-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.33: Vulnerabilities in inetd

Original report date:  21-Jun-1997 ("ping pong" vulnerability)
Original report date:  26-Aug-1997 (inetd denial of service vulnerability)
RPM build date:    03-Nov-1997
Advisory issue date:  18-Dec-1997

Topic: Vulnerabilities in "inetd" in netkit-base-0.10-1


I. Problem Description

  NOTE: Two different vulnerabilities are addressed in this advisory
  and corresponding update to the "inetd" daemon included in the
  netkit-base RPM.

  First issue: Sending a UDP datagram to the echo service with
  fake IP sender address and a source port of, for example,
  "echo" would cause the two hosts to ping-pong echo packets hence
  and forth.  Doing this repeatedly would create a packet storm.
  Other builtin UDP services may be similarly vulnerable.

  This can be fixed by making inetd ignore all UDP with source
  port less than 512.

  Second issue: When inetd receives more than 40 connects per
  minute to any given service, it would shut down that service
  for 10 minutes. Inetd logs this condition to syslogd saying
  `Service xxx looping, terminated'.

  There's no easy fix for that (the experts are still working on
  that). If you experience this problem, you are either under
  attack, or (more likely) you are experiencing a load peak
  from legitimate usage.  In the latter case, you can bump the
  max number of requests serviced per minute by modifying the
  inetd.conf description of the offending service:
  
  ftp stream tcp nowait.100 root /usr/sbin/tcpd in.ftpd -l
           ^^^^ .max parameter
    
  This increases the threshold to 100 requests per minute.

  In case of an outside attack, you should make sure to firewall
  all services that are not to be used from outside.

  Another problem that was discovered in this context was that inetd
  wouldn't serve more that one request per second on average. This
  release also fixes this bug.


II. Impact

  Any machine with netkit-base-0.10-1 or earlier versions
  of NetKit-B may be vulnerable.  Run 'rpm -q netkit-base'
  to determine which version you have installed.


III. Solution

        Replace netkit-base-0.10-1 with the netkit-base-0.10-2.  The
  source and binary RPMs can be found on Caldera's ftp site at:

        ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/

                and

        ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/

        The MD5 checksum (from the "md5sum" command) for this package is:

  453f0e790cccb9af8c18ed9bccf9f4e0  RPMS/netkit-base-0.10-2.i386.rpm
  3ee21bbe8d17d57cb4eb638bd12c4b38  SRPMS/netkit-base-0.10-2.src.rpm

  Install the new package by executing:

    rpm -U netkit-base-0.10-2.i386.rpm

  You will then need to restart inetd.  Do this by executing:

    /etc/rc.d/init.d/inet stop

  followed by:

    /etc/rc.d/init.d/inet start

  Note: this upgrade should be done from the console when no one
  else is logged in on the system.

  If you are still using a NetKit-B package, you should first
  upgrade to the netkit-*-0.10* packages.  See Caldera's security
  advisory:

    "SA-1997.19 - September 22, 1997 Vulnerabilities in NetKit-B"

  for information concerning this issue.


IV. References / Credits

  From:    "D. Richard Hipp" <drh@tobit.hwaci.vnet.net>
  To:    support@caldera.com
  Date:    Tue, 26 Aug 1997 14:51:54 -0400
  Subject:  Denial-of-service attack against INETD.
  Message-Id:  <199708261851.OAA04649@tobit.hwaci.vnet.net>

  Some inetd fixes: Olaf Kirch <okir@caldera.de>

  From:    Willy TARREAU <tarreau@AEMIAIF.IBP.FR>
  To:    BUGTRAQ@NETSPACE.ORG
  Date:    Sat, 21 Jun 1997 23:58:16 +0200
  Subject:  Simple TCP service can hang a system
  Message-ID:  <199706212158.XAA01904@aemiaif.ibp.fr>

  This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

  This security alert closes Caldera's internal problem reports #936
  and #978.


V. PGP Signature

  This message was signed with the PGP key for <security@caldera.com>.

  This key can be obtained from:
    ftp://ftp.caldera.com/pub/pgp-keys/

  Or on an OpenLinux CDROM under:
    /OpenLinux/pgp-keys/

  $Id: SA-1997.32,v 1.2 1997/12/18 22:49:42 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNJmzbun+9R4958LpAQFM6gQAqnzeT9N3Ht4CQ9OL90M7azxcv6crIHtp
I9j511vhYJSEb73Tjvt7RzFkmCoQmaCC9nGeiu3uGEePTVJ4fq6cBRLDmDVwGeoV
W8NhzTs6UzicnXEh/BcMCDG57/IPnIBsnr0oickkhx2yoFVzf9ehAkMuBImCObNJ
6YY/Yk1jQsg=
=yWzI
-----END PGP SIGNATURE-----