HP-UX - Security Vulnerability with PMTU Strategy

CIAC INFORMATION BULLETIN

K-018: HP-UX - Security Vulnerability with PMTU Strategy

January 25, 2000 17:00 GMT
PROBLEM:       Hewlett-Packard's proprietary protocol for discovering the
               maximum path MTU for a connection is flawed.
PLATFORM:      HP-UX versions 10.30 and 11.0
DAMAGE:        A vulnerable machine could be used as an amplifier in a
               DoS (Denial-of-Service) attack.
SOLUTION:      Follow the instructions in the HP-UX Advisory listed below.

VULNERABILITY  The risk is low. However, because the number of DoS attempts
ASSESSMENT:    and attacks has been on the rise, it is recommended that the
               instructions in the attached Advisory from Hewlett-Packard
               be followed as soon as possible.
[ Begin Hewlett-Packard Security Advisory ]

Document ID:  HPSBUX0001-110
Date Loaded:  20000123
      Title:  Security Vulnerability with PMTU strategy

-------------------------------------------------------------------------
    HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #00110, 24 Jan 2000
-------------------------------------------------------------------------

The information in the following Security Advisory should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Advisory as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  An HP-UX 10.30/11.00 system can be used as an IP traffic
          amplifier.  Small amounts of inbound traffic can result in
          larger amounts of outbound traffic.

PLATFORM: HP-UX release 10.30 and 11.00 only.

DAMAGE:   Depending upon the amount and nature of inbound traffic, an
          HP-UX 10.30/11.00 system can be used to flood a target system
          with IP packets which could result in a denial of service.

SOLUTION: Set the NDD parameter ip_pmtu_strategy to 1.

AVAILABILITY: This capability is already available.

-------------------------------------------------------------------------
I.
   A. Background
      HP provides a proprietary method for determining PMTU.  When
      traffic needs to be routed to a destination for which the optimum
      MTU has not been determined, ICMP packets are used to discover
      the MTU for that path while data traffic is shipped in parallel.
      This is the default strategy for determining PMTU.

   B. Recommended solution
      Reference ndd manpage (1M), /etc/rc.config.d/nddconf

      To ensure that this parameter is set each time the system
      is booted, add the following lines to /etc/rc.config.d/nddconf

      TRANSPORT_NAME[<index>]=ip
      NDD_NAME[<index>]=ip_pmtu_strategy
      NDD_VALUE[<index>]=1

      The value of <index> is an integer from 0 to 99.  The first
      parameter specified in the file should use an <index> of
      0, the second an <index> of 1, and so on.

      Once these changes have been made, execute the following
      command:

      /usr/bin/ndd -c

      This sets all of the options specified in the file
      /etc/rc.config.d/nddconf.

      To verify that the parameter is set correctly, use the following
      command.
                /usr/bin/ndd -get /dev/ip ip_pmtu_strategy

      This should report a value of 1.

      Another way to change the ip_pmtu_strategy parameter on a running
      system is to use the following NDD command:

                /usr/bin/ndd -set /dev/ip ip_pmtu_strategy 1

      This setting will only last until the system is rebooted
      at which point the value of the parameter will be determined by the
      default value of 2 or whatever value is set in
      /etc/rc.config.d/nddconf

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP IT Resource Center via electronic mail,
      do the following:

      Use your browser to get to the HP IT Resource Center page
      at:

        http://us-support.external.hp.com
        (for US, Canada, Asia-Pacific, & Latin-America)
        http://europe-support.external.hp.com     (for Europe)

      Under the Maintenance and Support Menu (Electronic Support Center):
        click on the "more..." link.  Then -

      To -subscribe- to future HP Security Bulletins, or
      To -review- bulletins already released
        click on "Support Information Digests" near the bottom of the
        page, under "Notifications".

      Login with your user ID and password (or register for one).
      (Remember to save the User ID assigned to you, and your password).

      On the "Support Information Digest Main" page:
      click on the "HP Security Bulletin Archive".

      Once in the archive the third link is to our current Security
      Patch Matrix.  Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

      us-ffs.external.hp.com
      ~ftp/export/patches/hp-ux_patch_matrix

    E. To report new security vulnerabilities, send email to
       security-alert@hp.com.

       Please encrypt any exploit information using the security-alert
       PGP key, available from your local key server, or by sending a
       message with a -subject- (not body) of 'get key' (no quotes) to
       security-alert@hp.com.

      Permission is granted for copying and circulating this Advisory to
      Hewlett-Packard (HP) customers (or the Internet community) for the
      purpose of alerting them to problems, if and only if, the Advisory
      is not edited or changed in any way, is attributed to HP, and
      provided such reproduction and/or distribution is performed for
      non-commercial purposes.

      Any other use of this information is prohibited.  HP is not liable
      for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID:  HPSBUX0001-110--------------------------------------

[ End Hewlett-Packard Security Advisory ]
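
The persistence step in section I.B of the advisory above can be audited offline against a copy of /etc/rc.config.d/nddconf. The shell functions below are an added example, not part of the CIAC bulletin or the HP advisory; the function names, the placeholder parameter example_param and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline audit of an nddconf-style file. It never calls ndd.

# Print "<index> <transport> <name> <value>" per index; "-" marks a missing field.
ndd_entries() {
    awk '
        function get(k, i) { return ((k, i) in field) ? field[k, i] : "-" }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)\[[0-9]+\]=/ {
            lb = index(line, "["); rb = index(line, "]"); eq = index(line, "=")
            key = substr(line, 1, lb - 1)
            idx = substr(line, lb + 1, rb - lb - 1) + 0
            val = substr(line, eq + 1); sub(/#.*/, "", val); gsub(/[" \t]/, "", val)
            field[key, idx] = (val == "") ? "-" : val; seen[idx] = 1
        }
        END {
            for (i = 0; i <= 99; i++)
                if (i in seen) print i, get("TRANSPORT_NAME", i), get("NDD_NAME", i), get("NDD_VALUE", i)
        }
    ' "$1"
}

# Succeed only if ip_pmtu_strategy exists for transport ip and every entry is 1.
pmtu_persisted() {
    ndd_entries "$1" | awk '
        $3 == "ip_pmtu_strategy" { found = 1; if ($2 != "ip" || $4 != "1") bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }
    '
}

# Print the lowest unused index in 0..99 (the advisory numbers entries 0, 1, 2, ...).
next_ndd_index() {
    ndd_entries "$1" | awk '
        { used[$1] = 1 }
        END {
            for (i = 0; i <= 99; i++) if (!(i in used)) { print i; exit 0 }
            exit 1
        }
    '
}

# Constructed sample: example_param is a placeholder, 2 is the default per the advisory.
sample=$(mktemp)
printf '%s\n' 'TRANSPORT_NAME[0]=ip' 'NDD_NAME[0]=example_param' 'NDD_VALUE[0]=0' \
    'TRANSPORT_NAME[1]=ip' 'NDD_NAME[1]=ip_pmtu_strategy' 'NDD_VALUE[1]=2' > "$sample"
if pmtu_persisted "$sample"; then echo "ip_pmtu_strategy=1 is persisted"
else echo "not persisted; next free index is $(next_ndd_index "$sample")"; fi
rm -f "$sample"
```

On a host, point the functions at /etc/rc.config.d/nddconf, then confirm the running value with the ndd -get command given in the advisory.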

CIAC wishes to acknowledge the contributions of Hewlett-Packard Corporation for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788