             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      Denial-of-Service Attack via ping

December 19, 1996 21:00 GMT                                        Number H-18
______________________________________________________________________________
PROBLEM:       A vulnerability exists with systems receiving oversized ICMP
               datagrams which may cause the system to crash, freeze, or
               reboot.
PLATFORM:      Systems using any of the listed vendors may be vulnerable.
                  Berkeley Software Design, Inc. (BSDI)
                  Computer Associates, Intl. (products for NCR)
                  Cray Research
                  Digital Equipment Corporation
                  Free BSD, Inc.
                  Hewlett-Packard Company
                  IBM Corporation
                  Linux Systems
                  NEC Corporation
                  Open Software Foundation (OSF)
                  The Santa Cruz Operation, Inc. (SCO)
                  Sun Microsystems, Inc.
DAMAGE:        Denial of service
SOLUTION:      Install vendor patches as they become available.
______________________________________________________________________________
VULNERABILITY  Exploit information involving this vulnerability has been
ASSESSMENT:    made publicly available.
______________________________________________________________________________

[ Start CERT Advisory ]

=============================================================================
CERT(sm) Advisory CA-96.26
Original issue date: December 18, 1996
Last revised: --

Topic: Denial-of-Service Attack via ping
------------------------------------------------------------------------------

The CERT Coordination Center has received reports of a denial-of-service
attack using large ICMP datagrams. Exploitation details involving this
vulnerability have been widely distributed.

The CERT/CC team recommends installing vendor patches as they become
available.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
------------------------------------------------------------------------------

I.   Description

     The TCP/IP specification (the basis for many protocols used on the
     Internet) allows for a maximum packet size of up to 65536 octets
     (1 octet = 8 bits of data), containing a minimum of 20 octets of IP
     header information and 0 or more octets of optional information, with
     the rest of the packet being data. It is known that some systems will
     react in an unpredictable fashion when receiving oversized IP packets.
     Reports indicate a range of reactions including crashing, freezing,
     and rebooting.

     In particular, the reports received by the CERT Coordination Center
     indicate that Internet Control Message Protocol (ICMP) packets issued
     via the "ping" command have been used to trigger this behavior. ICMP
     is a subset of the TCP/IP suite of protocols that transmits error and
     control messages between systems. Two specific instances of the ICMP
     are the ICMP ECHO_REQUEST and ICMP ECHO_RESPONSE datagrams. These two
     instances can be used by a local host to determine whether a remote
     system is reachable via the network; this is commonly achieved using
     the "ping" command.

     Discussion in public forums has centered around the use of the "ping"
     command to construct oversized ICMP datagrams (which are encapsulated
     within an IP packet). Many ping implementations by default send ICMP
     datagrams consisting only of the 8 octets of ICMP header information
     but allow the user to specify a larger packet size if desired.

     You can read more information about this vulnerability on Mike
     Bremford's Web page. (Note that this is not a CERT/CC maintained page.
     We provide the URL here for your convenience.)

          http://www.sophist.demon.co.uk/ping/index.html

II.  Impact

     Systems receiving oversized ICMP datagrams may crash, freeze, or
     reboot, resulting in denial of service.

III. Solution

     First, since crashing a router or firewall may be part of a larger,
     multistage attack scenario, we encourage you to inspect the running
     configuration of any such systems that have crashed to ensure that the
     configuration information is what you expect it to be.

     Then install a patch from your vendor.

     Below is a list of vendors who have provided information about patches
     for this problem. Details are in Appendix A of this advisory; we will
     update the appendix as we receive more information. If your vendor's
     name is not on this list, please contact the vendor directly.

          Berkeley Software Design, Inc. (BSDI)
          Computer Associates, Intl. (products for NCR)
          Cray Research
          Digital Equipment Corporation
          Free BSD, Inc.
          Hewlett-Packard Company
          IBM Corporation
          Linux Systems
          NEC Corporation
          Open Software Foundation (OSF)
          The Santa Cruz Operation, Inc. (SCO)
          Sun Microsystems, Inc.

_______________________________________________________________________________

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
=====================================
  BSD/OS 2.1 is not vulnerable to this problem. It correctly handles large
  packets without any problems.

Computer Associates, Intl.
==========================
(products for NCR)

  Not vulnerable.

Cray Research
=============
  Attempts to send oversized ICMP datagrams are rejected with appropriate
  error messages. We believe that oversized ICMP datagrams sent to Unicos
  systems will also be rejected without crashing.

Digital Equipment Corporation
=============================
  MSG ID: SSRT0429 From DSNlink/DIA Database

  The following is important information concerning a potential denial of
  service issue which affects Digital UNIX Operating System, Digital UNIX
  MLS+, Firewall implementations, and Digital TCP/IP Services for OpenVMS
  AXP & VAX

  COMPONENT: System Security / Potential Denial of Service

       DIGITAL UNIX Version: 3.0, 3.0b, 3.2, 3.2c, 3.2de1, 3.2de2,
                             3.2f, 3.2g, 4.0, 4.0a
       DIGITAL UNIX MLS+ Version 3.1a
       DIGITAL TCP/IP Services for OpenVMS AXP & VAX Versions - 4.0, 4.1
       DIGITAL ULTRIX Versions 4.3, 4.3a, 4.4, 4.5
       DIGITAL Firewall for UNIX
       DIGITAL AltaVista Firewall for UNIX
       DIGITAL VAX/ELN

  For more information check the DSNlink/DIA Articles (keyword PING), or
  the URL http://www.service.digital.com/html/whats-new.html for the latest
  information.

  ADVISORY INFORMATION:

       Digital recently discovered a potential denial of service issue that
       may occur by remote systems exploiting a recently published problem
       while executing the 'ping' command. Solutions and initial
       communications began appearing in DSNlink/DIA FLASH/articles in late
       October, 1996.

  SEVERITY LEVEL: High.

  SOLUTION:

       Digital has reacted promptly to this reported problem and a complete
       set of patch kits are being prepared for all currently supported
       platforms.

       The Digital patches may be obtained from your local Digital support
       channel or from the URL listed above. Please refer to the applicable
       README notes information prior to the installation of patch kits on
       your system.

  DIGITAL EQUIPMENT CORPORATION
  Copyright (c) Digital Equipment Corporation, 1996, All Rights Reserved.
  Unpublished Rights Reserved Under The Copyright Laws Of The United States.

Free BSD, Inc.
==============
  We have fixed the problem in 2.1.6 and -current.

Hewlett-Packard Company
=======================
  For HP9000 Series 700 and 800 systems, apply the appropriate patch. See
  Hewlett-Packard Security Bulletin #000040 (HPSBUX9610-040) for further
  details.
  The bulletin is available from the HP SupportLine and
  ftp://info.cert.org/pub/vendors/hp/

    Patch Name(Platform/OS)   | Notes
    --------------------------+----------------------------------
    PHNE_9027 (s700 9.01)     : PHNE_7704 must first be installed
    PHNE_9028 (s700 9.03/5/7) : PHNE_7252 must first be installed
    PHNE_9030 (s700 10.00)    : No patch dependencies
    PHNE_9032 (s700 10.01)    : PHNE_8168 must first be installed
    PHNE_9034 (s700 10.10)    : PHNE_8063 must first be installed
    PHNE_9036 (s700 10.20)    : No patch dependencies
    --------------------------+----------------------------------
    PHNE_8672 (s800 9.00)     : PHNE_7197 must first be installed
    PHNE_9029 (s800 9.04)     : PHNE_7317 must first be installed
    PHNE_9031 (s800 10.00)    : No patch dependencies
    PHNE_9033 (s800 10.01)    : PHNE_8169 must first be installed
    PHNE_9035 (s800 10.10)    : PHNE_8064 must first be installed
    PHNE_9037 (s800 10.20)    : No patch dependencies
    --------------------------+----------------------------------

  For our MPE operating system, patches are in process. Watch for the
  issuance of our MPE security bulletin.

IBM Corporation
===============
  See the appropriate release below to determine your action.

  AIX 3.2
  -------
    Apply the following fix to your system:

       APAR - IX59644 (PTF - U444227 U444232)

    To determine if you have this PTF on your system, run the following
    command:

       lslpp -lB U444227 U444232

  AIX 4.1
  -------
    Apply the following fix to your system:

       APAR - IX59453

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX59453

    Or run the following command:

       lslpp -h bos.net.tcp.client

    Your version of bos.net.tcp.client should be 4.1.4.16 or later.

  AIX 4.2
  -------
    Apply the following fix to your system:

       APAR - IX61858

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX61858

    Or run the following command:

       lslpp -h bos.net.tcp.client

    Your version of bos.net.tcp.client should be 4.2.0.6 or later.

  IBM SNG Firewall
  ----------------
    NOTE: The fixes in this section should ONLY be applied to systems
    running the IBM Internet Connection Secured Network Gateway (SNG)
    firewall software. They should be applied IN ADDITION TO the IBM AIX
    fixes listed in the previous section.

    IBM SNG V2.1
    ------------
       APAR - IR33376 PTF UR46673

    IBM SNG V2.2
    ------------
       APAR - IR33484 PTF UR46641

  To Order
  --------
    APARs may be ordered using Electronic Fix Distribution (via FixDist)
    or from the IBM Support Center. For more information on FixDist,
    reference URL:

       http://service.software.ibm.com/aixsupport/

    or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

  IBM and AIX are registered trademarks of International Business Machines
  Corporation.

Linux Systems
=============
  We recommend that you upgrade your Linux 1.3.x and 2.0.x kernels to
  Linux 2.0.27. This is available from all the main archive sites such as

       ftp://ftp.cs.helsinki.fi/pub/Software/Linux

  Users wishing to remain with an earlier kernel version may download a
  patch from http://www.uk.linux.org/big-ping-patch. This patch will work
  with 2.0.x kernel revisions but is untested with 1.3.x kernel revisions.

  Red Hat Linux has chosen to issue a 2.0.18 based release with the fix.
  Red Hat users should obtain this from

       ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/i386/kernel-2.0.18-6.i386.rpm

NEC Corporation
===============
  ---------------------------------------------------------------------------
  OS                    Version        Status
  -------------------   ------------   -------------------------------------
  EWS-UX/V(Rel4.0)      R1.x - R6.x    not vulnerable
  EWS-UX/V(Rel4.2)      R7.x - R10.x   not vulnerable
  EWS-UX/V(Rel4.2MP)    R10.x          not vulnerable
  UP-UX/V               R1.x - R4.x    not vulnerable
  UP-UX/V(Rel4.2MP)     R5.x - R7.x    not vulnerable
  UX/4800               R11.x          not vulnerable
  ---------------------------------------------------------------------------

NCR
====
  see Computer Associates, Intl.

Open Software Foundation (OSF)
==============================
  OSF's OSF/1 R1.3.3 maintenance release includes a solution for this
  problem.

The Santa Cruz Operation, Inc. (SCO)
===================================
  The following SCO products are known to be vulnerable:

       SCO OpenServer 5.0.0, 5.0.2
       SCO Internet FastStart 1.0.0, 1.1.0
       SCO Open Desktop 3.0
       SCO TCP/IP 1.2.1 on SCO Unix System V/386 Release 3.2 Version 4.2

  The symptoms encountered vary greatly and seem to be related to the type
  of network interface device being used.

  Support Level Supplement (SLS) OSS449 is being developed for use with the
  following releases:

       SCO OpenServer 5.0.0, 5.0.2
       SCO Internet FastStart 1.0.0, 1.1.0.

  This SLS will be available in the near future. Watch the following URL
  for availability information of SLS OSS449:

       ftp://ftp.sco.COM/SLS/README

  Should more information become available for either SCO's OpenServer or
  UnixWare products, SCO will provide updated information for this advisory.

Sun Microsystems, Inc.
======================
  We are looking into this problem.

_______________________________________________________________________________

[ End CERT Advisory ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call
the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://ciac.llnl.gov/
    Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
    Modem access:    +1 (510) 423-4753 (28.8K baud)
                     +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending

E-mail to ciac-listproc@llnl.gov:

        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product
endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-09: HP 9000 Access Vulnerability
H-10: HP-UX Security Vulnerabilities (passwd, fpkg2swpkg, newgrp)
H-11: sendmail Group Permissions Vulnerability
H-12: IBM AIX(r) 'SYN Flood' and 'Ping o' Death' Vulnerabilities
H-13: IBM AIX(r) Security Vulnerabilities (gethostbyname, lquerypv)
H-14: SGI IRIX Vulnerabilities (systour, OutOfBox, cdplayer, datman)
H-15: Korn Shell (ksh) suid_exec Vulnerability
H-16: HP-UX Security Vulnerabilities (chfn, Remote Watch)
H-06a: Sun libc/libnsl vulnerabilities (Sun Bulletin #00137a)
H-17: cron/crontab Buffer Overrun Vulnerabilities

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update
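
A receive-side check for the oversized-datagram condition described in section I of the CERT advisory above, added here as an example; it is not code from CERT, CIAC or any vendor patch. It assumes the oversized datagram arrives as IPv4 fragments (the advisory does not describe the delivery mechanism) and takes its limit from the 16-bit Total Length field; the names check_ipv4_fragment and make_sample are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest value the 16-bit IPv4 Total Length field can carry. */
#define IP_MAX_DATAGRAM 65535u

enum verdict { PKT_MALFORMED = -1, PKT_OK = 0, PKT_OVERSIZED = 1 };

/* Check one raw IPv4 packet or fragment (header first, network byte order).
 * PKT_OVERSIZED means its data would end past the largest legal datagram
 * once reassembled, so it should be dropped before it reaches a buffer. */
enum verdict check_ipv4_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;
    size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4;         /* header octets */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];      /* Total Length */
    if (ihl < 20 || total < ihl || total > len)
        return PKT_MALFORMED;
    /* Low 13 bits of octets 6-7 give the offset in 8-octet units. */
    size_t offset = ((((size_t)pkt[6] << 8) | pkt[7]) & 0x1fffu) * 8;
    return (offset + total > IP_MAX_DATAGRAM) ? PKT_OVERSIZED : PKT_OK;
}

/* Build a constructed sample: 20-octet header plus zeroed payload, ICMP.
 * buf must hold 20 + payload octets; returns the packet length. */
size_t make_sample(uint8_t *buf, unsigned offset_units, unsigned payload)
{
    size_t total = 20 + (size_t)payload;
    memset(buf, 0, total);
    buf[0] = 0x45;                       /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[6] = (uint8_t)((offset_units >> 8) & 0x1f);
    buf[7] = (uint8_t)(offset_units & 0xff);
    buf[8] = 64;                         /* TTL */
    buf[9] = 1;                          /* protocol 1 = ICMP */
    return total;
}

int main(void)
{
    uint8_t buf[128];
    /* Constructed samples: {offset in 8-octet units, payload octets}. */
    unsigned cases[3][2] = { {0, 64}, {8189, 3}, {8189, 4} };
    for (int i = 0; i < 3; i++) {
        size_t n = make_sample(buf, cases[i][0], cases[i][1]);
        printf("offset=%u payload=%u verdict=%d\n", cases[i][0] * 8,
               cases[i][1], check_ipv4_fragment(buf, n));
    }
    return 0;
}
```

The third sample ends one octet past the limit and is the only one flagged; the same comparison belongs in front of any reassembly buffer sized for the maximum datagram.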