SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   Arp Vendors:   Apple, FreeBSD
BSD arplookup() May Let Local Subnet Users Crash the System
SecurityTracker Alert ID:  1007777
SecurityTracker URL:  http://securitytracker.com/id/1007777
CVE Reference:   CVE-2003-0804   (Links to External Site)
Updated:  Sep 24 2003
Original Entry Date:  Sep 23 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Mac OS X prior to 10.2.8; FreeBSD 5.1 and prior
Description:   A vulnerability was reported in the Mac OS X and other BSD-based operating systems. A remote user on a local subnet can consume all available operating system memory on the target system.

It is reported that a remote user on the local subnet can send a number of spoofed address resolution protocol (ARP) requests to the target system to cause kernel memory to become exhausted. As a result, denial of service conditions may occur. This is reportedly due to a flaw in the arplookup() function.

According to FreeBSD, various BSD-derived systems may be affected, as the vulnerable code dates well back to the CSRG branches.

Impact:   A remote user can cause the target system to crash.
Solution:   Individual BSD vendors are issuing fixes. The Apple Mac OS X fix is described below. For other BSD-based systems, see the Message History.

Apple has issued a fix as part of Mac OS X 10.2.8. The update is available via:

* Software Update pane in System Preferences

* Apple's Software Downloads web site

The following updates are available via the Apple Software Download site:

Mac OS X Client (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120244
The download file is: "MacOSXUpdateCombo10.2.8.dmg"
The SHA-1 digest is: 47c4e354516d7d577c57389207e4207f2b9b2ea2

Mac OS X Client (updating from 10.2.6 - 10.2.7):
http://www.info.apple.com/kbnum/n120245
The download file is: "MacOSXUpdate10.2.8.dmg"
The SHA-1 digest is: 2fd24114274f9a1c59b2eb492301a90234215c73

Mac OS X Server (updating from 10.2 - 10.2.5):
http://www.info.apple.com/kbnum/n120246
The download file is: "MacOSXSrvrUpdCombo10.2.8.dmg"
The SHA-1 digest is: d87b3e7bd5668046f22b551ccf9bb75a4139e653

Mac OS X Server (updating from 10.2.6 - 10.2.7):
http://www.info.apple.com/kbnum/n120247
The download file is: "MacOSXServerUpdate10.2.8.dmg"
The SHA-1 digest is: 74ce19ab7488a41328bee2ba7156489f997abe7c

Cause:   Resource error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 24 2003 (FreeBSD Issues Fix) arplookup() May Let Local Subnet Users Crash the System
FreeBSD has released a fix.
Oct 5 2003 (OpenBSD Issues Fix) Re: BSD arplookup() May Let Local Subnet Users Crash the System
OpenBSD has issued a patch.



 Source Message Contents

Subject:  APPLE-SA-2003-09-22 Mac OS X 10.2.8


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-09-22 Mac OS X 10.2.8

Mac OS X 10.2.8 is now available.  It contains fixes for recent
vulnerabilities in:

OpenSSH:  Mac OS X 10.2.8 contains the patches to address CVE
    CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
    versions prior to 10.2.8, the vulnerability is limited to a denial
    of service from the possibility of causing sshd to crash. Each
    login session has its own sshd, so established connections are
    preserved up to the point where system resources are exhausted by
    an attack.

    To deliver the update in a rapid and reliable manner, only the
    patches for CVE IDs listed above were applied, and not the entire
    set of patches for OpenSSH 3.7.1.  Thus, the OpenSSH version in
    Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
       OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
       0x0090609f

Sendmail:  Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a
    buffer overflow in address parsing, as well as a potential buffer
    overflow in ruleset parsing.

fb_realpath():  Fixes CAN-2003-0466 which is an off-by-one error in
    the fb_realpath() function that may allow attackers to execute
    arbitrary code.

arplookup():  Fixes CAN-2003-0804.  The arplookup() function caches
    ARP requests for routes on a local link.  On a local subnet only,
    it is possible for an attacker to send a sufficient number of
    spoofed ARP requests which will exhaust kernel memory, leading to
    a denial of service.

Mac OS X 10.2.8 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    Mac OS X Client (updating from 10.2 - 10.2.5):
    http://www.info.apple.com/kbnum/n120244
    The download file is named: "MacOSXUpdateCombo10.2.8.dmg"
    Its SHA-1 digest is: 47c4e354516d7d577c57389207e4207f2b9b2ea2

    Mac OS X Client (updating from 10.2.6 - 10.2.7):
    http://www.info.apple.com/kbnum/n120245
    The download file is named: "MacOSXUpdate10.2.8.dmg"
    Its SHA-1 digest is: 2fd24114274f9a1c59b2eb492301a90234215c73

    Mac OS X Server (updating from 10.2 - 10.2.5):
    http://www.info.apple.com/kbnum/n120246
    The download file is named: "MacOSXSrvrUpdCombo10.2.8.dmg"
    Its SHA-1 digest is: d87b3e7bd5668046f22b551ccf9bb75a4139e653

    Mac OS X Server (updating from 10.2.6 - 10.2.7):
    http://www.info.apple.com/kbnum/n120247
    The download file is named: "MacOSXServerUpdate10.2.8.dmg"
    Its SHA-1 digest is: 74ce19ab7488a41328bee2ba7156489f997abe7c

Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBP29+U3eI0z6bzFr0AQJ7cQgAqJlSzUwo62mHLg1QonOHRHLOG93Q+69z
1qV563U8iMI9LxpbwFuo4YiIn1SJgf7C5fvFcONgYG1hOxXYjVAvLTbB+BBU+Ucm
2LHk5ktivzC+xnNrgDg1KUxfPgJKNngrARTvR2EiBoqSWPf8/b/nSpLmKY8al+F9
Ag+f/RDq6vi06kk0ZEJSosbMmsTeGAxm2zvclqn/a4eOrV5b0VhxjfUUXRZ5Gavw
VAfYVM5K2HvAnHCaow90YpI00nrD8zygzwebWVG8j7L9diOnmrfwUYpJx+17oZsV
OR0d5jRNN79H2QiGT+I+nyxOCK8AaUwPWR1IiLHlu+WDo/Z4csHlEg==
=Jxha
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC