[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 540/04 - SGI Security Bulletin - bsd.a kernel networking vulnerabilities.



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 540/04 dated 29.09.04  Time: 13:40  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

SGI Security Bulletin:

bsd.a kernel networking vulnerabilities.

Detail
====== 

It has been reported thru various channels that there are several vulnerabilities 
affecting bsd.a kernel networking.

- ----------------------------------------------------------------------------------


______________________________________________________________________________

                          SGI Security Advisory

Title:      bsd.a kernel networking vulnerabilities
Number:     20040905-01-P
Date:       September 28, 2004
Reference:  SGI BUG 910841, CVE CAN-2004-0171
Reference:  SGI BUG 913122, CVE CAN-1999-0667
Reference:  SGI BUG 913287, CVE CAN-2004-0230
Reference:  SGI BUG 913386, CVE CVE-1999-0074
Reference:  SGI BUG 916973, CVE CAN-2004-0139
Fixed in:   Patches 5728 5729 5737 & 5738
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use.   SGI recommends
that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS" basis only, 
and disclaims all warranties with respect thereto, express, implied or otherwise, 
including, without limitation, any warranty of merchantability or fitness for a 
particular purpose.  In no event shall SGI be liable for any loss of profits, loss 
of business, loss of data or for any indirect, special, exemplary, incidental or 
consequential damages of any kind arising from your use of, failure to use or improper 
use of any of the instructions or information in this Security Advisory.
_____________________________________________________________________________

- - - -----------------------
- - - --- Issue Specifics ---
- - - -----------------------

It has been reported thru various channels that there are several vulnerabilities 
affecting bsd.a kernel networking.

The bugs addressed by these patches are:

* 910841 no limit on TCP reassembly queue size
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0171

* 913122 IRIX can accept bogus ARP update
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0667

* 913287 Improve handling of RST/SYN packets
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230
  http://www.uniras.gov.uk/vuls/2004/236929/index.htm

* 913386 ephemeral port selection should be more randomized
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0074
  http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
  http://securityfocus.com/archive/82/168749/2001-03-08/2001-03-14/0

* 916973 t_unbind changes t_bind's behavior
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0139

There are several non-security fixes included in the patch.

SGI has investigated the issue and recommends the following steps for resolving this 
issue.  It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable 
SGI systems.


- - - --------------
- - - --- Impact ---
- - - --------------
To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.19f

The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name.  The extended release name is the "version" we 
refer to throughout this document.

- - - ----------------
- - - --- Solution ---
- - - ----------------

SGI has provided a series of patches for these vulnerabilities and recommends that all 
affected operating systems install the appropriate patch.

OS Version     Vulnerable?     Patch #      Other Actions
- - - ----------     -----------     -------      -------------
IRIX 3.x         unknown                        Note 1
IRIX 4.x         unknown                        Note 1
IRIX 5.x         unknown                        Note 1
IRIX 6.0.x       unknown                        Note 1
IRIX 6.1         unknown                        Note 1
IRIX 6.2         unknown                        Note 1
IRIX 6.3         unknown                        Note 1
IRIX 6.4         unknown                        Note 1
IRIX 6.5         unknown                        Note 2
IRIX 6.5.1       unknown                        Note 2
IRIX 6.5.2       unknown                        Note 2
IRIX 6.5.3       unknown                        Note 2
IRIX 6.5.4       unknown                        Note 2
IRIX 6.5.5       unknown                        Note 2
IRIX 6.5.6       unknown                        Note 2
IRIX 6.5.7       unknown                        Note 2
IRIX 6.5.8       unknown                        Note 2
IRIX 6.5.9       unknown                        Note 2
IRIX 6.5.10      unknown                        Note 2
IRIX 6.5.11      unknown                        Note 2
IRIX 6.5.12      unknown                        Note 2
IRIX 6.5.13      unknown                        Note 2
IRIX 6.5.14      unknown                        Note 2
IRIX 6.5.15      unknown                        Note 2
IRIX 6.5.16      unknown                        Note 2
IRIX 6.5.17m     unknown                        Note 2
IRIX 6.5.17f     unknown                        Note 2
IRIX 6.5.18m     unknown                        Note 2 & 3
IRIX 6.5.18f     unknown                        Note 2 & 3
IRIX 6.5.19m     unknown                        Note 2 & 3
IRIX 6.5.19f     unknown                        Note 2 & 3
IRIX 6.5.20m     unknown                        Note 2 & 3
IRIX 6.5.20f     unknown                        Note 2 & 3
IRIX 6.5.21m     unknown                        Notes 2 & 3
IRIX 6.5.21f     unknown                        Notes 2 & 3
IRIX 6.5.22      yes              5738          Notes 2 & 3
IRIX 6.5.23      yes              5737          Notes 2 & 3
IRIX 6.5.24      yes              5728          Notes 2 & 3
IRIX 6.5.25      yes              5729          Notes 2 & 3
   NOTES

     1) This version of the IRIX operating has been retired. Upgrade to
        an actively supported IRIX operating system.  See
        http://support.sgi.com for more information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact
        your SGI Support Provider or URL: http://support.sgi.com

     3) Install the required patch(es) based on your operating release.

                ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:
Filename:                 README.patch.5728
Algorithm #1 (sum -r):    35186 9 README.patch.5728
Algorithm #2 (sum):       13588 9 README.patch.5728
MD5 checksum:             283FF7F48211DE12A5F701CF63D294B0

Filename:                 patchSG0005728
Algorithm #1 (sum -r):    35786 3 patchSG0005728
Algorithm #2 (sum):       28432 3 patchSG0005728
MD5 checksum:             BD7D37EF3E7A533170D2B5C21FB9953A

Filename:                 patchSG0005728.eoe_sw
Algorithm #1 (sum -r):    13196 6051 patchSG0005728.eoe_sw
Algorithm #2 (sum):       14725 6051 patchSG0005728.eoe_sw
MD5 checksum:             565CAE6A954F429CD4C2A5532F8D466B

Filename:                 patchSG0005728.idb
Algorithm #1 (sum -r):    35935 13 patchSG0005728.idb
Algorithm #2 (sum):       6797 13 patchSG0005728.idb
MD5 checksum:             7C0105CA77139F0E614F7E5505F84495

Filename:                 README.patch.5729
Algorithm #1 (sum -r):    59517 8 README.patch.5729
Algorithm #2 (sum):       39107 8 README.patch.5729
MD5 checksum:             5B079FFE7C41D3AB8FDEDDC19DFEEADD

Filename:                 patchSG0005729
Algorithm #1 (sum -r):    22880 2 patchSG0005729
Algorithm #2 (sum):       57807 2 patchSG0005729
MD5 checksum:             E262646659E28A93193C6F4BA71CDBEE

Filename:                 patchSG0005729.eoe_sw
Algorithm #1 (sum -r):    40147 4498 patchSG0005729.eoe_sw
Algorithm #2 (sum):       56533 4498 patchSG0005729.eoe_sw
MD5 checksum:             3C4CAA38798B6ECF6A27D8F2A7B8179F

Filename:                 patchSG0005729.idb
Algorithm #1 (sum -r):    40084 11 patchSG0005729.idb
Algorithm #2 (sum):       44547 11 patchSG0005729.idb
MD5 checksum:             BA25A75A6B768611640AD4B81F0097B3

Filename:                 README.patch.5737
Algorithm #1 (sum -r):    33924 10 README.patch.5737
Algorithm #2 (sum):       35712 10 README.patch.5737
MD5 checksum:             8E7F5B9E6543C36993DA3BAE88F86161

Filename:                 patchSG0005737
Algorithm #1 (sum -r):    05158 4 patchSG0005737
Algorithm #2 (sum):       57426 4 patchSG0005737
MD5 checksum:             1452B04343D0565A3B7AE4C541E7EEE0

Filename:                 patchSG0005737.eoe_sw
Algorithm #1 (sum -r):    58680 6081 patchSG0005737.eoe_sw
Algorithm #2 (sum):       37111 6081 patchSG0005737.eoe_sw
MD5 checksum:             0ABFEC7A2ABE56C5A4620B2C274A303C

Filename:                 patchSG0005737.idb
Algorithm #1 (sum -r):    50788 13 patchSG0005737.idb
Algorithm #2 (sum):       38116 13 patchSG0005737.idb
MD5 checksum:             D42D48C2568C83171E9314CC81C998BC

Filename:                 README.patch.5738
Algorithm #1 (sum -r):    34257 9 README.patch.5738
Algorithm #2 (sum):       28325 9 README.patch.5738
MD5 checksum:             0BEF17F275BF3624EF05EF90FCD83233

Filename:                 patchSG0005738
Algorithm #1 (sum -r):    54456 4 patchSG0005738
Algorithm #2 (sum):       56616 4 patchSG0005738
MD5 checksum:             FBBE94737D658F28115B9B0265AFAF30

Filename:                 patchSG0005738.eoe_sw
Algorithm #1 (sum -r):    36099 12655 patchSG0005738.eoe_sw
Algorithm #2 (sum):       548 12655 patchSG0005738.eoe_sw
MD5 checksum:             7EE0C37FDE320B0B1602E7E792A741EF

Filename:                 patchSG0005738.idb
Algorithm #1 (sum -r):    08133 32 patchSG0005738.idb
Algorithm #2 (sum):       4380 32 patchSG0005738.idb
MD5 checksum:             6FF1955330B98978174A0132BD54B050


- - - -------------
- - - --- Links ---
- - - -------------
Patches are available via the web, anonymous FTP and from your SGI service/support provider.

SGI Security Advisories can be found at: http://www.sgi.com/support/security/ 
and ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at: http://www.sgi.com/support/security/ 
and ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers: http://support.sgi.com/ 
and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at: http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on: http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at: http://support.sgi.com/ 
or http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at: http://support.sgi.com/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: http://support.sgi.com/ 
and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at: http://support.sgi.com/

IRIX 6.5 Software Update CDs can be obtained from: http://support.sgi.com/

The primary SGI anonymous FTP site for security advisories and patches is 
patches.sgi.com (216.32.174.211). Security advisories and patches are located 
under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors patches.sgi.com security FTP repository) 
lags behind and does not do a real-time update.


- - - -----------------------------------------
- - - --- SGI Security Information/Contacts ---
- - - -----------------------------------------

If there are questions about this document, email can be sent to security-info@xxxxxxxx

                      ------oOo------

SGI provides security information and patches for use by the entire SGI community.  This information is 
freely available to any person needing the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211).  
Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL: http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to security-info@xxxxxxxx

For assistance obtaining or working with security patches, please contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and encourages interested parties to 
self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing 
to the mailing list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html)
or by sending email to SGI as outlined below.

% mail wiretap-request@xxxxxxx
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you wish the mailing list information 
sent to.  The word end must be on a separate line to indicate the end of the body of the message. The 
control-d (^d) is used to indicate to the mail program that you are finished composing the mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is located at 
http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to security-info@xxxxxxxx

For reporting *NEW* SGI security issues, email can be sent to security-alert@xxxxxxx or contact your SGI 
support provider. A  support contract is not required for submitting a security report.

______________________________________________________________________________

      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of SGI for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQVqsE4pao72zK539AQEX+AP/ZPDBDTsXcADhK7f5FjjpfN3K5fjoytk1
wInPnbAM++1LcXOmtCUFxl6MX7yfT48dnrhYnw8dw3lJoaXTXFzFGnWSRvuqI1O1
0ojMXukF+itVQ0IVhC6LLDyalBUArXGU5KImnWQ+VTyFBhhT1T0IwaoS1IRBt78T
FkyfQ/NDGHI=
=/rjS
-----END PGP SIGNATURE-----