US-CERT Vulnerability Notes Database

Hewlett-Packard Company Information for VU#498440

Date Notified: 03/08/2001
Date Modified: 08/02/2007 10:33:35 AM
Status Summary: Vulnerable

Vendor Statement

Current statement PGP Signed: 8/29/2002 8:51:54 PM

====================================================

The following tcp randomizations are now available:

    HP-UX releases 11.00, 11.04, and 11.11 (11i):
        - HP randomization
        - RFC 1948 ISN randomization

    For HP randomization on releases:
        HP-UX 11.00:       PHNE_22397 or subsequent,
        HP-UX 11.11:       default mode.

    For RFC 1948 ISN randomization:
        HP-UX 11.00:       PHNE_26771 or subsequent,
        HP-UX 11.04:       PHNE_26101 or subsequent,
        HP-UX 11.11:       PHNE_25644 or subsequent.



To enable tcp randomization on HP-UX 11.00, 11.04, and 11.11 (11i):

------------------------------------------------------------------------

  HP randomization

    HP-UX release 11.00:
    Install PHNE_22397 or subsequent.  The HP randomization will
    then be the default tcp randomization.

        NOTE: This patch has dependencies.

    HP-UX release 11.11 (11i):
    No patch is required.  The HP randomization has always been
    implemented in HP-UX 11.11 (11i) and is the default tcp
    randomization.

  RFC 1948 ISN randomization

    HP-UX 11.00:       Apply PHNE_26771 or subsequent.
    HP-UX 11.04:       Apply PHNE_26101 or subsequent.
    HP-UX 11.11 (11i): Apply PHNE_25644 or subsequent.

    Once the appropriate patch has been applied the RFC 1948 ISN
    randomization can be enabled on HP-UX 11.00, 11.04 and 11.11
    by executing the following command as root:

        ndd -set /dev/tcp tcp_isn_passphrase <secret passphrase>

    where <secret passphrase> is a character string of any length.
    Only the first 32 characters will be retained.  If the passphrase
    is changed the system should be rebooted.

    NOTE: RFC 1948 ISN randomization is not available on
    HP-UX release 10.20.  Customers who want RFC 1948
    ISN randomization should upgrade to HP-UX 11.X and
    apply necessary patches as discussed herein.



For the legacy 10.20 release:
---------------------------------

  HP created a tunable kernel parameter that can enable two levels of
  randomization.  This randomization feature requires a TRANSPORT patch
  level of:

    For S700 platform:  PHNE_17096 or greater
    For S800 platform:  PHNE_17097 or greater

  The tunable kernel parameter is set as follows using the "nettune"
  program:

    tcp_random_seq set to 0  (Standard TCP sequencing)
    tcp_random_seq set to 1  (Random TCP sequencing)
    tcp_random_seq set to 2  (Increased Random TCP sequencing)

  and requires a reboot.
--
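The RFC 1948 scheme that the tcp_isn_passphrase command above switches on, shown as an added illustration rather than HP-UX code: ISN = M + F(local host, local port, remote host, remote port, secret), so each connection's sequence numbers still advance with the RFC 793 clock, but the starting offset differs per 4-tuple and cannot be computed by anyone who does not hold the secret. The hash (MD5, as RFC 1948 suggested), the address encoding and the 32-character truncation are assumptions made for this example.

```python
"""RFC 1948 style initial sequence number generation (illustration only)."""
import hashlib
import struct
import time

MASK32 = 0xFFFFFFFF


def _f(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
       secret: bytes) -> int:
    """RFC 1948 F(): a one-way hash of the connection 4-tuple and a secret,
    truncated to 32 bits.  MD5 is what RFC 1948 suggested; using it here is
    an assumption of this example, not a statement about HP-UX internals."""
    h = hashlib.md5()
    h.update(local_ip.encode("ascii") + struct.pack("!H", local_port))
    h.update(remote_ip.encode("ascii") + struct.pack("!H", remote_port))
    h.update(secret)
    return struct.unpack("!I", h.digest()[:4])[0]


def secret_from_passphrase(passphrase: str) -> bytes:
    """Keep only the first 32 characters, mirroring the ndd note above
    (assumed to be a character, not byte, limit for this example)."""
    return passphrase[:32].encode("utf-8")


def rfc1948_isn(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
                secret: bytes, clock_us: int) -> int:
    """ISN = M + F(4-tuple, secret) mod 2^32.  M is the RFC 793 clock, which
    ticks once every 4 microseconds; clock_us is the time in microseconds."""
    m = (clock_us // 4) & MASK32
    return (m + _f(local_ip, local_port, remote_ip, remote_port, secret)) & MASK32


def isn_now(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
            secret: bytes) -> int:
    """Convenience wrapper that reads the real wall clock."""
    return rfc1948_isn(local_ip, local_port, remote_ip, remote_port, secret,
                       int(time.time() * 1_000_000))
```

Because F() is fixed for a given 4-tuple, an ISN observed on one connection reveals nothing about the offset of any other 4-tuple, which is the property the "standard TCP sequencing" setting of tcp_random_seq lacks.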

US-CERT Addendum

Previous statement issued 05/01/2001:


HP has been tracking tcp randomization issues over the years, and has to date implemented the following:

  For 11.00 and 11.11 (11i):
  _______________________________

  For 11.00, if you want HP's solution for randomized ISN numbers then apply TRANSPORT patch PHNE_22397. Once you apply PHNE_22397, there's nothing more to do: the default is randomized ISNs.

  (Note: PHNE_22397 has patch dependencies unrelated to the randomized ISN number modification listed in the dependency section, but they should still be applied. One is a PHKL kernel patch dependency and the other a STREAMS/UX minimum level patch dependency.)

  The LR release of 11.11 (11i) has the same random ISN implementation as the patched 11.00.

  For the legacy 10.20 release
  __________________________________

  HP created a tunable kernel parameter that can enable two levels of randomization. This randomization feature requires a TRANSPORT patch level of:

    For S700 platform:  PHNE_17096 or greater
    For S800 platform:  PHNE_17097 or greater

  The tunable kernel parameter is set as follows using the "nettune" program:

    tcp_random_seq set to 0  (Standard TCP sequencing)
    tcp_random_seq set to 1  (Random TCP sequencing)
    tcp_random_seq set to 2  (Increased Random TCP sequencing)

  and requires a reboot.

Produced 2008 by US-CERT, a government organization