【TWCERT/CC安全通報】TW-CA-2005-024-[Sun(sm) Alert Notification
※ 本文轉錄自 [Lan] 信箱
作者: twcert@cert.org.tw (TWCERT/CC Fellows)
標題: 【TWCERT/CC安全通報】TW-CA-2005-024-[Sun(sm) A
時間: Tue Mar 1 14:11:36 2005
-----BEGIN PGP SIGNED MESSAGE-----
TW-CA-2005-024-[Sun(sm) Alert Notification #57673: Security Vulnerability With
ARP Handling Could Cause System to Hang]
────────────────────────────────────────
TWCERT/CC發布日期:2005-03-01
原漏洞發布日期:2005-02-11
原漏洞最新更新日期:2005-02-14
通用安全漏洞編號:
分類:Dos
來源參考:Sun(sm) Alert Notification #57673
──── 簡述 ─────────────────────────────────
──── 說明 ─────────────────────────────────
系統接受到大量的特殊 ARP (7p) 網路封包 (稱為 "ARP 風暴" 或 "ARP 颶風") 可能導致
系統懸滯。這些 ARP 封包可能由遠端具特殊權限之使用者,透過進行阻斷服務攻擊或透過
錯誤的封包路由來產生這些封包。
──── 影響平台 ───────────────────────────────
此議題可能影響下列發行版本:
SPARC 平台
‧未安裝 106541-39 修正檔的 Solaris 7
‧未安裝 116965-05 修正檔的 Solaris 8
‧未安裝 114344-09 修正檔的 Solaris 9
x86 平台
‧未安裝 106542-39 修正檔的 Solaris 7
‧未安裝 116966-05 修正檔的 Solaris 8
‧未安裝 114345-08 修正檔的 Solaris 9
──── 修正方式 ───────────────────────────────
暫時解決方法:
暫時解決方法為暫時將受影響的部分自系統中區隔開,直到找出發起 ARP 封包的源頭或
ARP 封包停止為止。一旦系統不再受到封包攻擊,便不會造成系統懸滯。
解決方法:
此議題已於下列版本中解決:
SPARC 平台
‧安裝 106541-39 或更新版本修正檔的 Solaris 7
‧安裝 116965-05 或更新版本修正檔的 Solaris 8
‧安裝 114344-09 或更新版本修正檔的 Solaris 9
x86 平台
‧安裝 106542-39 或更新版本修正檔的 Solaris 7
‧安裝 116966-05 或更新版本修正檔的 Solaris 8
‧安裝 114345-08 或更新版本修正檔的 Solaris 9
──── 影響結果 ───────────────────────────────
系統將無法再提供網路服務,而且網路上會出現不尋常的大量 ARP 封包。
可以用 "root" 身份(從同一個網路區塊的不同系統上)執行下列指令來驗證您的
Solaris 系統是否遭受到 ARP 封包的攻擊:
# snoop -o <output-file> arp
# snoop -i
大量如下的 ARP 廣播,可能表示大量的 ARP 封包:
7 0.12578 123.456.0.22 -> (broadcast) ARP C Who is 123.456.0.254, 123.456.0.254 ?
15 0.10603 123.456.0.2 -> (broadcast) ARP C Who is 123.456.0.22, 123.456.0.22 ?
──── 聯絡TWCERT/CC ─────────────────────────────
Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email: twcert@cert.org.tw
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm
────────────────────────────────────────
附件:[Security Vulnerability With ARP Handling Could Cause System to Hang]
──── 原文 ─────────────────────────────────
Sun(sm) Alert Notification
* Sun Alert ID: 57673
* Synopsis: Security Vulnerability With ARP Handling Could Cause System
to Hang
* Category: Security, Availability
* Product: Solaris
* BugIDs: 4653899
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 11-Feb-2005
* Date Closed: 11-Feb-2005
* Date Modified:
1. Impact
A system receiving a very large number of specific arp(7P) network packets
(an "arp storm" or "arp hurricane") could cause the system to hang. These
ARP packets could result from a remote privileged user implementing a Denial
of Service (DoS) or from a misconfigured (or broken) router inadvertently
sending the packets.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 7 without patch 106541-39
* Solaris 8 without patch 116965-05
* Solaris 9 without patch 114344-09
x86 Platform
* Solaris 7 without patch 106542-39
* Solaris 8 without patch 116966-05
* Solaris 9 without patch 114345-08
3. Symptoms
The system will be unable to provide networked services, and an unusually
heavy amount of ARP traffic will be observed on the network.
One way to verify a suspected flood of ARP packets to a specific Solaris
system on the network is to run the following command as the "root" user
(from another system on the same network segment):
# snoop -o <output-file> arp
# snoop -i
A large number of ARP broadcasts such as:
7 0.12578 123.456.0.22 -> (broadcast) ARP C Who is 123.456.0.254,
123.456.0.254 ?
15 0.10603 123.456.0.2 -> (broadcast) ARP C Who is 123.456.0.22,
123.456.0.22 ?
may indicate an ARP flood.
Solution Summary
4. Relief/Workaround
A temporary workaround would be to physically disconnect the affected
segment from the system until the source can be determined, and the source
of the flood of ARP packets stopped. Once the system stops processing the
packet flood, the hang will no longer be in effect.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 7 with patch 106541-39 or later
* Solaris 8 with patch 116965-05 or later
* Solaris 9 with patch 114344-09 or later
x86 Platform
* Solaris 7 with patch 106542-39 or later
* Solaris 8 with patch 116966-05 or later
* Solaris 9 with patch 114345-08 or later
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
────────────────────────────────────────
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQEVAwUBQiQFkKcyQYefg2/NAQHs0gf/Qyy5lO5yEKmIdlHIr5occSYOAzIlIUGb
kV48thwu9gDG6R5vl6r3ICpWcPFWuGGcxlioG/MVDNr0oPPdn7xceD1HNJqKQvhc
y51RmDJ5EygKU5k/MTqfWZ5NLYEPkFGm+hHIkXd1bTs9B+Xgn7HNkAAyZAOlvao2
o9ApzbOM7n2UaQ0wcvhvQSXmcydqG395I8GN307Bj2fscm+cR2ip5UTL2RpMlVdN
3zWMbnMwBRD1ysvVnphrxc3Z7pxlx3hp1tJ+nIN8aHSxkUCI3azBTD4IPSZZG09V
DlE2x92oyB7XKH0dKnws06pWZqdWdnc2meTBuCPfoAva3m4gWZn20Q==
=JgxZ
-----END PGP SIGNATURE-----
--
Taiwan Computer Emergency Response Team Security Advisory mailing list.
Mail to : Majordomo@cert.org.tw and include a line "subscribe advisory".
Please visit http://www.cert.org.tw/.
PGP key : http://www.cert.org.tw/eng/pgp.htm
NetSecurity 近期熱門文章
PTT數位生活區 即時熱門文章
