[SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS

[rreiner () FSCINTERNET COM (Richard Reiner)]

SecureXpert Labs Advisory SX-98.12.23-01

Widespread DoS vulnerability can crash systems or disable critical services

Reported by: SecureXpert Labs
(with additional information from the Bugtraq & FreeBSD Security mailing
lists)


WARNING: this item is based on early analysis and additional field
reports.  The subject matter is still the subject of active research by
SecureXpert Labs and others.  Due to the broad scope of the vulnerability
described and its active exploitation on the Internet, this early
information release is being made.


Summary

A popular security tool called "nmap" can generate unusual network traffic,
which can be exploited to generate a wide variety of failures and crashes
on numerous operating systems.

Note: this family of vulnerabilities is NOT the same as that described in
CERT Advisory CA-98.13 - TCP/IP Denial of Service.  CERT CA-98.13 refers to
a fragmentation-related bug in some IP stacks.  The DoS vulnerabilities
described herein are not fragmentation related.


Description

The port scanner tool nmap has "stealth scanning" capabilities, designed to
avoid notice by Intrusion Detection systems.  When these are used, nmap
generates several types of unusual IP packets (e.g. unexpected FIN packets,
"Christmas Tree" packets, etc.), and unusual sequences of packets (e.g. TCP
connection setup with a SYN packet immediately followed by RST).  Nmap is
widely available (http://www.insecure.org/nmap).  Built-in functionality in
nmap allows it to be used to target large numbers of systems
simultaneously.

SecureXpert Labs has determined that nmap's "half-open" scanning mode
('nmap -sS') disables inetd on a number of operating systems, including
certain Solaris versions (including 2.6) and some versions of Linux.  Work
at SecureXpert Labs has also demonstrated that this scanning mode also
causes Microsoft Windows 98 to display a critical error ("Blue Screen"),
subsequent to which the Windows 98 workstation loses all network
connectivity.

Independent reports also indicate that nmap scanning can cause similar
failure of inetd on several additional operating systems, including HP-UX,
AIX, SCO, and FreeBSD.  Further reports indicate that the RPC portmapper
may be affected on some systems.  Additional reports indicate also that a
different nmap scanning mode (UDP scanning with 'nmap -sU') crashes Cisco
IOS version 12.0 (including 12.0T, 12.0S, etc.). It has also been reported
that nmap with certain options can cause NeXTStep 3.3 systems to panic and
reboot.

Tests by SecureXpert Labs have confirmed the vulnerability of Solaris 2.6
and what appears to be a small number of older Linux versions. Cisco
Systems has confirmed the Cisco IOS vulnerability. The FreeBSD, HP-UX, AIX,
SCO, and NeXTStep reports have not yet been corroborated.

The nature of this vulnerability leads SecureXpert Labs to believe that
additional operating systems may also be vulnerable.

At this stage in SecureXpert Labs' investigations, it appears that several
of these attacks leave no trace in system logs, unless external Intrusion
Detection systems are in place.

SecureXpert Labs has notified the vendors of affected systems, and is
working with them on further testing, fault isolation, and remediation.


Risks

a. Denial of Service through inetd failure
Remote attackers can disable critical server processes on affected systems.
Failure of the inetd process will commonly disable all ftp and telnet
access to a system, as well as other services such as rlogin and rsh.  In
some less common cases, failure of inetd can disable processes such as
BOOTP servers, Web servers, Radius or other authentication servers, etc.

b. Denial of Service through portmapper failure
Remote attackers can disabled critical servers on affected systems.
Failure of the portmapper process will commonly disable NFS and NIS
services, as well as other services on some systems.

c. Denial of Service through kernel panics, hangs, and crashes
If reports that nmap can cause kernel panics, hangs, or crashes are
confirmed, all services on affected servers can be disabled by remote
attackers.


Vulnerable versions

Further details on affected systems and versions will be provided as more
information become available.


Actions

a. Determine if your systems are vulnerable, ether through your own testing
with nmap or through the user of an external audit firm. (nmap is available
from http://www.insecure.org/nmap/)

b. Install vendor patches as they become available

c. In the short term, critical systems can be defended through application
proxies (or, in some cases, multi-level filters) deployed on non-vulnerable
firewall platforms.