 |
» |
|
|
|
|
|
|
|
|
|
<TITLE>
TITLE: SSRT4696- HP Tru64 UNIX - Potential TCP Stack Denial of Service Vulnerabilities
Copyright (c) Hewlett-Packard Company 2005. All rights reserved.
PRODUCT: HP Tru64 UNIX [R] V5.1A
SOURCE: Hewlett-Packard Company
ECO INFORMATION:
ECO Name: T64KIT0024743-V51AB24-ES-20050125
ECO Kit Approximate Size: 3.39MB
Kit Applies To: HP Tru64 UNIX V5.1A PK6 (BL24)
ECO Kit CHECKSUMS:
/usr/bin/sum results:
15776 3470
/usr/bin/cksum results:
1281713501 3553280
MD5 results:
69fea9493f6a21c9558afb7e53673fc7
SHA1 results:
81408a2c1fa32fc1196c2b2f540ee1a37c439abb
ECO KIT SUMMARY:
A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX V5.1A
that contains solutions to the following problem(s):
Two potential security vulnerabilities have been identified in the
Transmission Control Protocol (TCP) on HP Tru64 UNIX systems. The potential
vulnerabilities could be remotely exploitable, resulting in denial of
service (DoS).
SSRT4696 - TCP (Severity - High)
The Patch Kit Installation Instructions and the Patch Summary and Release
Notes documents provide patch kit installation and removal instructions
and a summary of each patch. Please read these documents prior to
installing patches on your system.
INSTALLATION NOTES:
1) Install this kit with the dupatch utility that is included in the patch
kit. You may need to baseline your system if you have manually changed
system files on your system. The dupatch utility provides the baselining
capability.
2) The patch in this ERP kit does not have any file intersections with any
other ERP available at this time for this product version.
3) This ERP kit will NOT install over any Customer Specific Patches (CSPs)
which have file intersections with this ERP kit. Contact your normal
Service Provider for assistance if the installation of this ERP kit is
blocked by any of your installed CSPs.
INSTALLATION PREREQUISITES:
You must have installed HP Tru64 UNIX V5.1A PK6 (BL24) prior to
installing this Early Release Patch Kit.
SUPERSEDE INFORMATION:
T64KIT0024743-V51AB24-ES-20050125.tar replaces
T64KIT0024527-V51AB24-ES-20041219.tar
KNOWN PROBLEMS WITH THE PATCH KIT:
None.
RELEASE NOTES FOR T64KIT0024743-V51AB24-ES-20050125:
Release Notes
This document summarizes the contents and special instructions for the
Tru64 UNIX V5.1A patches contained in this kit.
For information about installing or removing patches, baselining,
and general patch management, see the Patch Kit Installation
Instructions document.
1 Release Notes
This Early Release Patch Kit Distribution contains:
- fixes that resolve the problem(s) reported in:
o 221-2-1290 221-2-359
* for Tru64 UNIX V5.1A T64V51AB24AS0006-20031031.tar (BL24)
This kit includes a patch which requires system reboot.
The patches in this kit are being released early for general customer use.
Refer to the Release Notes for a summary of each patch and installation
prerequisites.
Patches in this kit are installed by running dupatch from the directory
in which the kit was untarred. For example, as root on the target system:
> mkdir -p /tmp/CSPkit1
> cd /tmp/CSPkit1
> <copy the kit to /tmp/CSPkit1>
> tar -xpvf DUV40D13-C0044900-1285-20000328.tar
> cd patch_kit
> ./dupatch
2 Special Instructions
SPECIAL INSTRUCTIONS for Tru64 UNIX V5.1A Patch C1604.06
The industry standard TCP specification (RFC793) has a vulnerability
whereby established TCP connections can be reset by an attacker using
the TCP RST (Reset) or SYN (Synchronize) flags.
These packets need to have source and destination IP addresses that match
the established connection as well as the same source and destination TCP ports.
The fact that TCP sessions can be reset by sending suitable RST and SYN
packets is a design feature of TCP. According to RFC 793, a RST or SYN
attack is only possible when the source IP address and TCP port can be
forged or "spoofed." In that case TCP sessions, including Telnet, SSH,
SFTP and HTTP may be disconnected without warning. TCP sessions that have
been disconnected can be re-established.
Normally, a TCP SYN packet (request for a new connection) that arrives on
a server using a matching IP address, port number, and matching sequence
number for an existing connection causes a TCP RST packet to be returned
to the client. An attacker can guess the proper sequence number, along
with the port and IP addresses, to cause an existing connection to
be terminated with a TCP RST.
When a client is rebooted without closing an old connection to the server,
a subsequent attempt to connect to the server that matches the old
connection tuple and sequence number will require a TCP RST in order
to purge the old (stale) connection.
HP has addressed these potential vulnerabilities, called TCP RST attack and
TCP SYN attack, by providing two new kernel tunable variables, tcp_rst_win
(TCP RST window) and tcp_syn_win (TCP SYN window).
The tcp_rst_win and tcp_syn_win variables mitigate the TCP reset attack by
reducing the window sizes in which a TCP RST/SYN packet will be accepted
by the HP Tru64 UNIX system.
Set the tunable values as follows:
a) tcp_rst_win
tcp_rst_win = -1 (default)
Retains existing TCP behavior with respect to reset packets.
tcp_rst_win = 2048
Provides a level of protection that significantly reduces the size
of the TCP reset window while allowing for common TCP client/server
sequence number variations. This allows a reset packet to be accepted
by the HP Tru64 UNIX system when the remote machine has
unacknowledged outstanding packets of up to a total of 2048 bytes.
tcp_rst_win = 0
Provides maximum security against the potential DoS condition. Setting
tcp_rst_win to 0 provides the highest level of protection without
migrating to an IPSec environment. This setting restricts the
acceptance of a reset packet to the current sequence number and may
result in the rejection of valid reset packets where sent data packets
have not been acknowledged.
b) tcp_syn_win
WARNING: by setting tcp_syn_win down to 2048 or less, the probability
increases that a rebooted client will not be able to re-connect to a
former server. For this reason, setting tcp_syn_win to any value other
than the default value of -1 is not recommended. The client connection
attempt could time out, but then work as expected when trying it again
at a later time.
tcp_syn_win = -1 (default)
Retains existing TCP behavior with respect to SYN packets.
tcp_syn_win = 2048
Provides a level of protection that significantly reduces the size
of the TCP syn window while allowing for common TCP client/server
sequence number variations. This will allow a SYN packet to be
accepted by the HP Tru64 UNIX system when the remote machine as
unacknowledged outstanding packets of up to a total of 2048 bytes.
tcp_syn_win = 0
This setting should not be used without evidence of an active SYN
attack. When a client attempts to establish a new connection to
the server, the IP addresses and often the port numbers are the
same, and the sequence number can sometimes fall within the existing
(stale) sequence number space of the old connection. A TCP RESET
packet is sent to purge the stale connection from the server and
allow the client to establish a new connection. The
"tcp_syn_win = 0" setting may cause a valid SYN to fail at resetting
an established connection, as evidenced by a rebooted client failing
to connect during initial attempts to re-establish previous
socket connections.
Customers who are extremely sensitive to this security issue should
implement IPSec, available in HP Tru64 UNIX 5.1A and 5.1B. Tru64 UNIX
customers running V4.0F and V4.0G can receive maximum available protection
with tcp_rst_win to 0 and tcp_syn_win to 0.
To implement the new kernel tunable variables, customers should first
install the ERP appropriate for for their verson and patch kit. Following
the ERP installation, customers can adjust the tunable variables as
described below.
The TCP RST window variable (tcp_rst_win) can be adjusted using the
"sysconfig" and "sysconfigdb" commands:
# sysconfig -q inet tcp_rst_win
inet:
tcp_rst_win = -1
# sysconfig -r inet tcp_rst_win=2048
tcp_rst_win: reconfigured
# sysconfig -q inet tcp_rst_win
inet:
tcp_rst_win = 2048
# sysconfig -q inet tcp_rst_win > /tmp/tcp_rst_win_merge
# sysconfigdb -m -f /tmp/tcp_rst_win_merge inet
# sysconfigdb -l inet
inet:
tcp_rst_win = 2048
Similarly, the TCP SYN window variable (tcp_syn_win) can be adjusted using
the "sysconfig" and "sysconfigdb" commands:
# sysconfig -q inet tcp_syn_win
inet:
tcp_syn_win = -1
# sysconfig -r inet tcp_syn_win=2048
tcp_syn_win: reconfigured
# sysconfig -q inet tcp_syn_win
inet:
tcp_syn_win = 2048
# sysconfig -q inet tcp_syn_win > /tmp/tcp_syn_win_merge
# sysconfigdb -m -f /tmp/tcp_syn_win_merge inet
# sysconfigdb -l inet
inet:
tcp_syn_win = 2048
3 Summary of CSPatches contained in this kit
Tru64 UNIX V5.1A
PatchId Summary Of Fix
----------------------------------------
C1604.06 ERP for Security Problem SSRT4696, TCP
4 Additional information from Engineering
None
5 Affected system files
This patch delivers the following files:
Tru64 UNIX V5.1A
Patch C1604.06
./sys/BINARY/inet.mod
CHECKSUM: 03562 535
SUBSET: OSFBIN520
[R] UNIX is a registered trademark in the United States and other countries
licensed exclusively through X/Open Company Limited.
Copyright Hewlett-Packard Company 2005. All Rights reserved.
This software is proprietary to and embodies the confidential technology
of Hewlett-Packard Company. Possession, use, or copying of this
software and media is authorized only pursuant to a valid written license
from Hewlett-Packard or an authorized sublicensor.
This ECO has not been through an exhaustive field test process.
Due to the experimental stage of this ECO/workaround, Hewlett-Packard
makes no representations regarding its use or performance. The
customer shall have the sole responsibility for adequate protection
and back-up data used in conjunction with this ECO/workaround.
|
Printable version
