CERT advisory for denial-of-service

CERT advisory for denial-of-service

Post by D J Hawkey » Thu, 24 Dec 1998 04:00:00

Hello All.

Below is a CERT advisory about Denial of Service vulnerability in some
TCP/IP stacks, notably BSD-derived systems.

If I recall correctly, QNX's is BSD-derived.
Are we safe against this? From what version forward?


CERT Advisory CA-98-13-tcp-denial-of-service

   Original Issue Date: December 21, 1998

   Last Revised

Topic: Vulnerability in Certain TCP/IP Implementations

Affected Systems

   Some systems with BSD-derived TCP/IP stacks. See Appendix A for a
   complete list of affected systems.


   Intruders can disrupt service or crash systems with vulnerable TCP/IP
   stacks. No special access is required, and intruders can use
   source-address spoofing to conceal their true location.

I. Description

   By carefully constructing a sequence of packets with certain
   characteristics, an intruder can cause vulnerable systems to crash,
   hang, or behave in unpredictable ways. This vulnerability is similar
   in its effect to other denial-of-service vulnerabilities, including
   the ones described in


   Specifically, intruders can use this vulnerability in conjunction with
   IP-source-address spoofing to make it difficult or impossible to know
   their location. They can also use the vulnerability in conjunction
   with broadcast packets to affect a large number of vulnerable machines
   with a small number of packets.

II. Impact

   Any remote user can crash or hang a vulnerable machine, or cause the
   system to behave in unpredictable ways.

III. Solution

A. Install a patch from your vendor.

   Appendix A contains input from vendors who have provided information
   for this advisory. We will update the appendix as we receive more
   information. If you do not see your vendor's name, the CERT/CC did not
   hear from that vendor. Please contact your vendor directly.

B. Configure your router or firewall to help prevent source-address spoofing.

   We encourage sites to configure their routers or firewalls to reduce
   the ability of intruders to use source-address spoofing. Currently,
   the best method to reduce the number of IP-spoofed packets exiting
   your network is to install filtering on your routers that requires
   packets leaving your network to have a source address from your
   internal network. This type of filter prevents a source IP-spoofing
   attack from your site by filtering all outgoing packets that contain a
   source address of a different network.

   A detailed description of this type of filtering is available in RFC
   2267, "Network Ingress Filtering: Defeating Denial of Service Attacks
   which employ IP Source Address Spoofing" by Paul Ferguson of Cisco
   Systems, Inc. and Daniel Senie of Blazenet, Inc. We recommend it to
   both Internet Service Providers and sites that manage their own
   routers. The document is currently available at


   Note that this type of filtering does not protect a site from the
   attack itself, but it does reduce the ability of intruders to conceal
   their location, thereby discouraging attacks.

Appendix A - Vendor Information

   Berkeley Software Design, Inc. (BSDI)

   BSDI's current release BSD/OS 4.0 is not vulnerable to this problem.
   BSD/OS 3.1 is vulnerable and a patch (M310-049) is available from
   BSDI's WWW server at http://www.bsdi.com/support/patches or via our
   ftp server from the directory

   Cisco Systems

   Cisco is not vulnerable.

   Compaq Computer Corporation

   SOURCE: (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer

   All rights reserved.

   SOURCE: Compaq Computer Corporation
   Compaq Services
   Software Security Response Team USA

   This reported problem is not present for the as shipped, Compaq's
   Digital ULTRIX or Compaq's Digital UNIX Operating Systems Software.

     - Compaq Computer Corporation

   Data General Corporation

   We are investigating. We will provide an update when our investigation
   is complete.

   FreeBSD, Inc.

   FreeBSD 2.2.8 is not vulnerable.
   FreeBSD versions prior to 2.2.8 are vulnerable.
   FreeBSD 3.0 is also vulnerable.
   FreeBSD 3.0-current as of 1998/11/12 is not vulnerable.

   A patch is available at


   Regarding this vulnerability, Fujitsu's UXP/V operating system is not

   Hewlett-Packard Company

   HP is not vulnerable.

   IBM Corporation

   AIX is not vulnerable.

   IBM and AIX are registered trademarks of International Business
   Machines Corporation.

   Livingston Enterprises, Inc.

   Livingston systems are not vulnerable.

   Computer Associates International

   CA systems are not vulnerable.

   Microsoft Corporation

   Microsoft is not vulnerable.

   NEC Corporation

   NEC Corporation EWS-UX, UP-UX and UX/4800 Unix systems are not
   vulnerable to this problem.


   Security fixes for this problem are now available for 2.3 and 2.4.

   For 2.3, see


   For our 2.4 release which is available on CD on Dec 1, see


   The bug is fixed in our -current source tree.

   Sun Microsystems, Inc.

   We have confirmed that SunOS and Solaris are not vulnerable to the DOS

   Wind River Systems, Inc.

   We've taken a look at our networking code and have determined that
   this is not a problem in the currently shipping version of the VxWorks


   The vulnerability was originally discovered by Joel Boutros of the
   Enterprise Security Services team of Cambridge Technology Partners.
   Guido van Rooij of FreeBSD, Inc., provided an analysis of the
   vulnerability and information regarding its scope and extent.

   This document is available from:




     CTC Distribution Direct, LLC        http://pluto.ctcdist.com/

       UNIX Systems Administrator        http://www.visi.com/~hawkeyd/


1. Test Suites for CERT SNMP Advisory


I'm looking for test suites to determine if an agent is vulnerable to the
CERT advisories

VU#854306 (Multiple vulnerabilities in SNMPv1 request handling)
VU#107186 (Multiple vulnerabilities in SNMPv1 trap handling).

I'm aware of the test suite developed by the OUSPG used to deliver their
alert and SimpleSoft's SimpleSleuth.  Are there any other products

Mary Castro
Lucent Technologies        phone: 978-960-3996
1600 Osgood St.            fax:      978-960-6329

N. Andover, MA 01845

Remove <nospam> to e-mail me.

2. OS/2 & NT Peer-to-Peer?

3. does cert advisory affect SNMP trap generators ?

4. Is this a sign of a modem retraining....

5. CERT Advisory CA-96.03 - Vulnerability in Kerberos 4 Key Server

6. Setting up an iMac recording studio

7. CERT(sm) Advisory CA-96.03 - Vulnerability in Kerberos 4 Key Server

8. Microsoft money file

9. Denial of Service condition in vxworks ftpd/3com nbx

10. Looking to verify Denial of Service attack in VxWorks

11. Can VxWorks withstand Denial of Service attacks?

12. Denial of Service Security Bulletin MS02-48

13. SPAM as Denial of Service Attack on Hotmail Today