[UNIX] FreeBSD Memory Buffer Exhaustion DoS Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 03/10/04
To: list@securiteam.com Date: 10 Mar 2004 18:02:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
FreeBSD Memory Buffer Exhaustion DoS Vulnerability
------------------------------------------------------------------------
SUMMARY
"FreeBSD <http://www.freebsd.org/> is an advanced operating system for
x86 compatible, AMD64, Alpha, IA-64, PC-98 and UltraSPARC architectures.
It is derived from BSD, the version of UNIX developed at the University of
California, Berkeley". Remote exploitation of a denial of service (DoS)
vulnerability in FreeBSD's memory buffers (mbufs) could allow attackers to
launch a DoS attack.
DETAILS
Vulnerable Systems:
* FreeBSD has stated that all versions are affected.
CVE Information:
CAN-2004-0171 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0171>
FreeBSD does not limit the number of TCP segments that may be held in a
reassembly queue.
By sending many out-of-sequence packets, a low bandwidth denial of service
attack is possible against FreeBSD. When the targeted system runs out of
memory buffers (mbufs), it is no longer able to accept or create new
connections.
Exploitation of this vulnerability requires that the targeted system has
at least one open TCP port. The DoS will last until the port is closed,
either by the attacker or the target machine.
Workaround:
"It may be possible to mitigate some denial-of-service attacks by
implementing timeouts at the application level."
Vendor Status:
* Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction date.
OR
* Patch your present system:
The following patch has been verified to apply to FreeBSD 4.x and 5.x
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 5.2]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/tcp52.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/tcp52.patch.asc
[FreeBSD 4.8, 4.9]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/tcp47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/tcp47.patch.asc
b) Apply the patch:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system.
Disclosure Timeline:
January 22, 2004 Exploit acquired by iDEFENSE
February 17, 2004 iDEFENSE clients notified
February 18, 2004 Initial vendor notification
February 18, 2004 Initial vendor response
March 02, 2004 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE <mailto:labs@idefense.com>.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities&flashstatus=true>