TITLE: SSRT4696- HP Tru64 UNIX - Potential TCP Stack Denial of Service Vulnerabilities Copyright (c) Hewlett-Packard Company 2005. All rights reserved. PRODUCT: HP Tru64 UNIX [R] V5.1B SOURCE: Hewlett-Packard Company ECO INFORMATION: ECO Name: T64KIT0024744-V51BB24-ES-20050125 ECO Kit Approximate Size: 3.68MB Kit Applies To: HP Tru64 UNIX V5.1B-1/PK3 (BL24) ECO Kit CHECKSUMS: /usr/bin/sum results: 33308 3770 /usr/bin/cksum results: 3182702107 3860480 MD5 results: 31af82a7f612be63f1216f0dee87d5bc SHA1 results: ef9810ffb68499b28666085ef4156907620c8be9 ECO KIT SUMMARY: A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX V5.1B that contains solutions to the following problem(s): Two potential security vulnerabilities have been identified in the Transmission Control Protocol (TCP) on HP Tru64 UNIX systems. The potential vulnerabilities could be remotely exploitable, resulting in denial of service (DoS). SSRT4696 - TCP (Severity - High) The Patch Kit Installation Instructions and the Patch Summary and Release Notes documents provide patch kit installation and removal instructions and a summary of each patch. Please read these documents prior to installing patches on your system. The patches in this ERP kit will also be available in the next mainstream patch kit - HP Tru64 UNIX V5.1B-3/PK5. INSTALLATION NOTES: 1) Install this kit with the dupatch utility that is included in the patch kit. You may need to baseline your system if you have manually changed system files on your system. The dupatch utility provides the baselining capability. 2) The patch in this ERP kit does not have any file intersections with any other ERP available at this time for this product version. 3) This ERP kit will NOT install over any Customer Specific Patches (CSPs) which have file intersections with this ERP kit. Contact your normal Service Provider for assistance if the installation of this ERP kit is blocked by any of your installed CSPs. INSTALLATION PREREQUISITES: You must have installed HP Tru64 UNIX V5.1B-1/PK3 (BL24) prior to installing this Early Release Patch Kit. SUPERSEDE INFORMATION: T64KIT0024744-V51BB24-ES-20050125.tar replaces T64KIT0024529-V51BB24-ES-20041219.tar KNOWN PROBLEMS WITH THE PATCH KIT: None. RELEASE NOTES FOR T64KIT0024744-V51BB24-ES-20050125: Release Notes This document summarizes the contents and special instructions for the Tru64 UNIX V5.1B patches contained in this kit. For information about installing or removing patches, baselining, and general patch management, see the Patch Kit Installation Instructions document. 1 Release Notes This Early Release Patch Kit Distribution contains: - fixes that resolve the problem(s) reported in: o 221-2-1290 221-2-359 * for Tru64 UNIX V5.1B T64V51BB24AS0003-20030929.tar (BL24) This kit includes a patch which requires system reboot. The patches in this kit are being released early for general customer use. Refer to the Release Notes for a summary of each patch and installation prerequisites. Patches in this kit are installed by running dupatch from the directory in which the kit was untarred. For example, as root on the target system: > mkdir -p /tmp/CSPkit1 > cd /tmp/CSPkit1 > > tar -xpvf DUV40D13-C0044900-1285-20000328.tar > cd patch_kit > ./dupatch 2 Special Instructions SPECIAL INSTRUCTIONS for Tru64 UNIX V5.1B Patch C984.05 The industry standard TCP specification (RFC793) has a vulnerability whereby established TCP connections can be reset by an attacker using the TCP RST (Reset) or SYN (Synchronize) flags. These packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports. The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP. According to RFC 793, a RST or SYN attack is only possible when the source IP address and TCP port can be forged or "spoofed." In that case TCP sessions, including Telnet, SSH, SFTP and HTTP may be disconnected without warning. TCP sessions that have been disconnected can be re-established. Normally, a TCP SYN packet (request for a new connection) that arrives on a server using a matching IP address, port number, and matching sequence number for an existing connection causes a TCP RST packet to be returned to the client. An attacker can guess the proper sequence number, along with the port and IP addresses, to cause an existing connection to be terminated with a TCP RST. When a client is rebooted without closing an old connection to the server, a subsequent attempt to connect to the server that matches the old connection tuple and sequence number will require a TCP RST in order to purge the old (stale) connection. HP has addressed these potential vulnerabilities, called TCP RST attack and TCP SYN attack, by providing two new kernel tunable variables, tcp_rst_win (TCP RST window) and tcp_syn_win (TCP SYN window). The tcp_rst_win and tcp_syn_win variables mitigate the TCP reset attack by reducing the window sizes in which a TCP RST/SYN packet will be accepted by the HP Tru64 UNIX system. Set the tunable values as follows: a) tcp_rst_win tcp_rst_win = -1 (default) Retains existing TCP behavior with respect to reset packets. tcp_rst_win = 2048 Provides a level of protection that significantly reduces the size of the TCP reset window while allowing for common TCP client/server sequence number variations. This allows a reset packet to be accepted by the HP Tru64 UNIX system when the remote machine has unacknowledged outstanding packets of up to a total of 2048 bytes. tcp_rst_win = 0 Provides maximum security against the potential DoS condition. Setting tcp_rst_win to 0 provides the highest level of protection without migrating to an IPSec environment. This setting restricts the acceptance of a reset packet to the current sequence number and may result in the rejection of valid reset packets where sent data packets have not been acknowledged. b) tcp_syn_win WARNING: by setting tcp_syn_win down to 2048 or less, the probability increases that a rebooted client will not be able to re-connect to a former server. For this reason, setting tcp_syn_win to any value other than the default value of -1 is not recommended. The client connection attempt could time out, but then work as expected when trying it again at a later time. tcp_syn_win = -1 (default) Retains existing TCP behavior with respect to SYN packets. tcp_syn_win = 2048 Provides a level of protection that significantly reduces the size of the TCP syn window while allowing for common TCP client/server sequence number variations. This will allow a SYN packet to be accepted by the HP Tru64 UNIX system when the remote machine as unacknowledged outstanding packets of up to a total of 2048 bytes. tcp_syn_win = 0 This setting should not be used without evidence of an active SYN attack. When a client attempts to establish a new connection to the server, the IP addresses and often the port numbers are the same, and the sequence number can sometimes fall within the existing (stale) sequence number space of the old connection. A TCP RESET packet is sent to purge the stale connection from the server and allow the client to establish a new connection. The "tcp_syn_win = 0" setting may cause a valid SYN to fail at resetting an established connection, as evidenced by a rebooted client failing to connect during initial attempts to re-establish previous socket connections. Customers who are extremely sensitive to this security issue should implement IPSec, available in HP Tru64 UNIX 5.1A and 5.1B. Tru64 UNIX customers running V4.0F and V4.0G can receive maximum available protection with tcp_rst_win to 0 and tcp_syn_win to 0. To implement the new kernel tunable variables, customers should first install the ERP appropriate for for their verson and patch kit. Following the ERP installation, customers can adjust the tunable variables as described below. The TCP RST window variable (tcp_rst_win) can be adjusted using the "sysconfig" and "sysconfigdb" commands: # sysconfig -q inet tcp_rst_win inet: tcp_rst_win = -1 # sysconfig -r inet tcp_rst_win=2048 tcp_rst_win: reconfigured # sysconfig -q inet tcp_rst_win inet: tcp_rst_win = 2048 # sysconfig -q inet tcp_rst_win > /tmp/tcp_rst_win_merge # sysconfigdb -m -f /tmp/tcp_rst_win_merge inet # sysconfigdb -l inet inet: tcp_rst_win = 2048 Similarly, the TCP SYN window variable (tcp_syn_win) can be adjusted using the "sysconfig" and "sysconfigdb" commands: # sysconfig -q inet tcp_syn_win inet: tcp_syn_win = -1 # sysconfig -r inet tcp_syn_win=2048 tcp_syn_win: reconfigured # sysconfig -q inet tcp_syn_win inet: tcp_syn_win = 2048 # sysconfig -q inet tcp_syn_win > /tmp/tcp_syn_win_merge # sysconfigdb -m -f /tmp/tcp_syn_win_merge inet # sysconfigdb -l inet inet: tcp_syn_win = 2048 3 Summary of CSPatches contained in this kit Tru64 UNIX V5.1B PatchId Summary Of Fix ---------------------------------------- C984.05 ERP for Security Problem SSRT4696, TCP 4 Additional information from Engineering None 5 Affected system files This patch delivers the following files: Tru64 UNIX V5.1B Patch C984.05 ./sys/BINARY/inet.mod CHECKSUM: 04798 558 SUBSET: OSFBIN540 [R] UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited. Copyright Hewlett-Packard Company 2005. All Rights reserved. This software is proprietary to and embodies the confidential technology of Hewlett-Packard Company. Possession, use, or copying of this software and media is authorized only pursuant to a valid written license from Hewlett-Packard or an authorized sublicensor. This ECO has not been through an exhaustive field test process. Due to the experimental stage of this ECO/workaround, Hewlett-Packard makes no representations regarding its use or performance. The customer shall have the sole responsibility for adequate protection and back-up data used in conjunction with this ECO/workaround.