COMMAND

    kernel (ping)

SYSTEMS AFFECTED

    Berkeley Software Design, Inc. (BSDI),
    Computer Associates, Intl. (products for NCR),
    Cray Research,
    Digital Equipment Corporation,
    Free BSD, Inc.,
    Hewlett-Packard Company,
    IBM Corporation,
    Linux Systems,
    NEC Corporation,
    Open Software Foundation (OSF),
    The Santa Cruz Operation, Inc. (SCO),
    Sun Microsystems, Inc.

PROBLEM

    The TCP/IP specification (the basis for many protocols used on the
    Internet) allows for a maximum  packet size of up to  65536 octets
    (1 octet = 8 bits of  data), containing a minimum of 20  octets of
    IP  header  information   and  0  or   more  octets  of   optional
    information, with the rest of  the packet being data. It  is known
    that  some  systems  will  react  in an unpredictable fashion when
    receiving  oversized  IP  packets.  Reports  indicate  a  range of
    reactions including crashing, freezing, and rebooting.

    In  particular,  the  reports  received  by  the CERT Coordination
    Center  indicate  that  Internet  Control  Message Protocol (ICMP)
    packets issued via  the "ping" command  have been used  to trigger
    this behavior. ICMP is a  subset of the TCP/IP suite  of protocols
    that transmits  error and  control messages  between systems.  Two
    specific instances of the ICMP are the ICMP ECHO_REQUEST and  ICMP
    ECHO_RESPONSE  datagrams.  These  two  instances  can be used by a
    local host to determine whether  a remote system is reachable  via
    the network; this is commonly achieved using the "ping" command.

    Discussion in  public forums  has centered  around the  use of the
    "ping" command  to construct  oversized ICMP  datagrams (which are
    encapsulated within  an IP  packet). Many  ping implementations by
    default send  ICMP datagrams  consisting only  of the  8 octets of
    ICMP header  information but  allow the  user to  specify a larger
    packet  size  if  desired.    Systems  receiving  oversized   ICMP
    datagrams may  crash, freeze,  or reboot,  resulting in  denial of
    service.  More about this problem can be found at Security Bugware
    (under Most UNIXes, kernel #?)  or You can read information  about
    this vulnerability on Mike Bremford's Web page.

        http://www.sophist.demon.co.uk/ping/index.html

SOLUTION

    Install a patch from  your vendor (at this  moment only Sun is  in
    trouble with patches).