Re: FreeBSD Security Advisory FreeBSD-SA-04:04.tcp

From: Mike Tancsa (mike_at_sentex.net)
Date: 03/02/04

    Date: Tue, 02 Mar 2004 15:13:26 -0500
    To: Daniel Spielman <dan@dreadful.org>, freebsd-security@freebsd.org
    
    

    At 03:06 PM 02/03/2004, Daniel Spielman wrote:
    >Is FreeBSD 5.2.1 affected by this exploit?

    It would appear so based on

    http://docs.freebsd.org/cgi/mid.cgi?200403021724.i22HOk8W071644

             ---Mike

    >On Tue, 2 Mar 2004, FreeBSD Security Advisories wrote:
    >
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA1
    > >
    > >
    > > =============================================================================
    > > FreeBSD-SA-04:04.tcp                                        Security Advisory
    > >                                                           The FreeBSD Project
    > >
    > > Topic: many out-of-sequence TCP packets denial-of-service
    > >
    > > Category: core
    > > Module: kernel
    > > Announced: 2004-03-02
    > > Credits: iDEFENSE
    > > Affects: All FreeBSD releases
    > > Corrected: 2004-03-02 17:19:18 UTC (RELENG_4)
    > >            2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
    > >            2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
    > >            2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
    > > CVE Name: CAN-2004-0171
    > > FreeBSD only: NO
    > >
    > > I. Background
    > >
    > > The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
    > > provides a connection-oriented, reliable, sequence-preserving data
    > > stream service. When network packets making up a TCP stream (``TCP
    > > segments'') are received out-of-sequence, they are maintained in a
    > > reassembly queue by the destination system until they can be re-ordered
    > > and re-assembled.
    > >
    > > II. Problem Description
    > >
    > > FreeBSD does not limit the number of TCP segments that may be held in a
    > > reassembly queue.
    > >
    > > III. Impact
    > >
    > > A remote attacker may conduct a low-bandwidth denial-of-service attack
    > > against a machine providing services based on TCP (there are many such
    > > services, including HTTP, SMTP, and FTP). By sending many
    > > out-of-sequence TCP segments, the attacker can cause the target machine
    > > to consume all available memory buffers (``mbufs''), likely leading to
    > > a system crash.
    > >
    > > IV. Workaround
    > >
    > > It may be possible to mitigate some denial-of-service attacks by
    > > implementing timeouts at the application level.
    > >
    > > V. Solution
    > >
    > > Do one of the following:
    > >
    > > 1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
    > > RELENG_4_9, or RELENG_4_8 security branch dated after the correction
    > > date.
    > >
    > > OR
    > >
    > > 2) Patch your present system:
    > >
    > > The following patch has been verified to apply to FreeBSD 4.x and 5.x
    > > systems.
    > >
    > > a) Download the relevant patch from the location below, and verify the
    > > detached PGP signature using your PGP utility.
    > >
    > > [FreeBSD 5.2]
    > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
    > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc
    > >
    > > [FreeBSD 4.8, 4.9]
    > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
    > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc
    > >
    > > b) Apply the patch.
    > >
    > > # cd /usr/src
    > > # patch < /path/to/patch
    > >
    > > c) Recompile your kernel as described in
    > > <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
    > > system.
    > >
    > > VI. Correction details
    > >
    > > The following list contains the revision numbers of each file that was
    > > corrected in FreeBSD.
    > >
    > > Branch                         Revision
    > >   Path
    > > - -------------------------------------------------------------------------
    > > RELENG_4
    > >   src/UPDATING                 1.73.2.90
    > >   src/sys/conf/newvers.sh      1.44.2.33
    > >   src/sys/netinet/tcp_input.c  1.107.2.40
    > >   src/sys/netinet/tcp_subr.c   1.73.2.33
    > >   src/sys/netinet/tcp_var.h    1.56.2.15
    > > RELENG_5_2
    > >   src/UPDATING                 1.282.2.9
    > >   src/sys/conf/newvers.sh      1.56.2.8
    > >   src/sys/netinet/tcp_input.c  1.217.2.2
    > >   src/sys/netinet/tcp_subr.c   1.169.2.4
    > >   src/sys/netinet/tcp_var.h    1.93.2.2
    > > RELENG_4_9
    > >   src/UPDATING                 1.73.2.89.2.4
    > >   src/sys/conf/newvers.sh      1.44.2.32.2.4
    > >   src/sys/netinet/tcp_input.c  1.107.2.38.2.1
    > >   src/sys/netinet/tcp_subr.c   1.73.2.31.4.1
    > >   src/sys/netinet/tcp_var.h    1.56.2.13.4.1
    > > RELENG_4_8
    > >   src/UPDATING                 1.73.2.80.2.19
    > >   src/sys/conf/newvers.sh      1.44.2.29.2.17
    > >   src/sys/netinet/tcp_input.c  1.107.2.37.2.1
    > >   src/sys/netinet/tcp_subr.c   1.73.2.31.2.1
    > >   src/sys/netinet/tcp_var.h    1.56.2.13.2.1
    > > - -------------------------------------------------------------------------
    > >
    > > VII. References
    > >
    > >
    > > <URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities>
    > > -----BEGIN PGP SIGNATURE-----
    > > Version: GnuPG v1.2.4
    > >
    > > iD8DBQFAROKHFdaIBMps37IRAu9EAJ9VY70IDYdjr6GkKJCJCGyvBV3OcQCeIXwL
    > > UDTQ4rcO/SP2rFRZ0Mcj1iQ=
    > > =Gkct
    > > -----END PGP SIGNATURE-----
    > > _______________________________________________
    > > freebsd-security@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    > >
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
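
Added example, not part of the original message and not the FreeBSD patch: a small C model of a TCP reassembly queue with the limit that section II of the advisory says was missing. The names `reass_input`, `reass_drain`, `REASS_MAXSEG` and the cap of 4 are assumptions for illustration; segments are treated as whole units and overlap trimming is omitted.

```c
/* Added model, not FreeBSD source; all names and the cap value are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define REASS_MAXSEG 4      /* hypothetical system-wide cap on queued segments */
#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)   /* wrap-safe sequence compare */

struct seg  { uint32_t seq, len; struct seg *next; };
struct conn { uint32_t rcv_nxt; struct seg *q; };  /* q is sorted by seq */
size_t reass_qsize;         /* segments queued across all connections */
size_t reass_overflows;     /* segments refused because the cap was hit */

/* Deliver queued segments that have become contiguous with rcv_nxt. */
static void reass_drain(struct conn *c)
{
    while (c->q != NULL && !SEQ_LT(c->rcv_nxt, c->q->seq)) {
        struct seg *s = c->q;
        uint32_t end = s->seq + s->len;
        if (SEQ_LT(c->rcv_nxt, end)) c->rcv_nxt = end;
        c->q = s->next;
        free(s);
        reass_qsize--;
    }
}

/* Returns true if the segment was delivered or queued, false if dropped. */
bool reass_input(struct conn *c, uint32_t seq, uint32_t len)
{
    if (SEQ_LT(seq, c->rcv_nxt)) return false;  /* already-received data */
    if (seq == c->rcv_nxt) {    /* in-sequence: consumes no queue slot */
        c->rcv_nxt += len;
        reass_drain(c);
        return true;
    }
    if (reass_qsize >= REASS_MAXSEG) {  /* the bound an unlimited queue lacks */
        reass_overflows++;
        return false;           /* dropped; TCP retransmission recovers it */
    }
    struct seg *s = malloc(sizeof(*s));
    if (s == NULL) return false;
    s->seq = seq; s->len = len;
    struct seg **pp = &c->q;    /* find the sorted insertion point */
    while (*pp != NULL && SEQ_LT((*pp)->seq, seq))
        pp = &(*pp)->next;
    s->next = *pp;
    *pp = s;
    reass_qsize++;
    return true;
}
```

Because the in-sequence segment is accepted before the cap is checked, a connection can still make progress and release its queued segments while the pool is full.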

