On Fri Feb 11 2000 Puchatek (puchatekat_private) wrote:

> I've just tested this on NW 5.0 with sp4a and BM 3.5 sp1. Connection to
> port 2000 is refused and server doesn't give Short Term Malloc errors.
> IMHO sp4a patched this error...

After playing around with this beast for about a week, this is NOT as simple as it appears. We checked out BM 3.5 sp1 and there are still issues, but we'll get into that. We wanted to clear a few things up (why doesn't someone from Novell post about this?!?!?!):

First, our test environment:

NetWare 5.0
NetWare 5.0 SP4a
Novell Border Manager 3.0
Novell Border Manager 3.0 SP 2
CSATPXY2.EXE  **it appears you need this to really put this issue to rest**

We *think* NetWare 5.1 cleans this up - we're testing that now.

------------------------------------------------------------
Short version:

Port 2000 is used by CSATPXY, which as we understand it is used by the DNS/DHCP management console to view the audit logs. If you telnet to port 2000 and/or pump a lot of garbage to it, the server eventually pukes. Odd, but whatever...

(An official Novell explanation of what CSATPXY.NLM actually does is documented in Novell TID# 2953101. This document explains why the port is left in a listen state, and explains how to have the NLM listen on another port; however, all attempts to assign a different port on my test server failed; it always resorted to port 2000.)

Ok, so to put this thing to rest you have to:

- apply NetWare 5.0 SP4a
- apply the Border Manager patch (in our case 3.0 SP 2, for 3.5 it's SP 1)
- apply CSATPXY2.EXE (Novell TID 2955744)
- and for those that really want to be safe: go in, blow away the default filter rule sets (use filtcfg) and blow away any rules allowing external access to port 2000. *THIS IS ENABLED BY DEFAULT*

IOHO, this is the safest bet because lord knows what other unknown goodies Novell provides with this CSATPXY thing.

(Dumb question? - Why is this enabled on the outside of the firewall by default?!?!?)
------------------------------------------------------------
Long version:

Tests Performed:

Patches Not Applied

Installed Novell 5.0 with no other products and opened a Telnet session over port 2000 (for some real fun: "telnet 127.0.0.1 19 | nc <target IP> 2000"). We received the following response, where xxx.xxx.xxx.xxx is our Novell server:

[pottedmeat@ foodproducts]$ telnet xxx.xxx.xxx.xxx 2000
Trying xxx.xxx.xxx.xxx...
Unable to connect to remote host: Connection refused.

Installed Border Manager 3.0, filtering all traffic, in and out. Tested ping in and out to verify the filter; all seemed blocked. Opened a Telnet session over port 2000, received the following response:

[pottedmeat@ foodproducts]$ telnet xxx.xxx.xxx.xxx 2000
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

After you have entered a few lines, the server starts to have problems:

1-27-2000 9:34:47 am: SERVER-5.0-830 [nmID=2000A]
> Short Term Memory Allocator is out of Memory.
> 1 attempts to get more memory failed.

This will continue indefinitely until the server is restarted. After about 10 minutes the number of attempts had equated to about 147000000. This in effect held the server processor utilization at about 58%-60% (Pentium Pro 200MHz with 128MB RAM).

Note: Non-default fully restrictive Border Manager filters *WERE* in place at this time.

Patches Applied

Applied NetWare 5.0 Service Pack 4a and tested with the same results. Applied Border Manager 3.0 Service Pack 2.0 and tested once again, with the same results. These patches brought the CSATPXY.NLM to the following date and time:

CSATPXY.NLM    13869    12-9-1998    5:56:54 am

CSATPXY.NLM Applied

Per Novell TID 2955744 this issue has been resolved. This document contains a link to the file csatpxy2.exe.

Abstract

"Update to resolve a potential abend issue with CSATPXY.NLM and its port 2000 listener. This is applicable for BorderManager 3.0, 3.5 and DNS/DHCP services and runs on NetWare 4.11 through 5.x.
This is the CSATPXY.NLM that was released in NetWare 5.1. Download this file and follow the instructions below.

Installation Instructions

1. Extract this file to a temporary directory.
2. Rename the CSATPXY.NLM which exists in SYS:SYSTEM.
3. Copy the new CSATPXY.NLM from the temporary directory to SYS:SYSTEM.
4. Restart the server.

Issue

If a connection is made to port 2000, where CSATPXY.NLM is listening, and improper data is entered, CSATPXY may attempt to allocate a large amount of RAM, eventually causing the server to crash. This version of CSATPXY.NLM will now only allow 100K to be allocated at a time. It is also recommended that, if Packet Filtering is running on your server, you modify the filters to not allow connections to port 2000 on your public interface."

Once this file had been patched, we were no longer able to break through the Border Manager's port filter (the firewall actually did its job). As well, if I tried to Telnet to this port from internal (also could be filtered through the firewall) I received the following message:

[pottedmeat@ foodproducts]$ telnet xxx.xxx.xxx.xxx 2000
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
<typed in a bunch of garbage>
Connection closed by foreign host.

At this time, the server console would report the error as follows:

Invalid Reply Data Length-##########. Connection closed.

In short, without this update you are not only exposed internally, but externally as well.

For completeness, I verified that this file was indeed the same as rolled out in the NetWare 5.1 distribution, and as stated by Novell it was.

Other Relevant Documents:

DNSDHCP Audit/Event logs will not run. -------- TID# 2942493
Relevant if instead of patching the CSATPXY.NLM you unload it!

CSATPXY.NLM abends the server.
References new CSATPXY.NLM file.

Hope this helps,

Kevin Novak
Neohapsis
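The post's three observable outcomes (connection refused, connection accepted and then closed after garbage as with the patched NLM, connection accepted and held open as with the unpatched NLM) can be turned into a repeatable check. The script below is an added example written for this archive page; it is not code from the post, from Neohapsis or from Novell, and it does not speak the CSATPXY protocol at all. It sends one short line of junk and classifies the listener's reaction. The in-process mock listeners are constructed stand-ins used only so the example runs offline; the host, port 2000 default and timeout values are assumptions. Note that an "open" result only says the listener accepted junk without dropping the connection; given the memory-exhaustion behaviour described above, do not hammer a production server with it.

```python
"""Classify how a TCP listener (e.g. CSATPXY on port 2000) reacts to junk input.

Added example for this page, not the post's own code. Results:
  refused  - nothing accepted the connection (no listener, or a filter sent RST)
  filtered - the connect timed out (silently dropped by a packet filter)
  closed   - listener accepted, then dropped the connection after the junk line,
             i.e. what the patched CSATPXY.NLM does ("Connection closed by foreign host")
  open     - listener accepted the junk and is still holding the connection,
             i.e. what the unpatched listener did before it exhausted memory
"""
import socket
import sys
import threading

# Constructed junk line; anything that is not a valid request will do.
GARBAGE = b"A" * 64 + b"\r\n"


def probe_listener(host, port, payload=GARBAGE, timeout=3.0):
    """Connect, send one junk line, and report how the far end reacts."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "refused"
    except socket.timeout:
        s.close()
        return "filtered"
    try:
        try:
            s.sendall(payload)
        except (BrokenPipeError, ConnectionResetError):
            return "closed"
        try:
            data = s.recv(1024)
        except socket.timeout:
            return "open"          # still connected, peer said nothing
        except ConnectionResetError:
            return "closed"        # peer reset us after reading the junk
        return "closed" if data == b"" else "open"   # b"" means the peer sent FIN
    finally:
        s.close()


# ---- constructed mock listeners (assumption: they only emulate the two reactions) ----

def _serve_once(sock, close_on_data):
    """Accept one client, read once, then either hang up (patched-style) or hold on."""
    conn, _ = sock.accept()
    conn.settimeout(5.0)
    try:
        conn.recv(1024)
        if not close_on_data:
            try:
                conn.recv(1024)    # hold the connection until the client goes away
            except (socket.timeout, ConnectionResetError):
                pass
    finally:
        conn.close()
        sock.close()


def start_mock_listener(close_on_data):
    """Start a one-shot mock listener on 127.0.0.1 and return its port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_serve_once, args=(sock, close_on_data), daemon=True).start()
    return sock.getsockname()[1]


def free_port():
    """Return a port with nothing listening on it (used to show the 'refused' case)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def demo():
    """Run the three local scenarios and return {scenario: result}."""
    return {
        "patched-style listener": probe_listener("127.0.0.1", start_mock_listener(True), timeout=2.0),
        "unpatched-style listener": probe_listener("127.0.0.1", start_mock_listener(False), timeout=1.0),
        "no listener": probe_listener("127.0.0.1", free_port(), timeout=2.0),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Probe a real host (assumed argument form: host [port]); port 2000 is the page's default.
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 2000
        print(sys.argv[1], port, probe_listener(sys.argv[1], port))
    else:
        for scenario, result in demo().items():
            print(f"{scenario}: {result}")
```

Run it against each interface of the server separately: a "refused" or "filtered" result on the public interface and "closed" on the internal one is the end state the post describes after CSATPXY2.EXE plus the filter change; "open" on the public interface means the default filter rule the post complains about is still in place.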
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:30 PDT