FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

From: FreeBSD Security Advisories
Date: 06/29/05

    Date: Wed, 29 Jun 2005 21:55:04 GMT
    To: FreeBSD Security Advisories


    FreeBSD-SA-05:15.tcp Security Advisory
                                                              The FreeBSD Project

    Topic: TCP connection stall denial of service

    Category: core
    Module: inet
    Announced: 2005-06-29
    Credits: Noritoshi Demizu
    Affects: All FreeBSD releases.
    Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
                    2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
                    2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
                    2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
                    2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
                    2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
    CVE Name: CAN-2005-0356, CAN-2005-2068

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit

    I. Background

    The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
    provides a connection-oriented, reliable, sequence-preserving data
    stream service. TCP timestamps are used to measure Round-Trip Time
    and in the Protect Against Wrapped Sequences (PAWS) algorithm. TCP
    packets with the SYN flag set are used during setup of new TCP

    II. Problem Description

    Two problems have been discovered in the FreeBSD TCP stack.

    First, when a TCP packet containing a timestamp is received, inadequate
    checking of sequence numbers is performed, allowing an attacker to
    artificially increase the internal "recent" timestamp for a connection.

    Second, a TCP packet with the SYN flag set is accepted for established
    connections, allowing an attacker to overwrite certain TCP options.
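    The first problem above, modelled as an added example (not code from the advisory or from the FreeBSD patch): a lax ts_recent update that checks only the segment's lower sequence bound, beside a hardened rule that also requires the segment to reach last_ack_sent, with the PAWS check that both feed. The conn and seg structs are a hypothetical stand-in for the kernel's per-connection state, the SEQ_ macros mirror the BSD sequence-space comparisons, the scenario values are constructed, and the second (SYN on an established connection) problem is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Sequence-space comparisons that wrap modulo 2^32, as the BSD stack does. */
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)

/* Minimal stand-in for the per-connection state the checks consult (a model,
 * not the kernel's own tcpcb). */
struct conn {
    uint32_t last_ack_sent; /* left edge of our receive window */
    uint32_t ts_recent;     /* peer timestamp value that PAWS compares against */
};

/* One received segment; len counts payload bytes plus one each for SYN and FIN. */
struct seg { uint32_t seq, len, tsval; bool has_ts; };

/* Lax rule: any timestamped segment whose SEQ is at or below last_ack_sent
 * updates ts_recent, so a stale or forged SEQ can plant an inflated value. */
static bool ts_update_lax(struct conn *c, const struct seg *s) {
    if (!s->has_ts || !SEQ_LEQ(s->seq, c->last_ack_sent))
        return false;
    c->ts_recent = s->tsval;
    return true;
}

/* Hardened rule: the segment must also reach last_ack_sent, i.e. carry the
 * next byte we expect, so only in-window data can advance ts_recent. */
static bool ts_update_strict(struct conn *c, const struct seg *s) {
    if (!s->has_ts || !SEQ_LEQ(s->seq, c->last_ack_sent) ||
        !SEQ_LEQ(c->last_ack_sent, s->seq + s->len))
        return false;
    c->ts_recent = s->tsval;
    return true;
}

/* PAWS: a timestamped segment older than ts_recent is discarded. */
static bool paws_accept(const struct conn *c, const struct seg *s) {
    return !(s->has_ts && SEQ_LT(s->tsval, c->ts_recent));
}

/* Constructed scenario: one out-of-window segment carrying a huge TSval, then
 * the peer's genuine next segment. Returns whether the genuine one passes PAWS. */
static bool peer_segment_survives(bool (*update)(struct conn *, const struct seg *)) {
    struct conn c = { .last_ack_sent = 100000, .ts_recent = 5000 };
    struct seg stale = { .seq = 95000, .len = 100, .tsval = 5000000, .has_ts = true };
    struct seg legit = { .seq = 100000, .len = 1460, .tsval = 5010, .has_ts = true };
    update(&c, &stale);
    return paws_accept(&c, &legit); /* lax rule: false (stall); strict rule: true */
}
```

Under the lax rule the genuine segment is dropped by PAWS and every later one with it, which is the stall the advisory describes; the strict rule leaves ts_recent untouched.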

    III. Impact

    Using either of the two problems an attacker with knowledge of the
    local and remote IP and port numbers associated with a connection
    can cause a denial of service situation by stalling the TCP connection.
    The stalled TCP connection may be closed after some time by the other

    IV. Workaround

    In some cases it may be possible to defend against these attacks by
    blocking the attack packets using a firewall. Packets used to effect
    either of these attacks would have spoofed source IP addresses.

    V. Solution

    Perform one of the following:

    1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
    RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
    dated after the correction date.

    2) To patch your present system:

    The following patches have been verified to apply to FreeBSD 4.10,
    4.11, 5.3, and 5.4 systems.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 4.x]
    # fetch
    # fetch

    [FreeBSD 5.x]
    # fetch
    # fetch

    b) Apply the patch.

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in
    <URL:> and reboot the

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Branch Revision
    - -------------------------------------------------------------------------
      src/UPDATING 1.342.
      src/UPDATING 1.342.
    - -------------------------------------------------------------------------

    VII. References

    The latest revision of this advisory is available at
