※ 本文转录自 [Lan] 信箱 作者: [email protected] (TWCERT/CC Fellows) 标题: 【TWCERT/CC安全通报】TW-CA-2005-024-[Sun(sm) A 时间: Tue Mar 1 14:11:36 2005 -----BEGIN PGP SIGNED MESSAGE----- TW-CA-2005-024-[Sun(sm) Alert Notification #57673: Security Vulnerability With ARP Handling Could Cause System to Hang] ──────────────────────────────────────── TWCERT/CC发布日期：2005-03-01 原漏洞发布日期：2005-02-11 原漏洞最新更新日期：2005-02-14 通用安全漏洞编号： 分类：Dos 来源参考：Sun(sm) Alert Notification #57673 ──── 简述 ───────────────────────────────── ──── 说明 ───────────────────────────────── 系统接受到大量的特殊 ARP (7p) 网路封包 (称为 "ARP 风暴" 或 "ARP 飓风") 可能导致 系统悬滞。这些 ARP 封包可能由远端具特殊权限之使用者，透过进行阻断服务攻击或透过 错误的封包路由来产生这些封包。 ──── 影响平台 ─────────────────────────────── 此议题可能影响下列发行版本： SPARC 平台 ‧未安装 106541-39 修正档的 Solaris 7 ‧未安装 116965-05 修正档的 Solaris 8 ‧未安装 114344-09 修正档的 Solaris 9 x86 平台 ‧未安装 106542-39 修正档的 Solaris 7 ‧未安装 116966-05 修正档的 Solaris 8 ‧未安装 114345-08 修正档的 Solaris 9 ──── 修正方式 ─────────────────────────────── 暂时解决方法： 暂时解决方法为暂时将受影响的部分自系统中区隔开，直到找出发起 ARP 封包的源头或 ARP 封包停止为止。一旦系统不再受到封包攻击，便不会造成系统悬滞。 解决方法： 此议题已於下列版本中解决： SPARC 平台 ‧安装 106541-39 或更新版本修正档的 Solaris 7 ‧安装 116965-05 或更新版本修正档的 Solaris 8 ‧安装 114344-09 或更新版本修正档的 Solaris 9 x86 平台 ‧安装 106542-39 或更新版本修正档的 Solaris 7 ‧安装 116966-05 或更新版本修正档的 Solaris 8 ‧安装 114345-08 或更新版本修正档的 Solaris 9 ──── 影响结果 ─────────────────────────────── 系统将无法再提供网路服务，而且网路上会出现不寻常的大量 ARP 封包。 可以用 "root" 身份(从同一个网路区块的不同系统上)执行下列指令来验证您的 Solaris 系统是否遭受到 ARP 封包的攻击： # snoop -o <output-file> arp # snoop -i 大量如下的 ARP 广播，可能表示大量的 ARP 封包： 7 0.12578 123.456.0.22 -> (broadcast) ARP C Who is 123.456.0.254, 123.456.0.254 ? 15 0.10603 123.456.0.2 -> (broadcast) ARP C Who is 123.456.0.22, 123.456.0.22 ? ──── 联络TWCERT/CC ───────────────────────────── Tel: 886-7-5250211 FAX: 886-7-5250212 886-2-23563303 886-2-23924082 Email: [email protected] URL: http://www.cert.org.tw/ PGP key: http://www.cert.org.tw/eng/pgp.htm ──────────────────────────────────────── 附件：[Security Vulnerability With ARP Handling Could Cause System to Hang] ──── 原文 ───────────────────────────────── Sun(sm) Alert Notification * Sun Alert ID: 57673 * Synopsis: Security Vulnerability With ARP Handling Could Cause System to Hang * Category: Security, Availability * Product: Solaris * BugIDs: 4653899 * Avoidance: Patch, Workaround * State: Resolved * Date Released: 11-Feb-2005 * Date Closed: 11-Feb-2005 * Date Modified: 1. Impact A system receiving a very large number of specific arp(7P) network packets (an "arp storm" or "arp hurricane") could cause the system to hang. These ARP packets could result from a remote privileged user implementing a Denial of Service (DoS) or from a misconfigured (or broken) router inadvertently sending the packets. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform * Solaris 7 without patch 106541-39 * Solaris 8 without patch 116965-05 * Solaris 9 without patch 114344-09 x86 Platform * Solaris 7 without patch 106542-39 * Solaris 8 without patch 116966-05 * Solaris 9 without patch 114345-08 3. Symptoms The system will be unable to provide networked services, and an unusually heavy amount of ARP traffic will be observed on the network. One way to verify a suspected flood of ARP packets to a specific Solaris system on the network is to run the following command as the "root" user (from another system on the same network segment): # snoop -o <output-file> arp # snoop -i A large number of ARP broadcasts such as: 7 0.12578 123.456.0.22 -> (broadcast) ARP C Who is 123.456.0.254, 123.456.0.254 ? 15 0.10603 123.456.0.2 -> (broadcast) ARP C Who is 123.456.0.22, 123.456.0.22 ? may indicate an ARP flood. Solution Summary 4. Relief/Workaround A temporary workaround would be to physically disconnect the affected segment from the system until the source can be determined, and the source of the flood of ARP packets stopped. Once the system stops processing the packet flood, the hang will no longer be in effect. 5. Resolution This issue is addressed in the following releases: SPARC Platform * Solaris 7 with patch 106541-39 or later * Solaris 8 with patch 116965-05 or later * Solaris 9 with patch 114344-09 or later x86 Platform * Solaris 7 with patch 106542-39 or later * Solaris 8 with patch 116966-05 or later * Solaris 9 with patch 114345-08 or later This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. ──────────────────────────────────────── -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQEVAwUBQiQFkKcyQYefg2/NAQHs0gf/Qyy5lO5yEKmIdlHIr5occSYOAzIlIUGb kV48thwu9gDG6R5vl6r3ICpWcPFWuGGcxlioG/MVDNr0oPPdn7xceD1HNJqKQvhc y51RmDJ5EygKU5k/MTqfWZ5NLYEPkFGm+hHIkXd1bTs9B+Xgn7HNkAAyZAOlvao2 o9ApzbOM7n2UaQ0wcvhvQSXmcydqG395I8GN307Bj2fscm+cR2ip5UTL2RpMlVdN 3zWMbnMwBRD1ysvVnphrxc3Z7pxlx3hp1tJ+nIN8aHSxkUCI3azBTD4IPSZZG09V DlE2x92oyB7XKH0dKnws06pWZqdWdnc2meTBuCPfoAva3m4gWZn20Q== =JgxZ -----END PGP SIGNATURE----- -- Taiwan Computer Emergency Response Team Security Advisory mailing list. Mail to : [email protected] and include a line "subscribe advisory". Please visit http://www.cert.org.tw/. PGP key : http://www.cert.org.tw/eng/pgp.htm