Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

           ESB-2004.0611 -- SGI Security Advisory 20040905-01-P
                  bsd.a kernel networking vulnerabilities
                             29 September 2004


        AusCERT Security Bulletin Summary

Product:                bsd.a kernel
Publisher:              SGI
Operating System:       IRIX
Impact:                 Denial of Service
                        Provide Misleading Information
                        Reduced Security
Access:                 Remote/Unauthenticated
CVE Names:              CVE-1999-0074 CAN-2004-0230 CAN-2004-0171
                        CAN-2004-0139 CAN-1999-0667
Original Bulletin URL:  ftp://patches.sgi.com/support/free/security/advisories/20040905-01-P.asc

- --------------------------BEGIN INCLUDED TEXT--------------------



                          SGI Security Advisory

Title:      bsd.a kernel networking vulnerabilities
Number:     20040905-01-P
Date:       September 28, 2004
Reference:  SGI BUG 910841, CVE CAN-2004-0171
Reference:  SGI BUG 913122, CVE CAN-1999-0667
Reference:  SGI BUG 913287, CVE CAN-2004-0230
Reference:  SGI BUG 913386, CVE CVE-1999-0074
Reference:  SGI BUG 916973, CVE CAN-2004-0139
Fixed in:   Patches 5728 5729 5737 & 5738

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use.   SGI recommends
that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS"
basis only, and disclaims all warranties with respect thereto, express,
implied or otherwise, including, without limitation, any warranty of
merchantability or fitness for a particular purpose.  In no event shall
SGI be liable for any loss of profits, loss of business, loss of data or

for any indirect, special, exemplary, incidental or consequential
of any kind arising from your use of, failure to use or improper use of
any of the instructions or information in this Security Advisory.

- - -----------------------
- - --- Issue Specifics ---
- - -----------------------

It has been reported thru various channels that there are several
vulnerabilities affecting bsd.a kernel networking.

The bugs addressed by these patches are:

* 910841 no limit on TCP reassembly queue size

* 913122 IRIX can accept bogus ARP update

* 913287 Improve handling of RST/SYN packets

* 913386 ephemeral port selection should be more randomized

* 916973 t_unbind changes t_bind's behavior

There are several non-security fixes included in the patch.

SGI has investigated the issue and recommends the following steps for
resolving this issue.  It is HIGHLY RECOMMENDED that these measures
be implemented on ALL vulnerable SGI systems.

- - --------------
- - --- Impact ---
- - --------------
To determine the version of IRIX you are running, execute the following

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.19f

The first number ("6.5") is the release name, the second ("6.5.16f" in
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

- - ----------------
- - --- Solution ---
- - ----------------

SGI has provided a series of patches for these vulnerabilities and
recommends that all affected operating systems install the
appropriate patch.

OS Version     Vulnerable?     Patch #      Other Actions
- - ----------     -----------     -------      -------------
IRIX 3.x         unknown                        Note 1
IRIX 4.x         unknown                        Note 1
IRIX 5.x         unknown                        Note 1
IRIX 6.0.x       unknown                        Note 1
IRIX 6.1         unknown                        Note 1
IRIX 6.2         unknown                        Note 1
IRIX 6.3         unknown                        Note 1
IRIX 6.4         unknown                        Note 1
IRIX 6.5         unknown                        Note 2
IRIX 6.5.1       unknown                        Note 2
IRIX 6.5.2       unknown                        Note 2
IRIX 6.5.3       unknown                        Note 2
IRIX 6.5.4       unknown                        Note 2
IRIX 6.5.5       unknown                        Note 2
IRIX 6.5.6       unknown                        Note 2
IRIX 6.5.7       unknown                        Note 2
IRIX 6.5.8       unknown                        Note 2
IRIX 6.5.9       unknown                        Note 2
IRIX 6.5.10      unknown                        Note 2
IRIX 6.5.11      unknown                        Note 2
IRIX 6.5.12      unknown                        Note 2
IRIX 6.5.13      unknown                        Note 2
IRIX 6.5.14      unknown                        Note 2
IRIX 6.5.15      unknown                        Note 2
IRIX 6.5.16      unknown                        Note 2
IRIX 6.5.17m     unknown                        Note 2
IRIX 6.5.17f     unknown                        Note 2
IRIX 6.5.18m     unknown                        Note 2 & 3
IRIX 6.5.18f     unknown                        Note 2 & 3
IRIX 6.5.19m     unknown                        Note 2 & 3
IRIX 6.5.19f     unknown                        Note 2 & 3
IRIX 6.5.20m     unknown                        Note 2 & 3
IRIX 6.5.20f     unknown                        Note 2 & 3
IRIX 6.5.21m     unknown                        Notes 2 & 3
IRIX 6.5.21f     unknown                        Notes 2 & 3
IRIX 6.5.22      yes              5738          Notes 2 & 3
IRIX 6.5.23      yes              5737          Notes 2 & 3
IRIX 6.5.24      yes              5728          Notes 2 & 3
IRIX 6.5.25      yes              5729          Notes 2 & 3

     1) This version of the IRIX operating has been retired. Upgrade to
        an actively supported IRIX operating system.  See
        http://support.sgi.com for more information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact
        your SGI Support Provider or URL: http://support.sgi.com

     3) Install the required patch(es) based on your operating release.

                ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:
Filename:                 README.patch.5728
Algorithm #1 (sum -r):    35186 9 README.patch.5728
Algorithm #2 (sum):       13588 9 README.patch.5728
MD5 checksum:             283FF7F48211DE12A5F701CF63D294B0

Filename:                 patchSG0005728
Algorithm #1 (sum -r):    35786 3 patchSG0005728
Algorithm #2 (sum):       28432 3 patchSG0005728
MD5 checksum:             BD7D37EF3E7A533170D2B5C21FB9953A

Filename:                 patchSG0005728.eoe_sw
Algorithm #1 (sum -r):    13196 6051 patchSG0005728.eoe_sw
Algorithm #2 (sum):       14725 6051 patchSG0005728.eoe_sw
MD5 checksum:             565CAE6A954F429CD4C2A5532F8D466B

Filename:                 patchSG0005728.idb
Algorithm #1 (sum -r):    35935 13 patchSG0005728.idb
Algorithm #2 (sum):       6797 13 patchSG0005728.idb
MD5 checksum:             7C0105CA77139F0E614F7E5505F84495

Filename:                 README.patch.5729
Algorithm #1 (sum -r):    59517 8 README.patch.5729
Algorithm #2 (sum):       39107 8 README.patch.5729
MD5 checksum:             5B079FFE7C41D3AB8FDEDDC19DFEEADD

Filename:                 patchSG0005729
Algorithm #1 (sum -r):    22880 2 patchSG0005729
Algorithm #2 (sum):       57807 2 patchSG0005729
MD5 checksum:             E262646659E28A93193C6F4BA71CDBEE

Filename:                 patchSG0005729.eoe_sw
Algorithm #1 (sum -r):    40147 4498 patchSG0005729.eoe_sw
Algorithm #2 (sum):       56533 4498 patchSG0005729.eoe_sw
MD5 checksum:             3C4CAA38798B6ECF6A27D8F2A7B8179F

Filename:                 patchSG0005729.idb
Algorithm #1 (sum -r):    40084 11 patchSG0005729.idb
Algorithm #2 (sum):       44547 11 patchSG0005729.idb
MD5 checksum:             BA25A75A6B768611640AD4B81F0097B3

Filename:                 README.patch.5737
Algorithm #1 (sum -r):    33924 10 README.patch.5737
Algorithm #2 (sum):       35712 10 README.patch.5737
MD5 checksum:             8E7F5B9E6543C36993DA3BAE88F86161

Filename:                 patchSG0005737
Algorithm #1 (sum -r):    05158 4 patchSG0005737
Algorithm #2 (sum):       57426 4 patchSG0005737
MD5 checksum:             1452B04343D0565A3B7AE4C541E7EEE0

Filename:                 patchSG0005737.eoe_sw
Algorithm #1 (sum -r):    58680 6081 patchSG0005737.eoe_sw
Algorithm #2 (sum):       37111 6081 patchSG0005737.eoe_sw
MD5 checksum:             0ABFEC7A2ABE56C5A4620B2C274A303C

Filename:                 patchSG0005737.idb
Algorithm #1 (sum -r):    50788 13 patchSG0005737.idb
Algorithm #2 (sum):       38116 13 patchSG0005737.idb
MD5 checksum:             D42D48C2568C83171E9314CC81C998BC

Filename:                 README.patch.5738
Algorithm #1 (sum -r):    34257 9 README.patch.5738
Algorithm #2 (sum):       28325 9 README.patch.5738
MD5 checksum:             0BEF17F275BF3624EF05EF90FCD83233

Filename:                 patchSG0005738
Algorithm #1 (sum -r):    54456 4 patchSG0005738
Algorithm #2 (sum):       56616 4 patchSG0005738
MD5 checksum:             FBBE94737D658F28115B9B0265AFAF30

Filename:                 patchSG0005738.eoe_sw
Algorithm #1 (sum -r):    36099 12655 patchSG0005738.eoe_sw
Algorithm #2 (sum):       548 12655 patchSG0005738.eoe_sw
MD5 checksum:             7EE0C37FDE320B0B1602E7E792A741EF

Filename:                 patchSG0005738.idb
Algorithm #1 (sum -r):    08133 32 patchSG0005738.idb
Algorithm #2 (sum):       4380 32 patchSG0005738.idb
MD5 checksum:             6FF1955330B98978174A0132BD54B050

- - -------------
- - --- Links ---
- - -------------
Patches are available via the web, anonymous FTP and from your SGI
service/support provider.

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:

SGI fixes for SGI open sourced code can be found on:

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/ or

SGI patches for Windows NT or 2000 can be found at:

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:

IRIX 6.5 Software Update CDs can be obtained from:

The primary SGI anonymous FTP site for security advisories and patches
is patches.sgi.com (  Security advisories and patches
are located under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not
do a real-time update.

- - -----------------------------------------
- - --- SGI Security Information/Contacts ---
- - -----------------------------------------

If there are questions about this document, email can be sent to


SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing
the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches
is patches.sgi.com (  Security advisories and patches
are located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:

For issues with the patches on the FTP sites, email can be sent to

For assistance obtaining or working with security patches, please
contact your SGI support provider.


SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email)
all SGI Security Advisories when they are released. Subscribing to the
mailing list can be done via the Web
or by sending email to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .


If there are general security questions on SGI systems, email can be
sent to security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.
A  support contract is not required for submitting a security report.


      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

Version: 2.6.2


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967