-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.33: Vulnerabilities in inetd

Original report date:	21-Jun-1997 ("ping pong" vulnerability)
Original report date:	26-Aug-1997 (inetd denial of service vulnerability)
RPM build date:		03-Nov-1997
Advisory issue date:	18-Dec-1997

Topic: Vulnerabilities in "inetd" in netkit-base-0.10-1


I. Problem Description

	NOTE: Two different vulnerabilities are addressed in this advisory
	and corresponding update to the "inetd" daemon included in the
	netkit-base RPM.

	First issue: Sending a UDP datagram to the echo service with
	a forged IP sender address and a source port of, for example,
	"echo" would cause the two hosts to ping-pong echo packets back
	and forth.  Doing this repeatedly would create a packet storm.
	Other builtin UDP services may be similarly vulnerable.

	This can be fixed by making inetd ignore all UDP with source
	port less than 512.
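
	The source-port check described above, as an added example (it is
	not Caldera's or the netkit inetd code).  It models the echo
	services of two hosts without sending any packets; the function
	names and the reply cap are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define ECHO_PORT      7     /* well-known "echo" service port */
#define MIN_SRC_PORT   512   /* threshold stated in the advisory */

/* The check the advisory describes: refuse to answer UDP datagrams whose
 * source port is below 512, since a reply to such a port may reach another
 * builtin service that answers back. Returns 1 to drop, 0 to serve. */
int udp_source_refused(const struct sockaddr_in *from)
{
    return ntohs(from->sin_port) < MIN_SRC_PORT;
}

/* Constructed model (no packets are sent): two hosts both run a UDP echo
 * service. One host receives a datagram claiming to come from the other at
 * src_port. Each reply goes to the claimed sender; count the replies
 * generated until a datagram is dropped or max_replies is reached. */
int count_echo_replies(unsigned short src_port, int filter_on, int max_replies)
{
    struct sockaddr_in from;
    int replies = 0;

    memset(&from, 0, sizeof from);
    from.sin_family = AF_INET;
    from.sin_port = htons(src_port);

    while (replies < max_replies) {
        if (filter_on && udp_source_refused(&from))
            break;                        /* patched behaviour: ignore it */
        replies++;                        /* echo service answers sender */
        if (ntohs(from.sin_port) != ECHO_PORT)
            break;                        /* reply reached an ordinary client */
        /* Reply landed on the peer's echo port and itself carries the echo
         * port as source, so the peer faces the same datagram again. */
        from.sin_port = htons(ECHO_PORT);
    }
    return replies;
}

int main(void)
{
    printf("unfiltered, src=echo:  %d\n", count_echo_replies(ECHO_PORT, 0, 1000));
    printf("filtered,   src=echo:  %d\n", count_echo_replies(ECHO_PORT, 1, 1000));
    printf("filtered,   src=40000: %d\n", count_echo_replies(40000, 1, 1000));
    return 0;
}
```

	Without the check the exchange runs until the cap; with it the
	first datagram is dropped, while ordinary clients on high source
	ports are still served.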

	Second issue: When inetd receives more than 40 connects per
	minute to any given service, it would shut down that service
	for 10 minutes. Inetd logs this condition to syslogd saying
	`Service xxx looping, terminated'.

	There's no easy fix for this (the experts are still working on
	it). If you experience this problem, you are either under
	attack, or (more likely) you are experiencing a load peak
	from legitimate usage.  In the latter case, you can bump the
	max number of requests serviced per minute by modifying the
	inetd.conf description of the offending service:
	
	ftp stream tcp nowait.100 root /usr/sbin/tcpd in.ftpd -l
			     ^^^^ .max parameter
		
	This increases the threshold to 100 requests per minute.

	In case of an outside attack, you should make sure to firewall
	all services that are not to be used from outside.

	Another problem that was discovered in this context was that inetd
	wouldn't serve more than one request per second on average. This
	release also fixes this bug.


II. Impact

	Any machine with netkit-base-0.10-1 or earlier versions
	of NetKit-B may be vulnerable.  Run 'rpm -q netkit-base'
	to determine which version you have installed.


III. Solution

        Replace netkit-base-0.10-1 with netkit-base-0.10-2.  The
	source and binary RPMs can be found on Caldera's ftp site at:

        ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/

                and

        ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/

        The MD5 checksum (from the "md5sum" command) for this package is:

	453f0e790cccb9af8c18ed9bccf9f4e0  RPMS/netkit-base-0.10-2.i386.rpm
	3ee21bbe8d17d57cb4eb638bd12c4b38  SRPMS/netkit-base-0.10-2.src.rpm

	Install the new package by executing:

		rpm -U netkit-base-0.10-2.i386.rpm

	You will then need to restart inetd.  Do this by executing:

		/etc/rc.d/init.d/inet stop

	followed by:

		/etc/rc.d/init.d/inet start

	Note: this upgrade should be done from the console when no one
	else is logged in on the system.

	If you are still using a NetKit-B package, you should first
	upgrade to the netkit-*-0.10* packages.  See Caldera's security
	advisory:

		"SA-1997.19 - September 22, 1997 Vulnerabilities in NetKit-B"

	for information concerning this issue.


IV. References / Credits

	From:		"D. Richard Hipp" <drh@tobit.hwaci.vnet.net>
	To:		support@caldera.com
	Date:		Tue, 26 Aug 1997 14:51:54 -0400
	Subject:	Denial-of-service attack against INETD.
	Message-Id:	<199708261851.OAA04649@tobit.hwaci.vnet.net>

	Some inetd fixes: Olaf Kirch <okir@caldera.de>

	From:		Willy TARREAU <tarreau@AEMIAIF.IBP.FR>
	To:		BUGTRAQ@NETSPACE.ORG
	Date:		Sat, 21 Jun 1997 23:58:16 +0200
	Subject:	Simple TCP service can hang a system
	Message-ID:	<199706212158.XAA01904@aemiaif.ibp.fr>

	This and other Caldera security resources are located at:

		http://www.caldera.com/tech-ref/security/

	This security alert closes Caldera's internal problem reports #936
	and #978.


V. PGP Signature

	This message was signed with the PGP key for <security@caldera.com>.

	This key can be obtained from:
		ftp://ftp.caldera.com/pub/pgp-keys/

	Or on an OpenLinux CDROM under:
		/OpenLinux/pgp-keys/

	$Id: SA-1997.32,v 1.2 1997/12/18 22:49:42 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNJmzbun+9R4958LpAQFM6gQAqnzeT9N3Ht4CQ9OL90M7azxcv6crIHtp
I9j511vhYJSEb73Tjvt7RzFkmCoQmaCC9nGeiu3uGEePTVJ4fq6cBRLDmDVwGeoV
W8NhzTs6UzicnXEh/BcMCDG57/IPnIBsnr0oickkhx2yoFVzf9ehAkMuBImCObNJ
6YY/Yk1jQsg=
=yWzI
-----END PGP SIGNATURE-----