-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SGI Security Advisory
Title : IP denial-of-service fixes and tunings
Number : 20030201-01-P
Date : February 12, 2003
Reference: CERT CA-2001-09
Reference: CVE-1999-0077 CAN-2001-0328
Reference: SGI BUGS 836110 866901 822734 829671 860748 862151 864775
Fixed in : IRIX 6.5.19 or patches 4765-4770, 4859-4862
______________________________________________________________________________
- -----------------------
- --- Issue Specifics ---
- -----------------------
It's been reported that there are multiple networking related
vulnerabilities in certain versions of IRIX:
o Statistical Weaknesses in TCP/IP Initial Sequence Numbers
http://www.cert.org/advisories/CA-2001-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0328
o Denial of Service attack involving clients sending packets with very
small MSS values
http://www.securityfocus.com/archive/1/195457
o IGMP report suppression Denial of Service
http://www.cs.ucsb.edu/~krishna/igmp_dos/
o Non-root users could influence interface settings that they shouldn't
be able to change.
o We added two new systune variables to disable additional types
of broadcast probes.
Non-security related fixes included with these patches,
o Always immediately ACK packets with PSH flag set to improve performance
with GigE networking.
o Permit the use of select() with sockets using the STP protocol in
the IRIX m-stream
SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
These issues have been corrected in patches and in IRIX 6.5.19.
- --------------
- --- Impact ---
- --------------
The above vulnerabilities are kernel-level, and naturally the kernel is
installed by default on IRIX 6.5 systems as part of eoe.sw.base.
To determine the version of IRIX you are running, execute the following
command:
# /bin/uname -R
That will return a result similar to the following:
# 6.5 6.5.16f
The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name. The extended release name is the
"version" we refer to throughout this document.
- ----------------------------
- --- Temporary Workaround ---
- ----------------------------
There is no effective workaround available for these problems. SGI
recommends either upgrading to IRIX 6.5.19, or installing the appropriate
patch from the listing below.
- ----------------
- --- Solution ---
- ----------------
SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.19 when available, or install the
appropriate patch.
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x unknown Note 1
IRIX 4.x unknown Note 1
IRIX 5.x unknown Note 1
IRIX 6.0.x unknown Note 1
IRIX 6.1 unknown Note 1
IRIX 6.2 unknown Note 1
IRIX 6.3 unknown Note 1
IRIX 6.4 unknown Note 1
IRIX 6.5 yes Notes 2 & 3
IRIX 6.5.1 yes Notes 2 & 3
IRIX 6.5.2 yes Notes 2 & 3
IRIX 6.5.3 yes Notes 2 & 3
IRIX 6.5.4 yes Notes 2 & 3
IRIX 6.5.5 yes Notes 2 & 3
IRIX 6.5.6 yes Notes 2 & 3
IRIX 6.5.7 yes Notes 2 & 3
IRIX 6.5.8 yes Notes 2 & 3
IRIX 6.5.9 yes Notes 2 & 3
IRIX 6.5.10 yes Notes 2 & 3
IRIX 6.5.11 yes Notes 2 & 3
IRIX 6.5.12 yes Notes 2 & 3
IRIX 6.5.13 yes Notes 2 & 3
IRIX 6.5.14m yes 4765 Notes 2,4 & 5
IRIX 6.5.14f yes 4766 Notes 2,4 & 5
IRIX 6.5.15m yes 4767 Notes 2,4 & 5
IRIX 6.5.15f yes 4768 Notes 2,4 & 5
IRIX 6.5.16m yes 4769 Notes 2,4 & 5
IRIX 6.5.16f yes 4770 Notes 2,4 & 5
IRIX 6.5.17m yes 4859 Notes 2,4 & 5
IRIX 6.5.17f yes 4860 Notes 2,4 & 5
IRIX 6.5.18m yes 4861 Notes 2,4 & 5
IRIX 6.5.18f yes 4862 Notes 2,4 & 5
IRIX 6.5.19 no
NOTES
1) This version of the IRIX operating has been retired. Upgrade to an
actively supported IRIX operating system. See
http://support.sgi.com/irix/news/index.html#policy for more
information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
3) Upgrade to IRIX 6.5.19
4) Install the appropriate patch or upgrade to IRIX 6.5.19
5) Note that for several of these fixes, you have to systune variables to
non-default settings to provide the added protection. Documentation
on how to use the new systunes is in the file /var/sysgen/mtune/bsd.
- ------------------------
- --- Acknowledgments ----
- ------------------------
SGI wishes to thank Michal Zalewski, Krishna Ramachandran, Darren Reed,
Rob Warnock, FIRST, UCSB, and the users of the Internet Community at
large for their assistance in this matter.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: README.patch.4765
Algorithm #1 (sum -r): 00851 8 README.patch.4765
Algorithm #2 (sum): 50531 8 README.patch.4765
MD5 checksum: EEF9775971EB60E31FF3EE99C3F48D05
Filename: patchSG0004765
Algorithm #1 (sum -r): 61582 2 patchSG0004765
Algorithm #2 (sum): 37142 2 patchSG0004765
MD5 checksum: 79F0A0E99AC82540FB447D147C68DF23
Filename: patchSG0004765.eoe_sw
Algorithm #1 (sum -r): 49197 8682 patchSG0004765.eoe_sw
Algorithm #2 (sum): 52920 8682 patchSG0004765.eoe_sw
MD5 checksum: AA3ABF4FB89EC7214D3F812EF8266F58
Filename: patchSG0004765.idb
Algorithm #1 (sum -r): 33635 8 patchSG0004765.idb
Algorithm #2 (sum): 28804 8 patchSG0004765.idb
MD5 checksum: 48ADB895BB57E67339D8E4C03EDF7071
Filename: README.patch.4766
Algorithm #1 (sum -r): 46520 8 README.patch.4766
Algorithm #2 (sum): 45333 8 README.patch.4766
MD5 checksum: 391B328808E4F94A27305D92634EAAE6
Filename: patchSG0004766
Algorithm #1 (sum -r): 40678 2 patchSG0004766
Algorithm #2 (sum): 37866 2 patchSG0004766
MD5 checksum: 8589BD3E333441A8F051E8BDAAB1F461
Filename: patchSG0004766.eoe_sw
Algorithm #1 (sum -r): 27708 8719 patchSG0004766.eoe_sw
Algorithm #2 (sum): 43291 8719 patchSG0004766.eoe_sw
MD5 checksum: 8619F9B9BABC2240723593F886C6E9DA
Filename: patchSG0004766.idb
Algorithm #1 (sum -r): 42539 8 patchSG0004766.idb
Algorithm #2 (sum): 28701 8 patchSG0004766.idb
MD5 checksum: EBFD5C60C84081AAB256F62A7D515991
Filename: README.patch.4767
Algorithm #1 (sum -r): 17974 8 README.patch.4767
Algorithm #2 (sum): 50521 8 README.patch.4767
MD5 checksum: 695AAF2AC022DF5548F6A08BABB8C19C
Filename: patchSG0004767
Algorithm #1 (sum -r): 50741 2 patchSG0004767
Algorithm #2 (sum): 36840 2 patchSG0004767
MD5 checksum: D40046A218262CE6C4525315574D7A93
Filename: patchSG0004767.eoe_sw
Algorithm #1 (sum -r): 06411 8634 patchSG0004767.eoe_sw
Algorithm #2 (sum): 65220 8634 patchSG0004767.eoe_sw
MD5 checksum: F311806DECAFCBE257C847BA3B90E234
Filename: patchSG0004767.idb
Algorithm #1 (sum -r): 23118 8 patchSG0004767.idb
Algorithm #2 (sum): 28772 8 patchSG0004767.idb
MD5 checksum: 59C5EDC63D888EBCD9678AA094E4AE36
Filename: README.patch.4768
Algorithm #1 (sum -r): 07449 8 README.patch.4768
Algorithm #2 (sum): 45329 8 README.patch.4768
MD5 checksum: 574EF632903897A79F2EC30EBDB749BD
Filename: patchSG0004768
Algorithm #1 (sum -r): 12854 2 patchSG0004768
Algorithm #2 (sum): 37926 2 patchSG0004768
MD5 checksum: 300D477270517404F21EBBC4EC1F9AF1
Filename: patchSG0004768.eoe_sw
Algorithm #1 (sum -r): 19153 8695 patchSG0004768.eoe_sw
Algorithm #2 (sum): 56318 8695 patchSG0004768.eoe_sw
MD5 checksum: 0F31ACA7E678DEFFC62B4470D286C168
Filename: patchSG0004768.idb
Algorithm #1 (sum -r): 10022 8 patchSG0004768.idb
Algorithm #2 (sum): 28960 8 patchSG0004768.idb
MD5 checksum: 001968D21CDAA04CF8F00929F56993D2
Filename: README.patch.4769
Algorithm #1 (sum -r): 31126 8 README.patch.4769
Algorithm #2 (sum): 50564 8 README.patch.4769
MD5 checksum: 82E480DAC43FCEED64BC15B8D9D57DEA
Filename: patchSG0004769
Algorithm #1 (sum -r): 03843 2 patchSG0004769
Algorithm #2 (sum): 36640 2 patchSG0004769
MD5 checksum: FB989211A29CF7D7ED37B20859CDC749
Filename: patchSG0004769.eoe_sw
Algorithm #1 (sum -r): 06936 8684 patchSG0004769.eoe_sw
Algorithm #2 (sum): 19463 8684 patchSG0004769.eoe_sw
MD5 checksum: 0DBAEF3ABE22AF89768A36BEBE7DB6B0
Filename: patchSG0004769.idb
Algorithm #1 (sum -r): 52255 8 patchSG0004769.idb
Algorithm #2 (sum): 28982 8 patchSG0004769.idb
MD5 checksum: CD7BDCADDC43DFCF70718701F2CB31DB
Filename: README.patch.4770
Algorithm #1 (sum -r): 47848 8 README.patch.4770
Algorithm #2 (sum): 45283 8 README.patch.4770
MD5 checksum: 62420BDB0901E3508DC24357A753F808
Filename: patchSG0004770
Algorithm #1 (sum -r): 37174 2 patchSG0004770
Algorithm #2 (sum): 37555 2 patchSG0004770
MD5 checksum: 9BEC0D64A1A37ADC457F5899B59C4924
Filename: patchSG0004770.eoe_sw
Algorithm #1 (sum -r): 39864 8731 patchSG0004770.eoe_sw
Algorithm #2 (sum): 60323 8731 patchSG0004770.eoe_sw
MD5 checksum: 8EF0379361DF58C8D1A7F1EF90BF8957
Filename: patchSG0004770.idb
Algorithm #1 (sum -r): 11481 8 patchSG0004770.idb
Algorithm #2 (sum): 28643 8 patchSG0004770.idb
MD5 checksum: 70C4D90A919D2FDC543923004923956F
Filename: README.patch.4859
Algorithm #1 (sum -r): 00935 8 README.patch.4859
Algorithm #2 (sum): 45233 8 README.patch.4859
MD5 checksum: FB019BC6CF6D404FF65C1961C5916D34
Filename: patchSG0004859
Algorithm #1 (sum -r): 48316 2 patchSG0004859
Algorithm #2 (sum): 37273 2 patchSG0004859
MD5 checksum: A4F76A969A96443ECE4EF81F03E42929
Filename: patchSG0004859.eoe_sw
Algorithm #1 (sum -r): 05200 8682 patchSG0004859.eoe_sw
Algorithm #2 (sum): 24603 8682 patchSG0004859.eoe_sw
MD5 checksum: B4E67351627AF9BD2518E130403E1F5C
Filename: patchSG0004859.idb
Algorithm #1 (sum -r): 12558 8 patchSG0004859.idb
Algorithm #2 (sum): 28929 8 patchSG0004859.idb
MD5 checksum: 2EBD54044AD96AF6E3130F7E4A831F83
Filename: README.patch.4860
Algorithm #1 (sum -r): 08551 8 README.patch.4860
Algorithm #2 (sum): 40311 8 README.patch.4860
MD5 checksum: A083EF36545E7806C503ECDC4205B30C
Filename: patchSG0004860
Algorithm #1 (sum -r): 38690 2 patchSG0004860
Algorithm #2 (sum): 37973 2 patchSG0004860
MD5 checksum: EF53D09FE2F5920C4A2FE48498F526F3
Filename: patchSG0004860.eoe_sw
Algorithm #1 (sum -r): 18758 8729 patchSG0004860.eoe_sw
Algorithm #2 (sum): 50084 8729 patchSG0004860.eoe_sw
MD5 checksum: 49663754DA52A65D1F3955EC3F61D200
Filename: patchSG0004860.idb
Algorithm #1 (sum -r): 00608 8 patchSG0004860.idb
Algorithm #2 (sum): 28685 8 patchSG0004860.idb
MD5 checksum: 89FDF54A20EBDB47F159B5B372098699
Filename: README.patch.4861
Algorithm #1 (sum -r): 55419 8 README.patch.4861
Algorithm #2 (sum): 34686 8 README.patch.4861
MD5 checksum: F67AB6C309E5CB6C14AD328FA5DAFAF9
Filename: patchSG0004861
Algorithm #1 (sum -r): 33127 2 patchSG0004861
Algorithm #2 (sum): 34079 2 patchSG0004861
MD5 checksum: 3A2E13F4214A7DE2EDC6A541AB2C884F
Filename: patchSG0004861.eoe_sw
Algorithm #1 (sum -r): 14812 8693 patchSG0004861.eoe_sw
Algorithm #2 (sum): 65234 8693 patchSG0004861.eoe_sw
MD5 checksum: 57FB55C1100BE5B07200B8AA8952F3AA
Filename: patchSG0004861.idb
Algorithm #1 (sum -r): 48910 8 patchSG0004861.idb
Algorithm #2 (sum): 28671 8 patchSG0004861.idb
MD5 checksum: 23689B4F2FEF2DE6CC4F9B80F4A2B3EA
Filename: README.patch.4862
Algorithm #1 (sum -r): 36366 8 README.patch.4862
Algorithm #2 (sum): 34677 8 README.patch.4862
MD5 checksum: 5F9EC05279B801B70BD80E4AF7265861
Filename: patchSG0004862
Algorithm #1 (sum -r): 49813 2 patchSG0004862
Algorithm #2 (sum): 35382 2 patchSG0004862
MD5 checksum: 69692CEF25EE7AE774DACB8E62AB1DEC
Filename: patchSG0004862.eoe_sw
Algorithm #1 (sum -r): 29451 8746 patchSG0004862.eoe_sw
Algorithm #2 (sum): 17026 8746 patchSG0004862.eoe_sw
MD5 checksum: 4BE770442C8DFD31AC54CCFF35F89E44
Filename: patchSG0004862.idb
Algorithm #1 (sum -r): 04107 8 patchSG0004862.idb
Algorithm #2 (sum): 28768 8 patchSG0004862.idb
MD5 checksum: AEBF11906A3322B410F93CD9F26594B1
- -------------
- --- Links ---
- -------------
SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/
SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/
SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/
SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/
SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/
SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/
SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/
IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html
IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
If there are questions about this document, email can be sent to
security-info@sgi.com.
------oOo------
SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/
For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.
% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress such as zedwatch@sgi.com >
end
^d
In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to. The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .
------oOo------
If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.
For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A support
contract is not required for submitting a security report.
______________________________________________________________________________
This information is provided freely to all interested parties
and may be redistributed provided that it is not altered in any
way, SGI is appropriately credited and the document retains and
includes its valid PGP signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBPkqMrbQ4cFApAP75AQHPSQQAt3JYa7juK9ppEKHM7hOXV31NSwaaWD5N
dOMA2NZa29XtzXVXCoofoS8pL9qDj3g6rLyHjhJkya2pRBfpJVV4jh8pmohJSdML
gg0aNSCEpo4Q9YWg9HKJq/TMSQdyMBfjbF8CkS+j6ZFtmDoNJ3TUqzEy69sNO/ys
XhSS7OQBNGM=
=WVnw
-----END PGP SIGNATURE-----
