Security hole in netcfg

______________________________________________________________________________

                        SuSE Security Announcement

	Package:  netcfg-x.x.x-x
	Date:     Tue Aug 25 07:10:09 MEST 1999
	Affected: all Unix systems using auth daemon w/o resource control
______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are using
this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as
well, please contact your vendor for information about this issue.

Please note, that that we provide this information on as "as-is" basis only.
There is no warranty whatsoever and no liability for any direct, indirect or
incidental damage arising from this information or the installation of
the update package.
______________________________________________________________________________

1. Problem Description

  The way in.identd is started by inetd from a standard /etc/inetd.conf on
  a SuSE Linux distribution may be exploited to mount a Denial-of-Service
  attack against the system.

  When inetd starts in.identd with the "wait" flag and the "-w -t120"
  options, the in.identd will start to listen on the well known port
  while inetd deactivates its own listener for the time in.identd
  is alive.

2. Impact

  If many requests (say more than a hundred or so) are sent to the
  server at nearly the same time, in.identd will fork one child process
  for every request. This will eventually lead to a shortage of system
  resources and the computer will become unresponsive.

3. Solution

  To prevent the described vulnerability, change the start flag
  for in.identd in /etc/inetd.conf from "wait" to "nowait" and the
  in.identd options from "-w -t120 -e" to "-i -e".

  Many system administrators also decide not to run in.identd at all for
  security reasons, so this may a viable alternative in its own right.

______________________________________________________________________________

Webpage for patches:
        http://www.suse.de/patches/index.html

or try the following web pages for a list of mirrors:

        http://www.suse.de/ftp.html
        
______________________________________________________________________________

______________________________________________________________________________ SuSE Security Announcement Package: netcfg-x.x.x-x Date: Tue Aug 25 07:10:09 MEST 1999 Affected: all Unix systems using auth daemon w/o resource control ______________________________________________________________________________ A security hole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s). Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue. Please note, that that we provide this information on as "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package. ______________________________________________________________________________ 1. Problem Description The way in.identd is started by inetd from a standard /etc/inetd.conf on a SuSE Linux distribution may be exploited to mount a Denial-of-Service attack against the system. When inetd starts in.identd with the "wait" flag and the "-w -t120" options, the in.identd will start to listen on the well known port while inetd deactivates its own listener for the time in.identd is alive. 2. Impact If many requests (say more than a hundred or so) are sent to the server at nearly the same time, in.identd will fork one child process for every request. This will eventually lead to a shortage of system resources and the computer will become unresponsive. 3. Solution To prevent the described vulnerability, change the start flag for in.identd in /etc/inetd.conf from "wait" to "nowait" and the in.identd options from "-w -t120 -e" to "-i -e". Many system administrators also decide not to run in.identd at all for security reasons, so this may a viable alternative in its own right. ______________________________________________________________________________ Webpage for patches: http://www.suse.de/patches/index.html or try the following web pages for a list of mirrors: http://www.suse.de/ftp.html ______________________________________________________________________________

Get the Latest News & Insights

Security hole in netcfg

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By