[SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS

From: Richard Reiner (rreinerat_private)
Date: Wed Dec 23 1998 - 06:31:23 PST


    SecureXpert Labs Advisory SX-98.12.23-01
    
    Widespread DoS vulnerability can crash systems or disable critical services
    
    Reported by: SecureXpert Labs
    (with additional information from the Bugtraq & FreeBSD Security mailing
    lists)
    
    
    WARNING: this item is based on early analysis and additional field
    reports.  The subject matter is still the subject of active research by
    SecureXpert Labs and others.  Due to the broad scope of the vulnerability
    described and its active exploitation on the Internet, this early
    information release is being made.
    
    
    Summary
    
    A popular security tool called "nmap" can generate unusual network traffic,
    which can be exploited to generate a wide variety of failures and crashes
    on numerous operating systems.
    
    Note: this family of vulnerabilities is NOT the same as that described in
    CERT Advisory CA-98.13 - TCP/IP Denial of Service.  CERT CA-98.13 refers to
    a fragmentation-related bug in some IP stacks.  The DoS vulnerabilities
    described herein are not fragmentation related.
    
    
    Description
    
    The port scanner tool nmap has "stealth scanning" capabilities, designed to
    avoid notice by Intrusion Detection systems.  When these are used, nmap
    generates several types of unusual IP packets (e.g. unexpected FIN packets,
    "Christmas Tree" packets, etc.), and unusual sequences of packets (e.g. TCP
    connection setup with a SYN packet immediately followed by RST).  Nmap is
    widely available (http://www.insecure.org/nmap).  Built-in functionality in
    nmap allows it to be used to target large numbers of systems
    simultaneously.
    
    SecureXpert Labs has determined that nmap's "half-open" scanning mode
    ('nmap -sS') disables inetd on a number of operating systems, including
    certain Solaris versions (including 2.6) and some versions of Linux.  Work
    at SecureXpert Labs has also demonstrated that this scanning mode causes
    Microsoft Windows 98 to display a critical error ("Blue Screen"), after
    which the Windows 98 workstation loses all network connectivity.
    
    Independent reports also indicate that nmap scanning can cause similar
    failure of inetd on several additional operating systems, including HP-UX,
    AIX, SCO, and FreeBSD.  Further reports indicate that the RPC portmapper
    may be affected on some systems.  Additional reports also indicate that a
    different nmap scanning mode (UDP scanning with 'nmap -sU') crashes Cisco
    IOS version 12.0 (including 12.0T, 12.0S, etc.).  It has also been reported
    that nmap with certain options can cause NeXTStep 3.3 systems to panic and
    reboot.
    
    Tests by SecureXpert Labs have confirmed the vulnerability of Solaris 2.6
    and what appears to be a small number of older Linux versions. Cisco
    Systems has confirmed the Cisco IOS vulnerability. The FreeBSD, HP-UX, AIX,
    SCO, and NeXTStep reports have not yet been corroborated.
    
    The nature of this vulnerability leads SecureXpert Labs to believe that
    additional operating systems may also be vulnerable.
    
    At this stage in SecureXpert Labs' investigations, it appears that several
    of these attacks leave no trace in system logs, unless external Intrusion
    Detection systems are in place.
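
    Because these probes leave no trace in host logs, detection has to happen
    on the wire.  The following is an added example, not part of the SecureXpert
    advisory: a small Python detector that scans a constructed list of TCP
    packet records for the three patterns the Description section names
    (unexpected FIN, "Christmas Tree" FIN/PSH/URG, and SYN immediately followed
    by RST with no ACK in between).  The record format, addresses and sample
    data are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: (time, src, dst, dst_port, tcp_flags) for client-side
# packets seen arriving at a monitored host.  Flags use tcpdump-style letters.
SAMPLE = [
    (1.00, "192.0.2.10", "198.51.100.5", 23, "S"),
    (1.01, "192.0.2.10", "198.51.100.5", 23, "R"),     # SYN then RST: half-open probe
    (1.05, "192.0.2.10", "198.51.100.5", 21, "S"),
    (1.06, "192.0.2.10", "198.51.100.5", 21, "R"),
    (2.00, "192.0.2.11", "198.51.100.5", 111, "F"),    # FIN with no connection
    (2.10, "192.0.2.11", "198.51.100.5", 111, "FPU"),  # "Christmas Tree" packet
    (3.00, "203.0.113.7", "198.51.100.5", 80, "S"),
    (3.01, "203.0.113.7", "198.51.100.5", 80, "A"),    # normal handshake completes
    (3.50, "203.0.113.7", "198.51.100.5", 80, "FA"),   # normal close, not flagged
]

def classify(packets):
    """Return (kind, src, dst, port) alerts for the nmap-style patterns
    described in the advisory, processing packets in time order."""
    alerts = []
    syn_seen = set()      # flows where the client sent a SYN
    established = set()   # flows where an ACK followed that SYN
    for _, src, dst, port, flags in sorted(packets):
        key = (src, dst, port)
        fl = set(flags)
        if fl == {"S"}:
            syn_seen.add(key)
        elif "A" in fl and key in syn_seen:
            established.add(key)
        elif fl == {"R"} and key in syn_seen and key not in established:
            alerts.append(("syn-rst half-open", *key))
        elif {"F", "P", "U"} <= fl:
            alerts.append(("christmas tree", *key))
        elif fl == {"F"} and key not in established:
            alerts.append(("unexpected fin", *key))
    return alerts

def scanners(alerts, threshold=2):
    """Sources that triggered at least `threshold` alerts: a scan rather than
    a single stray packet."""
    counts = defaultdict(int)
    for _, src, _, _ in alerts:
        counts[src] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)
```

In a real deployment the records would come from a packet capture on the
network segment in front of the affected hosts, since the advisory notes the
hosts themselves record nothing.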
    
    SecureXpert Labs has notified the vendors of affected systems, and is
    working with them on further testing, fault isolation, and remediation.
    
    
    Risks
    
    a. Denial of Service through inetd failure
    Remote attackers can disable critical server processes on affected systems.
    Failure of the inetd process will commonly disable all ftp and telnet
    access to a system, as well as other services such as rlogin and rsh.  In
    some less common cases, failure of inetd can disable processes such as
    BOOTP servers, Web servers, Radius or other authentication servers, etc.
    
    b. Denial of Service through portmapper failure
    Remote attackers can disable critical servers on affected systems.
    Failure of the portmapper process will commonly disable NFS and NIS
    services, as well as other services on some systems.
    
    c. Denial of Service through kernel panics, hangs, and crashes
    If reports that nmap can cause kernel panics, hangs, or crashes are
    confirmed, all services on affected servers can be disabled by remote
    attackers.
    
    
    Vulnerable versions
    
    Further details on affected systems and versions will be provided as more
    information becomes available.
    
    
    Actions
    
    a. Determine if your systems are vulnerable, either through your own testing
    with nmap or through the use of an external audit firm. (nmap is available
    from http://www.insecure.org/nmap/)
    
    b. Install vendor patches as they become available.
    
    c. In the short term, critical systems can be defended through application
    proxies (or, in some cases, multi-level filters) deployed on non-vulnerable
    firewall platforms.
    