COMMAND

    Annex (xylogic/Bay)

SYSTEMS AFFECTED

    Systems using above

PROBLEM

    Albert Nubdy from the Redes2 Security Team posted the following. They
    have found several DoS attacks against Annex terminal servers from
    Xylogics (Bay).

    The first attack is about the ping program on the webserver. They
    designed the /ping program to take only 64 chars in the hostname
    part. They prevented people from entering more than 64 by limiting it
    in the page on the webserver (/ping.html). But if you do a:

        http://annex.server.here/ping?query=a lot of aaaaaa's here (more than 64)

    then the Annex server goes BOOM!

    The second attack is with the LAND attack. Maybe when they tried
    the LAND attack on the Annex servers they thought it didn't work.
    But it does... The problem is that when you do 1 LAND attack the
    CPU only rises to 50 percent. Now if you do 2 LAND attacks
    consecutively then the Annex server freezes because the CPU rises
    to 100%. You don't need to make any programs for this because you
    only have to do a shell script that executes your LAND program at
    least two or three times.
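    The two problems above share a root cause on the defensive side: the
    /ping form trusted a limit that only existed in the HTML page, and the
    LAND packets were accepted although a packet whose source equals its
    destination can never legitimately arrive from the wire. The following
    is an added example, not code from the advisory, Xylogics or Bay,
    showing what the corresponding server-side check and a border-filter
    or monitor check look like. The 64-character limit and the "two LAND
    packets in a row" threshold come from the text above; the function
    names, the `query` parameter handling and the sample packets are
    constructed for the example.

```python
"""Server-side checks for the two Annex problems described above.

Added example, not code from the advisory, Xylogics or Bay.  The 64-char
hostname limit and the "two LAND packets in a row" threshold are taken from
the advisory text; everything else (function names, sample data) is
constructed for illustration.
"""
import ipaddress
import re
import struct
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# --- 1. /ping: enforce the hostname limit on the server, not in ping.html ---

MAX_HOSTNAME_LEN = 64  # limit stated in the advisory
# One hostname label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters (RFC 1123).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_ping_target(value: str) -> Optional[str]:
    """Return `value` if it is a plausible ping target, otherwise None.

    Anything longer than 64 characters, or anything that is not a hostname
    or dotted-quad IPv4 address, is rejected before it can reach ping.
    """
    if not value or len(value) > MAX_HOSTNAME_LEN:
        return None
    try:
        ipaddress.IPv4Address(value)  # literal address: accept as-is
        return value
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return value
    return None


def ping_target_from_url(url: str) -> Optional[str]:
    """Pull the `query` parameter out of a /ping request URL and validate it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("query", [])
    if len(values) != 1:  # missing or repeated parameter: refuse
        return None
    return validate_ping_target(values[0])


# --- 2. LAND: recognise packets whose source equals their destination ---

def parse_ipv4_tcp(raw: bytes) -> Optional[dict]:
    """Decode the IPv4 and TCP headers of a raw packet (no link-layer header)."""
    if len(raw) < 20:
        return None
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(raw) < ihl + 14:
        return None  # not IPv4, not TCP, or truncated
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return {
        "src": str(ipaddress.IPv4Address(src)), "sport": sport,
        "dst": str(ipaddress.IPv4Address(dst)), "dport": dport,
        "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
    }


def is_land_packet(pkt: dict) -> bool:
    """A LAND packet is a SYN whose source address:port equals its destination."""
    return bool(pkt["syn"] and not pkt["ack"]
                and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def land_alerts(raw_packets) -> list:
    """Count LAND packets per target; a count of 2 or more is the freeze
    condition the advisory describes.  Returns [((dst, dport), count), ...]."""
    counts = {}
    for raw in raw_packets:
        pkt = parse_ipv4_tcp(raw)
        if pkt and is_land_packet(pkt):
            key = (pkt["dst"], pkt["dport"])
            counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items())


def constructed_syn(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Constructed sample input: minimal IPv4/TCP SYN headers with checksums
    left zero.  Exists only so the parser above has bytes to run on."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)
    return ip + tcp


# Constructed sample: two LAND packets at one target, then an ordinary SYN.
SAMPLE = [
    constructed_syn("192.0.2.10", 23, "192.0.2.10", 23),
    constructed_syn("192.0.2.10", 23, "192.0.2.10", 23),
    constructed_syn("198.51.100.7", 40000, "192.0.2.10", 23),
]

if __name__ == "__main__":
    print(ping_target_from_url("http://annex.server.here/ping?query=" + "a" * 65))
    print(land_alerts(SAMPLE))
```

    The hostname check runs before any request parameter is handed to the
    ping program, so the limit no longer depends on the browser honouring
    /ping.html. The LAND check is the same test a border router applies
    when it drops packets claiming an internal source address; counting
    per target lets a monitor distinguish a single packet from the
    back-to-back pair the post describes.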

    Matt Carter added the following. A simple 'strobe' will bring a Bay
    terminal server crashing to its knees. Hell, let's go for something
    even simpler. 1 x 32k ping packet every second at an Annex will
    crush it. So, maybe you have something a bit beefier (I'm looking
    at Micro Annex ELS); fire 2 x 32k packets.

SOLUTION

    Bay announced that an "X Release" patch is available to address
    both the PING attack (CR.81216) and the LAND DoS attack (CR.80603)
    for all currently shipping Remote Annex and Versalar Remote Access
    Concentrator platforms. The latest X releases may be downloaded
    free of charge from:

    RA2000, RA4000, RA6100, RA6300, 5391, 5393:
        ftp://ftp-support.baynetworks.com/outgoing/RA/X5.4.22.tar.Z (UNIX)
        ftp://ftp-support.baynetworks.com/outgoing/RA/pX5_4_22.exe  (NT)

    5399 RAC, 8000 RAC:
        ftp://ftp-support.baynetworks.com/outgoing/RA/X6.0.1.tar.Z (UNIX)
        ftp://ftp-support.baynetworks.com/outgoing/RA/pX6_0_1.exe  (NT)

    In addition, the next release of the Versalar Remote Access
    Concentrator software, versioned R6.1, will also contain the two
    aforementioned fixes.