Re: FreeBSD Security Advisory FreeBSD-SA-04:04.tcp

From: Mike Tancsa (mike_at_sentex.net)
Date: 03/02/04

  • Next message: Darren Reed: "Re: IPFilter and FreeBSD (was Re: mbuf vulnerability)"
    Date: Tue, 02 Mar 2004 15:13:26 -0500
    To: Daniel Spielman <dan@dreadful.org>, freebsd-security@freebsd.org
    
    

    At 03:06 PM 02/03/2004, Daniel Spielman wrote:
    >is FreeBSD 5.2.1 affected by this exploit ?

    It would appear so based on

    http://docs.freebsd.org/cgi/mid.cgi?200403021724.i22HOk8W071644

             ---Mike

    >On Tue, 2 Mar 2004, FreeBSD Security Advisories wrote:
    >
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA1
    > >
    > >
    > =============================================================================
    > > FreeBSD-SA-04:04.tcp Security Advisory
    > > The FreeBSD
    > Project
    > >
    > > Topic: many out-of-sequence TCP packets denial-of-service
    > >
    > > Category: core
    > > Module: kernel
    > > Announced: 2004-03-02
    > > Credits: iDEFENSE
    > > Affects: All FreeBSD releases
    > > Corrected: 2004-03-02 17:19:18 UTC (RELENG_4)
    > > 2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
    > > 2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
    > > 2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
    > > CVE Name: CAN-2004-0171
    > > FreeBSD only: NO
    > >
    > > I. Background
    > >
    > > The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
    > > provides a connection-oriented, reliable, sequence-preserving data
    > > stream service. When network packets making up a TCP stream (``TCP
    > > segments'') are received out-of-sequence, they are maintained in a
    > > reassembly queue by the destination system until they can be re-ordered
    > > and re-assembled.
    > >
    > > II. Problem Description
    > >
    > > FreeBSD does not limit the number of TCP segments that may be held in a
    > > reassembly queue.
    > >
    > > III. Impact
    > >
    > > A remote attacker may conduct a low-bandwidth denial-of-service attack
    > > against a machine providing services based on TCP (there are many such
    > > services, including HTTP, SMTP, and FTP). By sending many
    > > out-of-sequence TCP segments, the attacker can cause the target machine
    > > to consume all available memory buffers (``mbufs''), likely leading to
    > > a system crash.
    > >
    > > IV. Workaround
    > >
    > > It may be possible to mitigate some denial-of-service attacks by
    > > implementing timeouts at the application level.
    > >
    > > V. Solution
    > >
    > > Do one of the following:
    > >
    > > 1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
    > > RELENG_4_9, or RELENG_4_8 security branch dated after the correction
    > > date.
    > >
    > > OR
    > >
    > > 2) Patch your present system:
    > >
    > > The following patch has been verified to apply to FreeBSD 4.x and 5.x
    > > systems.
    > >
    > > a) Download the relevant patch from the location below, and verify the
    > > detached PGP signature using your PGP utility.
    > >
    > > [FreeBSD 5.2]
    > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
    > > # fetch
    > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc
    > >
    > > [FreeBSD 4.8, 4.9]
    > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
    > > # fetch
    > ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc
    > >
    > > b) Apply the patch.
    > >
    > > # cd /usr/src
    > > # patch < /path/to/patch
    > >
    > > c) Recompile your kernel as described in
    > > <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
    > > system.
    > >
    > > VI. Correction details
    > >
    > > The following list contains the revision numbers of each file that was
    > > corrected in FreeBSD.
    > >
    > > Branch Revision
    > > Path
    > > - -------------------------------------------------------------------------
    > > RELENG_4
    > > src/UPDATING 1.73.2.90
    > > src/sys/conf/newvers.sh 1.44.2.33
    > > src/sys/netinet/tcp_input.c 1.107.2.40
    > > src/sys/netinet/tcp_subr.c 1.73.2.33
    > > src/sys/netinet/tcp_var.h 1.56.2.15
    > > RELENG_5_2
    > > src/UPDATING 1.282.2.9
    > > src/sys/conf/newvers.sh 1.56.2.8
    > > src/sys/netinet/tcp_input.c 1.217.2.2
    > > src/sys/netinet/tcp_subr.c 1.169.2.4
    > > src/sys/netinet/tcp_var.h 1.93.2.2
    > > RELENG_4_9
    > > src/UPDATING 1.73.2.89.2.4
    > > src/sys/conf/newvers.sh 1.44.2.32.2.4
    > > src/sys/netinet/tcp_input.c 1.107.2.38.2.1
    > > src/sys/netinet/tcp_subr.c 1.73.2.31.4.1
    > > src/sys/netinet/tcp_var.h 1.56.2.13.4.1
    > > RELENG_4_8
    > > src/UPDATING 1.73.2.80.2.19
    > > src/sys/conf/newvers.sh 1.44.2.29.2.17
    > > src/sys/netinet/tcp_input.c 1.107.2.37.2.1
    > > src/sys/netinet/tcp_subr.c 1.73.2.31.2.1
    > > src/sys/netinet/tcp_var.h 1.56.2.13.2.1
    > > - -------------------------------------------------------------------------
    > >
    > > VII. References
    > >
    > >
    > <URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities>
    > > -----BEGIN PGP SIGNATURE-----
    > > Version: GnuPG v1.2.4
    > >
    > > iD8DBQFAROKHFdaIBMps37IRAu9EAJ9VY70IDYdjr6GkKJCJCGyvBV3OcQCeIXwL
    > > UDTQ4rcO/SP2rFRZ0Mcj1iQ=
    > > =Gkct
    > > -----END PGP SIGNATURE-----
    > > _______________________________________________
    > > freebsd-security@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    > >
    >_______________________________________________
    >freebsd-security@freebsd.org mailing list
    >http://lists.freebsd.org/mailman/listinfo/freebsd-security
    >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Darren Reed: "Re: IPFilter and FreeBSD (was Re: mbuf vulnerability)"

    Relevant Pages

    • FreeBSD Security Advisory: FreeBSD-SA-01:13.sort
      ... such that they cannot be "subverted" by a symlink attack, ... as system management and reporting scripts). ... All released versions of FreeBSD prior to the correction date including ... Verify the detached PGP signature using your PGP utility. ...
      (FreeBSD-Security)
    • Re: FreeBSD Security Advisory FreeBSD-SA-04:04.tcp
      ... On Tue, 2 Mar 2004, FreeBSD Security Advisories wrote: ... When network packets making up a TCP stream (``TCP ... > a) Download the relevant patch from the location below, ... > VI. Correction details ...
      (FreeBSD-Security)
    • RE: FreeBSD Security Advisory FreeBSD-SA-02:13.openssh
      ... > The following patch has been verified to apply to FreeBSD 4.4-RELEASE, ... > may or may not apply to older, unsupported versions of FreeBSD. ... > Download the patch and the detached PGP signature from the following ... ># make depend && make all install ...
      (FreeBSD-Security)
    • Re: FreeBSD Security Advisory FreeBSD-SA-02:30.ktrace
      ... > When will this patch be merged into the security branches, ... > included with the tcpdump fix and the merge just not mentioned? ... Correction details ... FreeBSD: The Power To Serve - http://www.FreeBSD.org ...
      (FreeBSD-Security)