From: Brewis, Mark (mark.brewis@eds.com)
Date: Fri Jun 13 2003 - 10:24:03 EDT
-----Original Message-----
From: Brewis, Mark
Sent: Thursday, June 12, 2003 5:00 PM
To: 'steve.x.jones@royalmail.com'
Subject: RE: Port scan causing system crashes
Importance: High
Steve,
We can help with the HACMP Cluster issue. There are actually two problems
with HACMP, not just the BUGTRAQ Vulnerability 3358. I never got round to
writing up a vuln report for it, but it was reported to IBM and given the
following code - IY23867. A pair of APAR's were produced to implement
patches. The original fix, if I remember correctly, patched AIX. There was
an additional issue, which caused a DoS, in the HA clustering component.
Both elements need to be patched to prevent a simple connect scan killing
the cluster.
The issue was identified by IBM as a failure of the HACMP application,
causing it to fail. This differs from the previous vulnerability, which
caused the snmp daemon to crash the operating system.
I remember that IBM were very good at getting a beta-patch out to us
quickly, and were active in getting the APAR's out.
"I checked on the status of IY23867. According to the result of my search,
this APAR has already been shipped, although the ship date was not given
(related info suggests the APAR did not ship until sometime after
mid-February of this year [2002]). No fanfare accompanied its release, which
is
normal. There is an e-mail list that announces recent APARs, but one has to
peruse the announcement thoroughly to see what APAR fixes what problem.
You are welcome to make your announcement; we just ask that you mention
that an APAR has been shipped that fixes the problem."
If you go to:
http://www.ibm.com/Search?v=11&lang=en&cc=us&q=IY23867&Search.x=44&Search.y=
10
http://www-1.ibm.com/support/docview.wss?uid=isg1IY23867
there are links to the various APAR's etc.
The issue was identified by Mark Brewis and Will Wilkinson.
Mark,
Mark Brewis
Security Consultant
EDS
Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.
Tel: +44 (0)1908 28 4234/4013
Fax: +44 (0)1908 28 4393
E@: mark.brewis@eds.com
This email is confidential and intended solely for the use of the
individual(s) to whom it is addressed. Any views or opinions presented are
solely those of the author. If you are not the intended recipient, be
advised that you have received this email in error and that any use,
dissemination, forwarding, printing, or copying of this mail is strictly
prohibited.
Precautions have been taken to minimise the risk of transmitting software
viruses, but you must carry out your own virus checks on any attachment to
this message. No liability can be accepted for any loss or damage caused by
software viruses.
-----Original Message-----
From: steve.x.jones@royalmail.com [mailto:steve.x.jones@royalmail.com]
Sent: Thursday, June 12, 2003 12:23 PM
To: pen-test@securityfocus.com
Subject: Port scan causing system crashes
Hello
Please can you help? Has any-one else out there had issues with NMAP port
scans
(or any other port scanner) causing systems to crash?
I use Nessus to baseline the security of our systems and have twice had
problems
caused by the NMAP port scan on clustered unix boxes running our enterprise
applications. NOTE - it was the initial port scan that caused the problems,
not
the subsequent vulnerability assessment.
I've done a quick Google search and found confirmation for one of the
systems -
BUGTRAQ Vulnerability 3358, "IBM HACMP Port Scan Denial of Service
Vulnerability",
the other was a bespoke app running on some HP UX boxes.
Does any-one know of other systems that fall over with a simple port scan?
Up til now I've been running port scans happily across our subnets to look
for
rogue FTP, SMTP, HTTP etc, obviously I'll have to take more care now...
Thanks in advance for any help.
Steve
This email and any attachments are confidential and intended for the
addressee
only. If you are not the named recipient, you must not use, disclose,
reproduce,
copy or distribute the contents of this communication. If you have
received this
in error, please contact the sender and then delete this email from your
system.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:34 EDT