COMMAND

    kernel

SYSTEMS AFFECTED

    NetBSD 1.4.x on SPARC and Alpha

PROBLEM

    The following is based on an NHC Research Advisory. It is possible
    to cause a kernel panic on systems running NetBSD by remotely
    sending a packet with an unaligned IP Timestamp option.

    Affected configurations: NetBSD 1.4.x on SPARC and Alpha platforms,
    which were tested and found to be vulnerable. Any platform where a
    page fault is caused by an unaligned memory access should also be
    vulnerable. Unaffected configurations: NetBSD 1.4.x on arm32 and
    x86 platforms, which were tested and found not to panic. However,
    this is only because these (and a few other untested) platforms do
    not page fault on unaligned memory accesses.

    This was originally reported to the NetBSD Security Alerts mailing
    list on  March 1,  2000, which  was before  the release  of NetBSD
    1.4.2.

    How to reproduce?

        1. Download, compile, and  install libnet. It can  be obtained
           from http://www.packetfactory.net
        2. Download and compile the ISIC suite of utilities.  They are
           at http://expert.cc.purdue.edu/~frantzen
        3. After compiling the isic utilities, run the following  from
           your shell of choice:

            icmpsic -s source -d dest -r 31337 -k 218504 -p 218505

           where source  is the  source IP  address (spoofed addresses
           work just fine), and dest  is the IP address of  the NetBSD
           machine.

    For whatever reason, Linux mangles this packet before sending it.
    NHC have found that it does work correctly when sent from FreeBSD
    x86, NetBSD x86, and NetBSD arm32. On the vulnerable platforms
    tested (listed above), a kernel panic results from an unaligned
    memory access. Because of the ability to spoof the packet, and
    the relatively small packet size, an attacker could easily crash
    many NetBSD machines on a given subnet with minimal effort.
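
    A defensive check for the condition described above, as an added
    example (not code from the advisory or from NetBSD): it walks the
    IPv4 options, flags a Timestamp option whose next 32-bit slot is not
    4-byte aligned from the start of the header, and reads that slot
    byte-wise instead of through a cast pointer. Treating "unaligned" as
    this slot offset, the function names and the sample headers are
    assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_EOL 0
#define IPOPT_NOP 1
#define IPOPT_TS  68  /* RFC 791 Internet Timestamp option */

/* Byte-wise big-endian read: safe at any address, unlike *(uint32_t *)p. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns -1 for a malformed header, 1 if a Timestamp option's next slot is
 * not 4-byte aligned from the header start (assumed meaning of "unaligned"),
 * 0 otherwise. *slot receives the slot's current value when it fits. */
int ts_slot_check(const uint8_t *h, size_t len, uint32_t *slot)
{
    if (len < 20 || (h[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(h[0] & 0x0f) * 4, off = 20;
    if (hlen < 20 || hlen > len) return -1;
    while (off < hlen && h[off] != IPOPT_EOL) {
        if (h[off] == IPOPT_NOP) { off++; continue; }
        if (off + 2 > hlen) return -1;
        size_t olen = h[off + 1];
        if (olen < 2 || off + olen > hlen) return -1;
        if (h[off] == IPOPT_TS) {
            if (olen < 4 || h[off + 2] < 5) return -1;
            size_t s = off + h[off + 2] - 1;      /* pointer field is 1-based */
            if (slot && s + 4 <= off + olen) *slot = load_be32(h + s);
            return (s % 4) != 0;
        }
        off += olen;
    }
    return 0;
}

/* Constructed sample headers (addresses zeroed, checksum not computed). */
static const uint8_t ts_aligned[28] = { 0x47, [20] = IPOPT_TS, 8, 5, 0, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t ts_shifted[32] = { 0x48, [20] = IPOPT_NOP, IPOPT_TS, 8, 5, 0, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    uint32_t v = 0;
    printf("aligned: %d\n", ts_slot_check(ts_aligned, sizeof ts_aligned, &v));
    printf("shifted: %d\n", ts_slot_check(ts_shifted, sizeof ts_shifted, &v));
    return 0;
}
```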

SOLUTION

    NetBSD 1.4.2 is OK.