Bugtraq mailing list archives

Many machines still vulnerable to ip fragment attacks


From: andrew () DAVIEL ORG (Andrew Daviel)
Date: Fri, 10 Mar 2000 11:57:19 -0800


A recent security scan at a research lab revealed a disturbing fact - a
large number (about 25%) of networked devices are still vulnerable to the
3-year-old land/teardrop exploits.

These included things like HP printers, PLCs (programmable logic
controllers), various flavours of Microsoft operating systems (a 50%
survival rate), older systems such as Digital Ultrix, RTOSs (real-time
operating systems) etc. etc.

Some of these devices were being used in sensitive control applications
(though not safety-related systems).

I suspect that this situation is not that unusual - sites may keep their
webservers and other machines in the DMZ updated and fairly secure, but
not have the resources to constantly update everything else as well.

Some networked devices are essentially "black boxes" - the TCP stack
is held in read-only memory with no update capability. Such devices may
have a much longer service life at one software revision compared
to traditional computers. Such devices may find their way into
sensitive areas such as process control, patient monitoring, alarm systems
etc.

Suggestions:

Sensitive networks should be placed behind a local dedicated firewall,
not just a corporate or site firewall.

Purchasing approval of networked devices should be subject to
passing a security/vulnerability check.

Existing networked devices in service should be (carefully!) tested for
DoS resistance. TCP stack hangs or crashes should not place control
software in an unsafe state.

Andrew Daviel
Vancouver, Canada
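As an added example (not part of Andrew Daviel's post), a small Python checker showing what the two malformed patterns he names look like at the packet level, so a local firewall's filtering or a sniffer log can be checked for them: a "land" packet is a TCP SYN whose source and destination address and port are identical, and a "teardrop" datagram has IP fragments whose offsets overlap. The packet records, addresses and IP identification values below are constructed, and fragment offsets are assumed already converted from the header's 8-byte units to bytes.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frag:
    """One IP fragment; offset and length are in bytes (8-byte header units multiplied out)."""
    src: str
    dst: str
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int
    length: int     # payload bytes carried by this fragment
    more: bool      # MF (more fragments) flag

def is_land(pkt):
    """Land: a TCP SYN whose source and destination address and port are identical."""
    return (pkt["proto"] == "tcp" and "S" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])

def overlapping_datagrams(frags):
    """Teardrop: a later fragment starts inside bytes an earlier fragment already covered.
    Returns the (src, dst, id) keys of datagrams showing such an overlap."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ident)].append(f)
    bad = []
    for key, parts in groups.items():
        covered_to = 0
        for f in sorted(parts, key=lambda p: p.offset):
            if f.offset < covered_to:
                bad.append(key)
                break
            covered_to = f.offset + f.length
    return bad

# Constructed sample traffic (not captured data): a normal SYN, a land packet,
# a well-formed fragmented datagram and one with a teardrop-style overlap.
PACKETS = [
    {"proto": "tcp", "flags": "S", "src": "10.0.0.2", "dst": "10.0.0.10", "sport": 40000, "dport": 80},
    {"proto": "tcp", "flags": "S", "src": "10.0.0.10", "dst": "10.0.0.10", "sport": 139, "dport": 139},
]
FRAGS = [
    Frag("10.0.0.2", "10.0.0.10", 0x0100, 0, 1480, True),
    Frag("10.0.0.2", "10.0.0.10", 0x0100, 1480, 500, False),
    Frag("10.0.0.3", "10.0.0.10", 0x0242, 0, 36, True),    # first fragment covers bytes 0..35
    Frag("10.0.0.3", "10.0.0.10", 0x0242, 24, 4, False),   # second starts at byte 24, inside the first
]

def scan(packets=PACKETS, frags=FRAGS):
    # Any finding is traffic a local firewall should drop before it reaches an unpatched stack.
    return {"land": [p for p in packets if is_land(p)],
            "teardrop": overlapping_datagrams(frags)}
```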
