-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2003.0083 -- SGI Security Advisory
                  IP denial-of-service fixes and tunings
                             13 February 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                IRIX prior to 6.5.19
Vendor:                 SGI
Operating System:       IRIX
Impact:                 Denial of Service
                        Access Privileged Data
                        Inappropriate Access
Access Required:        Remote

Ref:                    ESB-2001.179

Comment: CVE Id: CVE-1999-0077
                 CAN-2001-0328

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                          SGI Security Advisory

Title    : IP denial-of-service fixes and tunings
Number   : 20030201-01-P
Date     : February 12, 2003
Reference: CERT CA-2001-09
Reference: CVE-1999-0077 CAN-2001-0328
Reference: SGI BUGS 836110 866901 822734 829671 860748 862151 864775
Fixed in : IRIX 6.5.19 or patches 4765-4770, 4859-4862
______________________________________________________________________________

- - -----------------------
- - --- Issue Specifics ---
- - -----------------------

It's been reported that there are multiple networking related
vulnerabilities in certain versions of IRIX:

  o  Statistical Weaknesses in TCP/IP Initial Sequence Numbers
     http://www.cert.org/advisories/CA-2001-09.html
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0077
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0328

  o  Denial of Service attack involving clients sending packets with very
     small MSS values
     http://www.securityfocus.com/archive/1/195457

  o  IGMP report suppression Denial of Service
     http://www.cs.ucsb.edu/~krishna/igmp_dos/

  o  Non-root users could influence interface settings that they shouldn't
     be able to change.

  o  We added two new systune variables to disable additional types
     of broadcast probes.

Non-security related fixes included with these patches,

  o Always immediately ACK packets with PSH flag set to improve performance
    with GigE networking.

  o Permit the use of select() with sockets using the STP protocol in
    the IRIX m-stream


SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in patches and in IRIX 6.5.19.


- - --------------
- - --- Impact ---
- - --------------

The above vulnerabilities are kernel-level, and naturally the kernel is
installed by default on IRIX 6.5 systems as part of eoe.sw.base.

To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.16f

The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.


- - ----------------------------
- - --- Temporary Workaround ---
- - ----------------------------

There is no effective workaround available for these problems.  SGI
recommends either upgrading to IRIX 6.5.19, or installing the appropriate
patch from the listing below.


- - ----------------
- - --- Solution ---
- - ----------------

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.19 when available, or install the
appropriate patch.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x        unknown                     Note 1
   IRIX 6.0.x      unknown                     Note 1
   IRIX 6.1        unknown                     Note 1
   IRIX 6.2        unknown                     Note 1
   IRIX 6.3        unknown                     Note 1
   IRIX 6.4        unknown                     Note 1
   IRIX 6.5          yes                       Notes 2 & 3
   IRIX 6.5.1        yes                       Notes 2 & 3
   IRIX 6.5.2        yes                       Notes 2 & 3
   IRIX 6.5.3        yes                       Notes 2 & 3
   IRIX 6.5.4        yes                       Notes 2 & 3
   IRIX 6.5.5        yes                       Notes 2 & 3
   IRIX 6.5.6        yes                       Notes 2 & 3
   IRIX 6.5.7        yes                       Notes 2 & 3
   IRIX 6.5.8        yes                       Notes 2 & 3
   IRIX 6.5.9        yes                       Notes 2 & 3
   IRIX 6.5.10       yes                       Notes 2 & 3
   IRIX 6.5.11       yes                       Notes 2 & 3
   IRIX 6.5.12       yes                       Notes 2 & 3
   IRIX 6.5.13       yes                       Notes 2 & 3
   IRIX 6.5.14m      yes            4765       Notes 2,4 & 5
   IRIX 6.5.14f      yes            4766       Notes 2,4 & 5
   IRIX 6.5.15m      yes            4767       Notes 2,4 & 5
   IRIX 6.5.15f      yes            4768       Notes 2,4 & 5
   IRIX 6.5.16m      yes            4769       Notes 2,4 & 5
   IRIX 6.5.16f      yes            4770       Notes 2,4 & 5
   IRIX 6.5.17m      yes            4859       Notes 2,4 & 5
   IRIX 6.5.17f      yes            4860       Notes 2,4 & 5
   IRIX 6.5.18m      yes            4861       Notes 2,4 & 5
   IRIX 6.5.18f      yes            4862       Notes 2,4 & 5
   IRIX 6.5.19        no


   NOTES

     1) This version of the IRIX operating has been retired. Upgrade to an
        actively supported IRIX operating system.  See
        http://support.sgi.com/irix/news/index.html#policy for more
        information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
        SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

     3) Upgrade to IRIX 6.5.19

     4) Install the appropriate patch or upgrade to IRIX 6.5.19

     5) Note that for several of these fixes, you have to systune variables to
        non-default settings to provide the added protection. Documentation
        on how to use the new systunes is in the file /var/sysgen/mtune/bsd.


- - ------------------------
- - --- Acknowledgments ----
- - ------------------------

SGI wishes to thank Michal Zalewski, Krishna Ramachandran, Darren Reed,
Rob Warnock, FIRST, UCSB, and the users of the Internet Community at
large for their assistance in this matter.


                ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.4765
Algorithm #1 (sum -r):    00851 8 README.patch.4765
Algorithm #2 (sum):       50531 8 README.patch.4765
MD5 checksum:             EEF9775971EB60E31FF3EE99C3F48D05

Filename:                 patchSG0004765
Algorithm #1 (sum -r):    61582 2 patchSG0004765
Algorithm #2 (sum):       37142 2 patchSG0004765
MD5 checksum:             79F0A0E99AC82540FB447D147C68DF23

Filename:                 patchSG0004765.eoe_sw
Algorithm #1 (sum -r):    49197 8682 patchSG0004765.eoe_sw
Algorithm #2 (sum):       52920 8682 patchSG0004765.eoe_sw
MD5 checksum:             AA3ABF4FB89EC7214D3F812EF8266F58

Filename:                 patchSG0004765.idb
Algorithm #1 (sum -r):    33635 8 patchSG0004765.idb
Algorithm #2 (sum):       28804 8 patchSG0004765.idb
MD5 checksum:             48ADB895BB57E67339D8E4C03EDF7071

Filename:                 README.patch.4766
Algorithm #1 (sum -r):    46520 8 README.patch.4766
Algorithm #2 (sum):       45333 8 README.patch.4766
MD5 checksum:             391B328808E4F94A27305D92634EAAE6

Filename:                 patchSG0004766
Algorithm #1 (sum -r):    40678 2 patchSG0004766
Algorithm #2 (sum):       37866 2 patchSG0004766
MD5 checksum:             8589BD3E333441A8F051E8BDAAB1F461

Filename:                 patchSG0004766.eoe_sw
Algorithm #1 (sum -r):    27708 8719 patchSG0004766.eoe_sw
Algorithm #2 (sum):       43291 8719 patchSG0004766.eoe_sw
MD5 checksum:             8619F9B9BABC2240723593F886C6E9DA

Filename:                 patchSG0004766.idb
Algorithm #1 (sum -r):    42539 8 patchSG0004766.idb
Algorithm #2 (sum):       28701 8 patchSG0004766.idb
MD5 checksum:             EBFD5C60C84081AAB256F62A7D515991

Filename:                 README.patch.4767
Algorithm #1 (sum -r):    17974 8 README.patch.4767
Algorithm #2 (sum):       50521 8 README.patch.4767
MD5 checksum:             695AAF2AC022DF5548F6A08BABB8C19C

Filename:                 patchSG0004767
Algorithm #1 (sum -r):    50741 2 patchSG0004767
Algorithm #2 (sum):       36840 2 patchSG0004767
MD5 checksum:             D40046A218262CE6C4525315574D7A93

Filename:                 patchSG0004767.eoe_sw
Algorithm #1 (sum -r):    06411 8634 patchSG0004767.eoe_sw
Algorithm #2 (sum):       65220 8634 patchSG0004767.eoe_sw
MD5 checksum:             F311806DECAFCBE257C847BA3B90E234

Filename:                 patchSG0004767.idb
Algorithm #1 (sum -r):    23118 8 patchSG0004767.idb
Algorithm #2 (sum):       28772 8 patchSG0004767.idb
MD5 checksum:             59C5EDC63D888EBCD9678AA094E4AE36

Filename:                 README.patch.4768
Algorithm #1 (sum -r):    07449 8 README.patch.4768
Algorithm #2 (sum):       45329 8 README.patch.4768
MD5 checksum:             574EF632903897A79F2EC30EBDB749BD

Filename:                 patchSG0004768
Algorithm #1 (sum -r):    12854 2 patchSG0004768
Algorithm #2 (sum):       37926 2 patchSG0004768
MD5 checksum:             300D477270517404F21EBBC4EC1F9AF1

Filename:                 patchSG0004768.eoe_sw
Algorithm #1 (sum -r):    19153 8695 patchSG0004768.eoe_sw
Algorithm #2 (sum):       56318 8695 patchSG0004768.eoe_sw
MD5 checksum:             0F31ACA7E678DEFFC62B4470D286C168

Filename:                 patchSG0004768.idb
Algorithm #1 (sum -r):    10022 8 patchSG0004768.idb
Algorithm #2 (sum):       28960 8 patchSG0004768.idb
MD5 checksum:             001968D21CDAA04CF8F00929F56993D2

Filename:                 README.patch.4769
Algorithm #1 (sum -r):    31126 8 README.patch.4769
Algorithm #2 (sum):       50564 8 README.patch.4769
MD5 checksum:             82E480DAC43FCEED64BC15B8D9D57DEA

Filename:                 patchSG0004769
Algorithm #1 (sum -r):    03843 2 patchSG0004769
Algorithm #2 (sum):       36640 2 patchSG0004769
MD5 checksum:             FB989211A29CF7D7ED37B20859CDC749

Filename:                 patchSG0004769.eoe_sw
Algorithm #1 (sum -r):    06936 8684 patchSG0004769.eoe_sw
Algorithm #2 (sum):       19463 8684 patchSG0004769.eoe_sw
MD5 checksum:             0DBAEF3ABE22AF89768A36BEBE7DB6B0

Filename:                 patchSG0004769.idb
Algorithm #1 (sum -r):    52255 8 patchSG0004769.idb
Algorithm #2 (sum):       28982 8 patchSG0004769.idb
MD5 checksum:             CD7BDCADDC43DFCF70718701F2CB31DB

Filename:                 README.patch.4770
Algorithm #1 (sum -r):    47848 8 README.patch.4770
Algorithm #2 (sum):       45283 8 README.patch.4770
MD5 checksum:             62420BDB0901E3508DC24357A753F808

Filename:                 patchSG0004770
Algorithm #1 (sum -r):    37174 2 patchSG0004770
Algorithm #2 (sum):       37555 2 patchSG0004770
MD5 checksum:             9BEC0D64A1A37ADC457F5899B59C4924

Filename:                 patchSG0004770.eoe_sw
Algorithm #1 (sum -r):    39864 8731 patchSG0004770.eoe_sw
Algorithm #2 (sum):       60323 8731 patchSG0004770.eoe_sw
MD5 checksum:             8EF0379361DF58C8D1A7F1EF90BF8957

Filename:                 patchSG0004770.idb
Algorithm #1 (sum -r):    11481 8 patchSG0004770.idb
Algorithm #2 (sum):       28643 8 patchSG0004770.idb
MD5 checksum:             70C4D90A919D2FDC543923004923956F

Filename:                 README.patch.4859
Algorithm #1 (sum -r):    00935 8 README.patch.4859
Algorithm #2 (sum):       45233 8 README.patch.4859
MD5 checksum:             FB019BC6CF6D404FF65C1961C5916D34

Filename:                 patchSG0004859
Algorithm #1 (sum -r):    48316 2 patchSG0004859
Algorithm #2 (sum):       37273 2 patchSG0004859
MD5 checksum:             A4F76A969A96443ECE4EF81F03E42929

Filename:                 patchSG0004859.eoe_sw
Algorithm #1 (sum -r):    05200 8682 patchSG0004859.eoe_sw
Algorithm #2 (sum):       24603 8682 patchSG0004859.eoe_sw
MD5 checksum:             B4E67351627AF9BD2518E130403E1F5C

Filename:                 patchSG0004859.idb
Algorithm #1 (sum -r):    12558 8 patchSG0004859.idb
Algorithm #2 (sum):       28929 8 patchSG0004859.idb
MD5 checksum:             2EBD54044AD96AF6E3130F7E4A831F83

Filename:                 README.patch.4860
Algorithm #1 (sum -r):    08551 8 README.patch.4860
Algorithm #2 (sum):       40311 8 README.patch.4860
MD5 checksum:             A083EF36545E7806C503ECDC4205B30C

Filename:                 patchSG0004860
Algorithm #1 (sum -r):    38690 2 patchSG0004860
Algorithm #2 (sum):       37973 2 patchSG0004860
MD5 checksum:             EF53D09FE2F5920C4A2FE48498F526F3

Filename:                 patchSG0004860.eoe_sw
Algorithm #1 (sum -r):    18758 8729 patchSG0004860.eoe_sw
Algorithm #2 (sum):       50084 8729 patchSG0004860.eoe_sw
MD5 checksum:             49663754DA52A65D1F3955EC3F61D200

Filename:                 patchSG0004860.idb
Algorithm #1 (sum -r):    00608 8 patchSG0004860.idb
Algorithm #2 (sum):       28685 8 patchSG0004860.idb
MD5 checksum:             89FDF54A20EBDB47F159B5B372098699

Filename:                 README.patch.4861
Algorithm #1 (sum -r):    55419 8 README.patch.4861
Algorithm #2 (sum):       34686 8 README.patch.4861
MD5 checksum:             F67AB6C309E5CB6C14AD328FA5DAFAF9

Filename:                 patchSG0004861
Algorithm #1 (sum -r):    33127 2 patchSG0004861
Algorithm #2 (sum):       34079 2 patchSG0004861
MD5 checksum:             3A2E13F4214A7DE2EDC6A541AB2C884F

Filename:                 patchSG0004861.eoe_sw
Algorithm #1 (sum -r):    14812 8693 patchSG0004861.eoe_sw
Algorithm #2 (sum):       65234 8693 patchSG0004861.eoe_sw
MD5 checksum:             57FB55C1100BE5B07200B8AA8952F3AA

Filename:                 patchSG0004861.idb
Algorithm #1 (sum -r):    48910 8 patchSG0004861.idb
Algorithm #2 (sum):       28671 8 patchSG0004861.idb
MD5 checksum:             23689B4F2FEF2DE6CC4F9B80F4A2B3EA

Filename:                 README.patch.4862
Algorithm #1 (sum -r):    36366 8 README.patch.4862
Algorithm #2 (sum):       34677 8 README.patch.4862
MD5 checksum:             5F9EC05279B801B70BD80E4AF7265861

Filename:                 patchSG0004862
Algorithm #1 (sum -r):    49813 2 patchSG0004862
Algorithm #2 (sum):       35382 2 patchSG0004862
MD5 checksum:             69692CEF25EE7AE774DACB8E62AB1DEC

Filename:                 patchSG0004862.eoe_sw
Algorithm #1 (sum -r):    29451 8746 patchSG0004862.eoe_sw
Algorithm #2 (sum):       17026 8746 patchSG0004862.eoe_sw
MD5 checksum:             4BE770442C8DFD31AC54CCFF35F89E44

Filename:                 patchSG0004862.idb
Algorithm #1 (sum -r):    04107 8 patchSG0004862.idb
Algorithm #2 (sum):       28768 8 patchSG0004862.idb
MD5 checksum:             AEBF11906A3322B410F93CD9F26594B1


- - -------------
- - --- Links ---
- - -------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.


- - -----------------------------------------
- - --- SGI Security Information/Contacts ---
- - -----------------------------------------

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress such as zedwatch@sgi.com >
end
^d

In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to.  The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

______________________________________________________________________________
      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPkqMrbQ4cFApAP75AQHPSQQAt3JYa7juK9ppEKHM7hOXV31NSwaaWD5N
dOMA2NZa29XtzXVXCoofoS8pL9qDj3g6rLyHjhJkya2pRBfpJVV4jh8pmohJSdML
gg0aNSCEpo4Q9YWg9HKJq/TMSQdyMBfjbF8CkS+j6ZFtmDoNJ3TUqzEy69sNO/ys
XhSS7OQBNGM=
=WVnw
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPku2Fih9+71yA2DNAQGl+wP/XAOnGqVHyJ4s0bg7vgdK+yYHqnnM52/H
xVtFa05py4dvTvmtwLKIPdE9oz8v5BBeGB4sjNEpz1wyKowqNVNiCFOk7rYC9QrW
UvTMxOnIi3tcBgz6+82XGYYSBYYfr/WP3kgsipV5+Ipt3Sa2qv2lESYCrLGsugM3
qrh+TQc36Pg=
=Lwr8
-----END PGP SIGNATURE-----