kit. Contact your normal
Service Provider for assistance if the installation of this ERP kit is
blocked by any of your installed CSPs.
INSTALLATION PREREQUISITES:
You must have installed HP Tru64 UNIX V4.0G PK4 (BL22) prior to
installing this Early Release Patch Kit.
SUPERSEDE INFORMATION:
T64KIT0025920-V40GB22-ES-20050628.tar
supersedes
T64KIT0024774-V40GB22-ES-20050129.tar
KNOWN PROBLEMS WITH THE PATCH KIT:
None.
RELEASE NOTES FOR T64KIT0025920-V40GB22-ES-20050628:
Release Notes
This document summarizes the contents and special instructions for the
Tru64 UNIX V4.0G patches contained in this kit.
For information about installing or removing patches, baselining,
and general patch management, see the Patch Kit Installation
Instructions document.
1 Release Notes
This Early Release Patch Kit Distribution contains:
- fixes that resolve the problem(s) reported in:
o 221-2-1292
* for Tru64 UNIX V4.0G T64V40GB22AS0004-20030731.tar (BL22)
This kit includes a patch which requires system reboot.
The patches in this kit are being released early for general customer use.
Refer to the Release Notes for a summary of each patch and installation
prerequisites.
Patches in this kit are installed by running dupatch from the directory
in which the kit was untarred. For example, as root on the target system:
> mkdir -p /tmp/CSPkit1
> cd /tmp/CSPkit1
> <copy the kit to /tmp/CSPkit1>
> tar -xpvf DUV40D13-C0044900-1285-20000328.tar
> cd patch_kit
> ./dupatch
2 Special Instructions
SPECIAL INSTRUCTIONS for Tru64 UNIX V4.0G Patch C375.00
The Internet Control Message Protocol (ICMP) (RFC 792) is used in the Internet
Architecture to perform fault-isolation and recovery (RFC 816), which is the group
of actions that hosts and routers take to determine if a network failure has occurred.
The industry standard TCP specification (RFC 793) has a vulnerability whereby ICMP
packets can be used to perform a variety of attacks such as blind connection reset
attacks and blind throughput-reduction attacks. Blind connection reset attacks can be
triggered by an attacker sending forged ICMP "Destination Unreachable, host unreachable"
packets or ICMP "Destination Unreachable, port unreachable" packets. Blind
throughput-reduction attacks can be caused by an attacker sending a forged ICMP
type 4 (Source Quench) packet.
Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering the MTU
(maximum transmission unit) of an arbitrary internet path. This protocol uses ICMP
packets from the router to discover the MTU for a TCP connection path. An attacker
can reduce the throughput of a TCP connection by sending forged ICMP packets (or their IPv6
counterpart) to the discovering host, causing an incorrect Path MTU setting.
HP has addressed these potential vulnerabilities by providing a new kernel tunable in
Tru64 UNIX V5.1B and 5.1A, icmp_tcpseqcheck. In Tru64 4.0F and 4.0G, HP has introduced two
new kernel tunables, icmp_tcpseqcheck and icmp_rejectcodemask. The icmp_rejectcodemask
tunable is already available in Tru64 UNIX V5.1B and 5.1A.
icmp_tcpseqcheck
The icmp_tcpseqcheck variable mitigates ICMP attacks against TCP by checking that the
TCP sequence number contained in the payload of the ICMP error message is within the range
of the data already sent but not yet acknowledged. An ICMP error message that does not
pass this check is discarded. This behavior protects TCP against spoofed ICMP packets.
Set the tunable as follows:
icmp_tcpseqcheck=1 (default)
Provides a level of protection that reduces the possibility of considering a spoofed ICMP packet as valid to 1/2''32
icmp_tcpseqcheck=0
Retains existing behavior, i.e., accepts all ICMP packets
icmp_rejectcodemask
In the Requirements for IP Version 4 Routers (RFC 1812), research suggests that the use of
ICMP Source Quench packets is an ineffective (and unfair) antidote for congestion. Thus,
HP recommends completely iqnoring ICMP Source Quench packets using the icmp_rejectcodemask
tunable. The icmp_rejectcodemask is a bitmask that designates the ICMP codes that the
system should reject. For example, to reject ICMP Source Quench packets, set the mask bit
position for the ICMP_SOURCEQUENCH code 4, which is 2'4=16 which is 0x10. The
icmp_rejectcodemask tunable can be used to reject any ICMP packet type, or multiple masks
can be combined to reject more than one type.
The ICMP type codes are in /usr/include/netinet/ip_icmp.h.
Set the tunable as follows:
icmp_rejectcodemask = 0x10
Rejects ICMP Source Quench packets
icmp_rejectcodemask = 0 (default)
Retains existing behavior, i.e., accepts all ICMP packets
Adjusting the variables
The ICMP sequence check variable (icmp_tcpseqcheck) can be adjusted using the sysconfig
and sysconfigdb commands:
# sysconfig -q inet icmp_tcpseqcheck
inet:
icmp_tcpseqcheck = 1
# sysconfig -r inet icmp_tcpseqcheck=0
icmp_tcpseqcheck: reconfigured
# sysconfig -q inet icmp_tcpseqcheck
inet:
icmp_tcpseqcheck = 0
# sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge
# sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet
# sysconfigdb -l inet
inet:
icmp_tcpseqcheck = 1
Similarly, the icmp_rejectcodemask variable can be adjusted using the sysconfig and sysconfigdb commands:
# sysconfig -q inet icmp_rejectcodemask
inet:
icmp_rejectcodemask = 0
# sysconfig -r inet icmp_rejectcodemask=0x10
icmp_rejectcodemask: reconfigured
# sysconfig -q inet icmp_rejectcodemask
inet:
icmp_rejectcodemask = 16
# sysconfig -q inet icmp_rejectcodemask > /tmp/icmp_rejectcodemask_merge
# sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet
# sysconfigdb -l inet
inet:
icmp_rejectcodemask = 16
3 Summary of CSPatches contained in this kit
Tru64 UNIX V4.0G
PatchId Summary Of Fix
----------------------------------------
C375.00 Fix for SSRT4743,SSRT 4884
4 Additional information from Engineering
None
5 Affected system files
This patch delivers the following files:
Tru64 UNIX V4.0G
Patch C375.00
./sys/BINARY/inet.mod
CHECKSUM: 17120 300
SUBSET: OSFBIN445
[R] UNIX is a registered trademark in the United States and other countries
licensed exclusively through X/Open Company Limited.
Copyright Hewlett-Packard Company 2005. All Rights reserved.
This software is proprietary to and embodies the confidential technology
of Hewlett-Packard Company. Possession, use, or copying of this
software and media is authorized only pursuant to a valid written license
from Hewlett-Packard or an authorized sublicensor.
This ECO has not been through an exhaustive field test process.
Due to the experimental stage of this ECO/workaround, Hewlett-Packard
makes no representations regarding its use or performance. The
customer shall have the sole responsibility for adequate protection
and back-up data used in conjunction with this ECO/workaround.
|
Printable version
