Penetration Testing mailing list archives
FW: Port scan causing system crashes
From: "Brewis, Mark" <mark.brewis () eds com>
Date: Fri, 13 Jun 2003 15:24:03 +0100
-----Original Message----- From: Brewis, Mark Sent: Thursday, June 12, 2003 5:00 PM To: 'steve.x.jones () royalmail com' Subject: RE: Port scan causing system crashes Importance: High Steve, We can help with the HACMP Cluster issue. There are actually two problems with HACMP, not just the BUGTRAQ Vulnerability 3358. I never got round to writing up a vuln report for it, but it was reported to IBM and given the following code - IY23867. A pair of APAR's were produced to implement patches. The original fix, if I remember correctly, patched AIX. There was an additional issue, which caused a DoS, in the HA clustering component. Both elements need to be patched to prevent a simple connect scan killing the cluster. The issue was identified by IBM as a failure of the HACMP application, causing it to fail. This differs from the previous vulnerability, which caused the snmp daemon to crash the operating system. I remember that IBM were very good at getting a beta-patch out to us quickly, and were active in getting the APAR's out. "I checked on the status of IY23867. According to the result of my search, this APAR has already been shipped, although the ship date was not given (related info suggests the APAR did not ship until sometime after mid-February of this year [2002]). No fanfare accompanied its release, which is normal. There is an e-mail list that announces recent APARs, but one has to peruse the announcement thoroughly to see what APAR fixes what problem. You are welcome to make your announcement; we just ask that you mention that an APAR has been shipped that fixes the problem." If you go to: http://www.ibm.com/Search?v=11&lang=en&cc=us&q=IY23867&Search.x=44&Search.y= 10 http://www-1.ibm.com/support/docview.wss?uid=isg1IY23867 there are links to the various APAR's etc. The issue was identified by Mark Brewis and Will Wilkinson. Mark, Mark Brewis Security Consultant EDS Information Assurance Group Wavendon Tower Milton Keynes Buckinghamshire MK17 8LX. Tel: +44 (0)1908 28 4234/4013 Fax: +44 (0)1908 28 4393 E@: mark.brewis () eds com This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. Any views or opinions presented are solely those of the author. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this mail is strictly prohibited. Precautions have been taken to minimise the risk of transmitting software viruses, but you must carry out your own virus checks on any attachment to this message. No liability can be accepted for any loss or damage caused by software viruses. -----Original Message----- From: steve.x.jones () royalmail com [mailto:steve.x.jones () royalmail com] Sent: Thursday, June 12, 2003 12:23 PM To: pen-test () securityfocus com Subject: Port scan causing system crashes Hello Please can you help? Has any-one else out there had issues with NMAP port scans (or any other port scanner) causing systems to crash? I use Nessus to baseline the security of our systems and have twice had problems caused by the NMAP port scan on clustered unix boxes running our enterprise applications. NOTE - it was the initial port scan that caused the problems, not the subsequent vulnerability assessment. I've done a quick Google search and found confirmation for one of the systems - BUGTRAQ Vulnerability 3358, "IBM HACMP Port Scan Denial of Service Vulnerability", the other was a bespoke app running on some HP UX boxes. Does any-one know of other systems that fall over with a simple port scan? Up til now I've been running port scans happily across our subnets to look for rogue FTP, SMTP, HTTP etc, obviously I'll have to take more care now... Thanks in advance for any help. Steve This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in error, please contact the sender and then delete this email from your system. --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Port scan causing system crashes, (continued)
- RE: Port scan causing system crashes OBrien, Brennan (Jun 12)
- Re: Port scan causing system crashes MARTIN M. Bénoni (Jun 12)
- RE: Port scan causing system crashes Whiteside, Larry [contractor] (Jun 12)
- Re: Port scan causing system crashes Clem Skorupka (Jun 12)
- Re: Port scan causing system crashes Renaud Deraison (Jun 12)
- Re: Port scan causing system crashes Clem Skorupka (Jun 12)
- Re: Port scan causing system crashes Clem Skorupka (Jun 12)
- RE: Port scan causing system crashes Steve Goldsby (ICS) (Jun 12)
- Re: Port scan causing system crashes Death Star (Jun 12)
- RE: Port scan causing system crashes Brass, Phil (ISS Atlanta) (Jun 12)
- Re: Port scan causing system crashes Kevin Pietersma (Jun 13)
- FW: Port scan causing system crashes Brewis, Mark (Jun 13)
- RE: Port scan causing system crashes Martin Walker (Jun 16)
- RE: Port scan causing system crashes Death Star (Jun 16)