FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

From: FreeBSD Security Advisories (security-advisories_at_freebsd.org)
Date: 06/29/05

  • Next message: Colin Percival: "Re: Any status on timestamp vulnerability fix for 4.X?"
    Date: Wed, 29 Jun 2005 21:55:04 GMT
    To: FreeBSD Security Advisories <security-advisories@freebsd.org>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =============================================================================
    FreeBSD-SA-05:15.tcp Security Advisory
                                                              The FreeBSD Project

    Topic: TCP connection stall denial of service

    Category: core
    Module: inet
    Announced: 2005-06-29
    Credits: Noritoshi Demizu
    Affects: All FreeBSD releases.
    Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
                    2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
                    2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
                    2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
                    2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
                    2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
    CVE Name: CAN-2005-0356, CAN-2005-2068

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit
    <URL:http://www.freebsd.org/security/>.

    I. Background

    The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
    provides a connection-oriented, reliable, sequence-preserving data
    stream service. TCP timestamps are used to measure Round-Trip Time
    and in the Protect Against Wrapped Sequences (PAWS) algorithm. TCP
    packets with the SYN flag set are used during setup of new TCP
    connections.

    II. Problem Description

    Two problems have been discovered in the FreeBSD TCP stack.

    First, when a TCP packets containing a timestamp is received, inadequate
    checking of sequence numbers is performed, allowing an attacker to
    artificially increase the internal "recent" timestamp for a connection.

    Second, a TCP packet with the SYN flag set is accepted for established
    connections, allowing an attacker to overwrite certain TCP options.

    III. Impact

    Using either of the two problems an attacker with knowledge of the
    local and remote IP and port numbers associated with a connection
    can cause a denial of service situation by stalling the TCP connection.
    The stalled TCP connection my be closed after some time by the other
    host.

    IV. Workaround

    In some cases it may be possible to defend against these attacks by
    blocking the attack packets using a firewall. Packets used to effect
    either of these attacks would have spoofed source IP addresses.

    V. Solution

    Perform one of the following:

    1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
    RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
    dated after the correction date.

    2) To patch your present system:

    The following patches have been verified to apply to FreeBSD 4.10,
    4.11, 5.3, and 5.4 systems.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 4.x]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc

    [FreeBSD 5.x]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch.asc

    b) Apply the patch.

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in
    <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
    system.

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Branch Revision
      Path
    - -------------------------------------------------------------------------
    RELENG_4
      src/sys/netinet/tcp_input.c 1.107.2.44
    RELENG_4_11
      src/UPDATING 1.73.2.91.2.12
      src/sys/conf/newvers.sh 1.44.2.39.2.15
      src/sys/netinet/tcp_input.c 1.107.2.41.4.3
    RELENG_4_10
      src/UPDATING 1.73.2.90.2.17
      src/sys/conf/newvers.sh 1.44.2.34.2.18
      src/sys/netinet/tcp_input.c 1.107.2.41.2.1
    RELENG_5
      src/sys/netinet/tcp_input.c 1.252.2.16
    RELENG_5_4
      src/UPDATING 1.342.2.24.2.12
      src/sys/conf/newvers.sh 1.62.2.18.2.8
      src/sys/netinet/tcp_input.c 1.252.2.14.2.1
    RELENG_5_3
      src/UPDATING 1.342.2.13.2.20
      src/sys/conf/newvers.sh 1.62.2.15.2.22
      src/sys/netinet/tcp_input.c 1.252.4.1
    - -------------------------------------------------------------------------

    VII. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2068
    http://www.kb.cert.org/vuls/id/637934

    The latest revision of this advisory is available at
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (FreeBSD)

    iD8DBQFCwxe7FdaIBMps37IRAi39AJ9ss6PVEwloS4SlKEWi5S1hpHnzmACeJF7H
    rKmK2NtleJ98dTLWW4QLMn4=
    =6fBH
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Colin Percival: "Re: Any status on timestamp vulnerability fix for 4.X?"

    Relevant Pages

    • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp
      ... For general information regarding FreeBSD Security Advisories, ... TCP timestamps are used to measure Round-Trip Time ... artificially increase the internal "recent" timestamp for a connection. ... allowing an attacker to overwrite certain TCP options. ...
      (freebsd-announce)
    • Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
      ... For general information regarding FreeBSD Security Advisories, ... New TCP connections are initiated using special SYN ... When a segment with the SYN flag for an already existing connection arrives, ... To update your vulnerable system via a source code patch: ...
      (FreeBSD-Security)
    • FreeBSD Security Advisory FreeBSD-SA-05:15.tcp
      ... For general information regarding FreeBSD Security Advisories, ... TCP timestamps are used to measure Round-Trip Time ... artificially increase the internal "recent" timestamp for a connection. ... allowing an attacker to overwrite certain TCP options. ...
      (Bugtraq)
    • Re: How secure is SSL emails?
      ... Dropping any connection with IP source routing might be safe ... authenticate TCP connections? ... >that connection has been leaked to the attacker. ...
      (sci.crypt)
    • Re: pending changes for TOE support
      ... TCP offload - that is the connection setup and teardown are handled by ... It would be preferable if FreeBSD could just see what the raw ...
      (freebsd-arch)