-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.33: Vulnerabilities in inetd

Original report date: 21-Jun-1997 ("ping pong" vulnerability)
Original report date: 26-Aug-1997 (inetd denial of service vulnerability)
RPM build date: 03-Nov-1997
Advisory issue date: 18-Dec-1997

Topic: Vulnerabilities in "inetd" in netkit-base-0.10-1

I. Problem Description

NOTE: Two different vulnerabilities are addressed in this advisory and the corresponding update to the "inetd" daemon included in the netkit-base RPM.

First issue:

Sending a UDP datagram to the echo service with a fake IP sender address and a source port of, for example, "echo" would cause the two hosts to ping-pong echo packets back and forth. Doing this repeatedly would create a packet storm. Other builtin UDP services may be similarly vulnerable.

This can be fixed by making inetd ignore all UDP datagrams with a source port less than 512.

Second issue:

When inetd receives more than 40 connects per minute to any given service, it shuts down that service for 10 minutes. Inetd logs this condition to syslogd saying `Service xxx looping, terminated'.

There's no easy fix for that (the experts are still working on that). If you experience this problem, you are either under attack, or (more likely) you are experiencing a load peak from legitimate usage. In the latter case, you can bump the max number of requests serviced per minute by modifying the inetd.conf description of the offending service:

    ftp stream tcp nowait.100 root /usr/sbin/tcpd in.ftpd -l
                         ^^^^
                         .max parameter

This increases the threshold to 100 requests per minute.

In case of an outside attack, you should make sure to firewall all services that are not to be used from outside.

Another problem that was discovered in this context was that inetd wouldn't serve more than one request per second on average. This release also fixes this bug.

II. Impact

Any machine with netkit-base-0.10-1 or earlier versions of NetKit-B may be vulnerable.
Run 'rpm -q netkit-base' to determine which version you have installed.

III. Solution

Replace netkit-base-0.10-1 with the netkit-base-0.10-2.

The source and binary RPMs can be found on Caldera's ftp site at:

    ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/

and

    ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/

The MD5 checksum (from the "md5sum" command) for this package is:

    453f0e790cccb9af8c18ed9bccf9f4e0  RPMS/netkit-base-0.10-2.i386.rpm
    3ee21bbe8d17d57cb4eb638bd12c4b38  SRPMS/netkit-base-0.10-2.src.rpm

Install the new package by executing:

    rpm -U netkit-base-0.10-2.i386.rpm

You will then need to restart inetd. Do this by executing:

    /etc/rc.d/init.d/inet stop

followed by:

    /etc/rc.d/init.d/inet start

Note: this upgrade should be done from the console when no one else is logged in on the system.

If you are still using a NetKit-B package, you should first upgrade to the netkit-*-0.10* packages. See Caldera's security advisory: "SA-1997.19 - September 22, 1997 Vulnerabilities in NetKit-B" for information concerning this issue.

IV. References / Credits

From: "D. Richard Hipp"
To: support@caldera.com
Date: Tue, 26 Aug 1997 14:51:54 -0400
Subject: Denial-of-service attack against INETD.
Message-Id: <199708261851.OAA04649@tobit.hwaci.vnet.net>

Some inetd fixes: Olaf Kirch

From: Willy TARREAU
To: BUGTRAQ@NETSPACE.ORG
Date: Sat, 21 Jun 1997 23:58:16 +0200
Subject: Simple TCP service can hang a system
Message-ID: <199706212158.XAA01904@aemiaif.ibp.fr>

This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

This security alert closes Caldera's internal problem reports #936 and #978.

V. PGP Signature

This message was signed with the PGP key for .
This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1997.32,v 1.2 1997/12/18 22:49:42 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNJmzbun+9R4958LpAQFM6gQAqnzeT9N3Ht4CQ9OL90M7azxcv6crIHtp
I9j511vhYJSEb73Tjvt7RzFkmCoQmaCC9nGeiu3uGEePTVJ4fq6cBRLDmDVwGeoV
W8NhzTs6UzicnXEh/BcMCDG57/IPnIBsnr0oickkhx2yoFVzf9ehAkMuBImCObNJ
6YY/Yk1jQsg=
=yWzI
-----END PGP SIGNATURE-----
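
An added example, not part of Caldera's advisory or of inetd itself: a small Python audit of an inetd.conf that lists the enabled builtin UDP services (the class affected by the first issue in section I) and each service's effective per-minute limit from the .max parameter (the second issue). The function names and the sample configuration are constructed for illustration; the default of 40 is the threshold stated in section I, and the six-field line layout with "internal" marking builtin services is assumed.

```python
DEFAULT_MAX = 40  # per-minute threshold stated in section I of the advisory

# Constructed sample inetd.conf, not taken from a real system.
SAMPLE_CONF = """\
# service socket proto wait[.max] user server args
echo    dgram   udp  wait        root  internal
echo    stream  tcp  nowait      root  internal
ftp     stream  tcp  nowait.100  root  /usr/sbin/tcpd  in.ftpd -l
telnet  stream  tcp  nowait      root  /usr/sbin/tcpd  in.telnetd
#chargen dgram  udp  wait        root  internal
"""


def parse_inetd_conf(text):
    """Return one dict per enabled (uncommented) service entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled/commented entry
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; a fuller audit would report it
        name, sock, proto, wait, user, server = fields[:6]
        # "nowait.100" -> mode "nowait", limit 100; no suffix -> default limit
        mode, _, max_str = wait.partition(".")
        limit = int(max_str) if max_str.isdigit() else DEFAULT_MAX
        entries.append({"name": name, "proto": proto, "mode": mode,
                        "max_per_min": limit, "server": server})
    return entries


def audit(text):
    """Summarise exposure to the two issues described in the advisory."""
    entries = parse_inetd_conf(text)
    return {
        # Builtin UDP services: disable them if unused, or firewall them.
        "udp_builtins": [e["name"] for e in entries
                         if e["proto"] == "udp" and e["server"] == "internal"],
        # Effective connects-per-minute limit before a service is shut down.
        "limits": {f'{e["name"]}/{e["proto"]}': e["max_per_min"]
                   for e in entries},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    print("builtin UDP services enabled:", report["udp_builtins"])
    for svc, limit in sorted(report["limits"].items()):
        print(f"{svc}: {limit} connects/minute")
```
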