===========================================================================
SCO Security Bulletin 98:01
February 24, 1998
IP-based Denial of Service Attacks
---------------------------------------------------------------------------

I.   Description

     Recently, many denial of service attacks have been described which
     attempt to exploit bugs in various vendors' TCP/IP implementations
     to crash or hang systems with Internet connectivity.

     This security bulletin is intended to clarify which of those attacks
     may affect SCO operating systems - patches have been made available
     where necessary.

     1. Fragmenting packets with invalid sizes

        Exploits have been distributed under the names "teardrop", "bonk"
        and "newtear".

        Not vulnerable:

        - SCO Open Desktop/Open Server 3.0
        - SCO CMW+ 3.0
        - SCO OpenServer 5.0
        - SCO UnixWare 2.1

     2. Spoofed self-connect packets

        Exploits have been distributed under the names "land" and
        "latierra".

        Vulnerable:

        - SCO Open Desktop/Open Server 3.0
        - SCO CMW+ 3.0
        - SCO OpenServer 5.0
        - SCO UnixWare 2.1

        System Security Enhancement SSE010 should be applied to these
        systems to protect against this attack.

     3. Unexpected Out of Band Data

        An exploit has been distributed under the name "winnuke".

        Not vulnerable:

        - SCO Open Desktop/Open Server 3.0
        - SCO CMW+ 3.0
        - SCO UnixWare 2.1

        Vulnerable:

        - SCO OpenServer 5.0

        System Security Enhancement SSE010 should be applied to
        OpenServer 5.0 to protect against this attack.

II.  Impact

     Anyone connected to the Internet may be able to hang or crash your
     Internet-connected system. Exploit programs are widely available.

III. Solution

     SCO is providing interim patches to address this issue in the form
     of a System Security Enhancement (SSE) package. The SSE package
     includes patches for all operating systems listed above as
     vulnerable.

     For OpenServer 5.0.0 and OpenServer 5.0.2, the forthcoming SLS OSS468
     will include these fixes - if OSS468 is installed, SSE010 is not
     required. SSE010 should not be installed after OSS468 as it will
     nullify other fixes contained in OSS468.

     For OpenServer 5.0.4, the forthcoming SLS OSS469 will include these
     fixes - if OSS469 is installed, SSE010 is not required. SSE010 should
     not be installed after OSS469 as it will nullify other fixes
     contained in OSS469.

     SSE010 is available for Internet download via anonymous ftp, and
     from the SCOFORUM on Compuserve.

     You can download the SSE package as follows:

     Anonymous ftp (World Wide Web URL):

        ftp://ftp.sco.COM/SSE/sse010.ltr    (cover letter, ASCII text)
        ftp://ftp.sco.COM/SSE/sse010.tar.Z  (new binaries, compressed tar file)

     Compuserve:

        GO SCOFORUM, and search Library 11 (SLS/SSE Files) for these
        filenames:

        SSE010.LTR  (cover letter, ASCII text)
        SSE010.TAZ  (new binaries, compressed tar file)

     Checksums (sum -r):

        61746     9 sse010.ltr
        39053   396 sse010.tar.Z

IV.  Updates

     This bulletin is available for anonymous ftp download from
     ftp://ftp.sco.COM/SSE/security_bulletins/SB.98:01a, and will be
     updated as new information becomes available.

V.   Further Information

     If you have further questions, contact your support provider. If you
     need to contact SCO, please send electronic mail to support@sco.COM,
     or contact SCO as follows.

     USA/Canada: 6am-5pm Pacific Time (PST/PDT)
     -----------
     1-800-347-4381  (voice)
     1-408-427-5443  (fax)

     Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Time (PST/PDT)
     ------------------------------------------------
     1-408-425-4726  (voice)
     1-408-427-5443  (fax)

     Europe, Middle East, Africa: 9am-5:30pm UK Time (GMT/BST)
     ----------------------------
     +44 (0)1923 816344  (voice)
     +44 (0)1923 817781  (fax)
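
An added example (not part of the SCO bulletin or the SSE package): a Python reimplementation of the 16-bit rotating checksum that `sum -r` prints, used to check downloaded files against the "Checksums (sum -r)" values in section III. The function names are illustrative, and the block-count column is ignored because `sum` implementations differ on block size.

```python
"""Check downloaded files against a `sum -r` listing (added example)."""
import os


def bsd_sum(data: bytes) -> int:
    """16-bit rotating checksum shown in the first column of `sum -r`."""
    checksum = 0
    for byte in data:
        # Rotate right by one bit within 16 bits, then add the next byte.
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def parse_manifest(text: str) -> dict:
    """Map filename -> expected checksum from 'CHECKSUM BLOCKS NAME' lines."""
    expected = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].isdigit() and fields[1].isdigit():
            expected[fields[2]] = int(fields[0])
    return expected


def verify(directory: str, manifest: str) -> dict:
    """Return filename -> 'ok', 'MISMATCH' or 'MISSING' per manifest entry."""
    results = {}
    for name, want in parse_manifest(manifest).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        with open(path, "rb") as fh:
            got = bsd_sum(fh.read())
        results[name] = "ok" if got == want else "MISMATCH"
    return results


# Values copied from the bulletin's "Checksums (sum -r)" listing.
BULLETIN_MANIFEST = """\
61746 9 sse010.ltr
39053 396 sse010.tar.Z
"""

if __name__ == "__main__":
    # Run from the directory that holds the downloaded files.
    for name, status in verify(".", BULLETIN_MANIFEST).items():
        print(f"{status:8} {name}")
```

A 16-bit checksum catches a corrupted or truncated transfer; it gives no assurance against deliberate modification of the file.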