 |
» |
|
|
|
|
|
|
|
|
|
<TITLE>
TITLE: SSRT4743, SSRT4884: HP Tru64 UNIX Potential TCP/IP Remote Denial of Service (DoS)
Copyright (c) Hewlett-Packard Company 2005. All rights reserved.
PRODUCT: HP Tru64 UNIX [R] V5.1A
SOURCE: Hewlett-Packard Company
ECO INFORMATION:
ECO Name: T64KIT0026446-V51AB24-ES-20050914
ECO Kit Approximate Size: 3.73MB
Kit Applies To: HP Tru64 UNIX V5.1A PK6 (BL24)
ECO Kit CHECKSUMS:
/usr/bin/sum results:
06914 3820
/usr/bin/cksum results:
1961986036 3911680
MD5 results:
75c1039c63444e530772cc2b7e25cf0a
SHA1 results:
dc348954d21626926cdaf79e710481dc5c8b5e90
ECO KIT SUMMARY:
A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX V5.1A
that contains solutions to the following problem(s):
Several potential security vulnerabilities have been identified in HP Tru64
UNIX TCP/IP, including ICMP. These exploits could result in a remote Denial
of Service (DoS) from predictable Initial Sequence Numbers (ISNs), network
throughput reduction for TCP connections, or the reset of TCP connections.
HP has corrected the following potential security vulnerabilites:
SSRT4743, SSRT4884 - TCP/IP ICMP (Severity - High)
The Patch Kit Installation Instructions and the Patch Summary and Release
Notes documents provide patch kit installation and removal instructions
and a summary of each patch. Please read these documents prior to
installing patches on your system.
INSTALLATION NOTES:
1) Install this kit with the dupatch utility that is included in the patch
kit. You may need to baseline your system if you have manually changed
system files on your system. The dupatch utility provides the baselining
capability.
2) The patch in this ERP kit does not have any file intersections with any
other ERP available at this time for this product version.
3) This ERP kit will NOT install over any Customer Specific Patches (CSPs)
which have file intersections with this ERP kit. Contact your normal
Service Provider for assistance if the installation of this ERP kit is
blocked by any of your installed CSPs.
INSTALLATION PREREQUISITES:
You must have installed HP Tru64 UNIX V5.1A PK6 (BL24) prior to
installing this Early Release Patch Kit.
SUPERSEDE INFORMATION:
T64KIT0026446-V51AB24-ES-20050914
supersedes
T64KIT0025922-V51AB24-ES-20050628
KNOWN PROBLEMS WITH THE PATCH KIT:
None.
RELEASE NOTES FOR T64KIT0026446-V51AB24-ES-20050914:
Release Notes
This document summarizes the contents and special instructions for the
Tru64 UNIX V5.1A patches contained in this kit.
For information about installing or removing patches, baselining,
and general patch management, see the Patch Kit Installation
Instructions document.
1 Release Notes
This Early Release Patch Kit Distribution contains:
- fixes that resolve the problem(s) reported in:
o 18923 221-2-1292
* for Tru64 UNIX V5.1A T64V51AB24AS0006-20031031.tar (BL24)
The patches in this kit are being released early for general customer use.
Refer to the Release Notes for a summary of each patch and installation
prerequisites.
Patches in this kit are installed by running dupatch from the directory
in which the kit was untarred. For example, as root on the target system:
> mkdir -p /tmp/CSPkit1
> cd /tmp/CSPkit1
> <copy the kit to /tmp/CSPkit1>
> tar -xpvf DUV40D13-C0044900-1285-20000328.tar
> cd patch_kit
> ./dupatch
2 Special Instructions
SPECIAL INSTRUCTIONS for Tru64 UNIX V5.1A Patch C1663.01
The Internet Control Message Protocol (ICMP) (RFC 792) is used in the Internet
Architecture to perform fault-isolation and recovery (RFC 816), which is the
group of actions that hosts and routers take to determine if a network failure
has occurred.
The industry standard TCP specification (RFC 793) has a vulnerability whereby
ICMP packets can be used to perform a variety of attacks such as blind
connection reset attacks and blind throughput-reduction attacks. Blind
connection reset attacks can be triggered by an attacker sending forged ICMP
"Destination Unreachable, host unreachable" packets or ICMP "Destination
Unreachable, port unreachable" packets. Blind throughput-reduction attacks can
be caused by an attacker sending a forged ICMP type 4 (Source Quench) packet.
Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering
the MTU (maximum transmission unit) of an arbitrary internet path. This
protocol uses ICMP packets from the router to discover the MTU for a TCP
connection path. An attacker can reduce the throughput of a TCP connection by
sending forged ICMP packets (or their IPv6
counterpart) to the discovering host, causing an incorrect Path MTU setting.
HP has addressed these potential vulnerabilities by providing a new kernel
tunable in Tru64 UNIX V5.1B and 5.1A, icmp_tcpseqcheck. In Tru64 4.0F and 4.0G,
HP has introduced two new kernel tunables, icmp_tcpseqcheck and
icmp_rejectcodemask. The icmp_rejectcodemask tunable is already available in
Tru64 UNIX V5.1B and 5.1A.
icmp_tcpseqcheck
The icmp_tcpseqcheck variable mitigates ICMP attacks against TCP by checking
that the TCP sequence number contained in the payload of the ICMP error message
is within the range of the data already sent but not yet acknowledged. An ICMP
error message that does not pass this check is discarded. This behavior
protects TCP against spoofed ICMP packets.
Set the tunable as follows:
icmp_tcpseqcheck=1 (default)
Provides a level of protection that reduces the possibility of
considering a spoofed ICMP packet as valid to 1/2''32
icmp_tcpseqcheck=0
Retains existing behavior, i.e., accepts all ICMP packets
icmp_rejectcodemask
In the Requirements for IP Version 4 Routers (RFC 1812), research suggests that
the use of ICMP Source Quench packets is an ineffective (and unfair) antidote
for congestion. Thus, HP recommends completely iqnoring ICMP Source Quench
packets using the icmp_rejectcodemask tunable. The icmp_rejectcodemask is a
bitmask that designates the ICMP codes that the system should reject. For
example, to reject ICMP Source Quench packets, set the mask bit position for
the ICMP_SOURCEQUENCH code 4, which is 2'4=16 which is 0x10. The
icmp_rejectcodemask tunable can be used to reject any ICMP packet type, or
multiple masks can be combined to reject more than one type.
The ICMP type codes are in /usr/include/netinet/ip_icmp.h.
Set the tunable as follows:
icmp_rejectcodemask = 0x10
Rejects ICMP Source Quench packets
icmp_rejectcodemask = 0 (default)
Retains existing behavior, i.e., accepts all ICMP packets
Adjusting the variables
The ICMP sequence check variable (icmp_tcpseqcheck) can be adjusted using the
sysconfig and sysconfigdb commands:
# sysconfig -q inet icmp_tcpseqcheck
inet:
icmp_tcpseqcheck = 1
# sysconfig -r inet icmp_tcpseqcheck=0
icmp_tcpseqcheck: reconfigured
# sysconfig -q inet icmp_tcpseqcheck
inet:
icmp_tcpseqcheck = 0
# sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge
# sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet
# sysconfigdb -l inet
inet:
icmp_tcpseqcheck = 1
Similarly, the icmp_rejectcodemask variable can be adjusted using the
sysconfig and sysconfigdb commands:
# sysconfig -q inet icmp_rejectcodemask
inet:
icmp_rejectcodemask = 0
# sysconfig -r inet icmp_rejectcodemask=0x10
icmp_rejectcodemask: reconfigured
# sysconfig -q inet icmp_rejectcodemask
inet:
icmp_rejectcodemask = 16
# sysconfig -q inet icmp_rejectcodemask > /tmp/icmp_rejectcodemask_merge
# sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet
# sysconfigdb -l inet
inet:
icmp_rejectcodemask = 16
3 Summary of CSPatches contained in this kit
Tru64 UNIX V5.1A
PatchId Summary Of Fix
----------------------------------------
C1663.01 Fix for SSRT 4743, SSRT 4884
4 Additional information from Engineering
None
5 Affected system files
This patch delivers the following files:
Tru64 UNIX V5.1A
Patch C1663.01
./sys/BINARY/inet.mod
CHECKSUM: 12211 537
SUBSET: OSFBIN520
./sys/BINARY/ipv6.mod
CHECKSUM: 64004 114
SUBSET: OSFBIN520
./sys/BINARY/net.mod
CHECKSUM: 26222 302
SUBSET: OSFBIN520
[R] UNIX is a registered trademark in the United States and other countries
licensed exclusively through X/Open Company Limited.
Copyright Hewlett-Packard Company 2005. All Rights reserved.
This software is proprietary to and embodies the confidential technology
of Hewlett-Packard Company. Possession, use, or copying of this
software and media is authorized only pursuant to a valid written license
from Hewlett-Packard or an authorized sublicensor.
This ECO has not been through an exhaustive field test process.
Due to the experimental stage of this ECO/workaround, Hewlett-Packard
makes no representations regarding its use or performance. The
customer shall have the sole responsibility for adequate protection
and back-up data used in conjunction with this ECO/workaround.
|
Printable version
