-- Corsaire Security Advisory --

Title: Tivoli Management Framework Endpoint DoS issue
Date: 27.11.04
Application: Tivoli LCF prior to 41100
Environment: Various
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General release
Reference: c041127-001

-- Scope --

The aim of this document is to clearly define an issue that exists with the IBM Tivoli product [1] that will allow a remote attacker to provoke a DoS condition.

-- History --

Discovered: 27.11.04 (Martin O'Neal)
Vendor notified: 30.11.04
NISCC notified: 10.12.04
Vendor release: 27.06.05
Document released: 08.07.05

-- Overview --

The Tivoli Management Framework Endpoint is installed on devices to be managed by the Tivoli environment. The LCF is the sub-component that provides networking interaction. If a connection is established to the LCF, but exits without sending any data, then the LCF process logs an error message and exits, denying access to valid management traffic.

-- Analysis --

The Tivoli Management Framework Endpoint accepts remote management traffic via the LCF subcomponent. If a connection is established, but no data is sent, then the LCF component logs an error message to the audit trail and exits.

The IBM Flash Alert [2] that covers this issue notes that the LCF "will wait 5 minutes before accepting new connections". In all the testing that was conducted by Corsaire this was not the case, and once the LCF stopped responding, it did so until the service was restarted.

A successful attack against the LCF will result in log file entries similar to:

    Nov 28 13:04:09 1 lcfd Terminating for exception: net_recv: bad packet
    Nov 28 13:04:29 1 lcfd Clean Shutdown

-- Recommendations --

IBM have provided a Flash Alert for this issue [2]; however, it is only available to IBM customers with a valid support contract.

The Tivoli LCF component should be upgraded to a version that is not susceptible to this issue [3].
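
Added example, not part of the Corsaire advisory or of IBM's tooling: a log check for the two lcfd entries quoted in the Analysis section, reporting each "bad packet" exit and whether the Clean Shutdown entry followed it. The line layout is inferred from those two samples; the year, the two-minute pairing window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the advisory's samples: "<Mon DD HH:MM:SS> <number> lcfd <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\d+\s+lcfd\s+(.*)$")
EXCEPTION_MSG = "Terminating for exception: net_recv: bad packet"
SHUTDOWN_MSG = "Clean Shutdown"

def parse_line(line, year):
    """Return (timestamp, message) for an lcfd entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year, so the caller has to supply one (assumption).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2).strip()

def find_lcfd_terminations(lines, year=2004, window=timedelta(minutes=2)):
    """List each 'bad packet' exit and the Clean Shutdown that followed within window."""
    events, pending = [], None
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg == EXCEPTION_MSG:
            if pending is not None:  # earlier exception never saw its shutdown line
                events.append({"exception_at": pending, "shutdown_at": None})
            pending = ts
        elif msg == SHUTDOWN_MSG and pending is not None:
            within = ts - pending <= window
            events.append({"exception_at": pending, "shutdown_at": ts if within else None})
            pending = None
        # A Clean Shutdown with no preceding exception is an ordinary stop: ignored.
    if pending is not None:  # log ended before the shutdown entry was written
        events.append({"exception_at": pending, "shutdown_at": None})
    return events

# First two lines are the advisory's sample entries; the last two are constructed.
SAMPLE_LOG = """\
Nov 28 13:04:09 1 lcfd Terminating for exception: net_recv: bad packet
Nov 28 13:04:29 1 lcfd Clean Shutdown
Nov 29 02:00:00 1 lcfd Clean Shutdown
Nov 29 09:15:42 1 lcfd Terminating for exception: net_recv: bad packet
""".splitlines()

if __name__ == "__main__":
    for event in find_lcfd_terminations(SAMPLE_LOG):
        print(event)
```
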

Additionally, IBM have added several new features to the LCF component to help defeat DoS attacks. These can be configured via the wep command:

    recvDataNumAttempts (default=10)
    recvDataQMaxNum (default=50)
    recvDataTimeout (default=2)

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2170 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems.

-- References --

[1] http://www-306.ibm.com/software/tivoli/
[2] http://www-1.ibm.com/support/entdocview.wss?uid=swg21210334
[3] http://www-1.ibm.com/support/docview.wss?uid=swg24009815

-- Revision --

a. Initial release.
b. Minor revisions.

-- Distribution --

This security advisory may be freely distributed, provided that it remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.

-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research.

A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com

Copyright 2004 Corsaire Limited. All rights reserved.