FreeBSD Security Advisory FreeBSD-SA-03:03.syncookies

From: FreeBSD Security Advisories (security-advisories@freebsd.org)
Date: 02/24/03

  • Next message: snsadv@lac.co.jp: "[SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2""
    Date: Mon, 24 Feb 2003 05:05:36 -0800 (PST)
    From: FreeBSD Security Advisories <security-advisories@freebsd.org>
    To: Bugtraq <bugtraq@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =============================================================================
    FreeBSD-SA-03:03.syncookies Security Advisory
                                                              The FreeBSD Project

    Topic: Brute force attack on SYN cookies

    Category: core
    Module: sys_netinet
    Announced: 2003-02-24
    Credits: Mike Silbersack <silby@FreeBSD.org>
    Affects: FreeBSD 4.5-RELEASE
                    FreeBSD 4.6-RELEASE prior to 4.6.2-RELEASE-p9
                    FreeBSD 4.7-RELEASE prior to 4.7-RELEASE-p6
                    FreeBSD 4.7-STABLE prior to the correction date
                    FreeBSD 5.0-RELEASE prior to 5.0-RELEASE-p3
    Corrected: 2003-02-23 19:04:58 UTC (RELENG_4)
                    2003-02-23 20:18:48 UTC (RELENG_5_0)
                    2003-02-23 20:19:29 UTC (RELENG_4_7)
                    2003-02-24 02:42:06 UTC (RELENG_4_6)
    FreeBSD only: YES

    I. Background

    SYN cookies are a technique used to mitigate the effects of SYN flood
    attacks by choosing initial TCP sequence numbers (ISNs) that can be
    verified cryptographically. FreeBSD implements this technique in the
    TCP stack (where it is referred to as `syncookies') by default.

    II. Problem Description

    The FreeBSD syncookie implementation protects the generated ISN using
    a MAC that is keyed on one of several internal secret keys which are
    rotated periodically. However, the keys are only 32 bits in length,
    allowing brute force attacks on the secrets to be feasible.

    III. Impact

    Once a syncookie key has been recovered, an attacker may construct
    valid ISNs until the key is rotated (typically up to four seconds).
    The ability to construct a valid ISN may be used to spoof a TCP
    connection in exactly the same way as in the well-known ISN prediction
    attacks (see `References'). Spoofing may allow an attacker to bypass
    IP-based access control lists such as those implemented by
    tcp_wrappers and many firewalls. Similarly, SMTP and other
    connections may be forged, increasing the difficulty of tracing
    abusers. Recovery of a syncookie key will also allow the attacker to
    reset TCP connections initiated within the same 31.25ms window.

    IV. Workaround

    syncookies may be disabled using the `net.inet.tcp.syncookies'
    sysctl(8). Execute the following command as root:

      # sysctl net.inet.tcp.syncookies=0

    To disable syncookies at system startup time, add the following line
    to sysctl.conf(5):

      net.inet.tcp.syncookies=0

    V. Solution

    1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7
    (4.7-RELEASE-p6), RELENG_4_6 (4.6.2-RELEASE-p9), or RELENG_5_0
    (5.0-RELEASE-p3) security branch dated after the correction date.

    2) To patch your present system:

    The following patch has been verified to apply to FreeBSD 4.6, 4.7, and
    5.0 systems.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch.asc

    b) Apply the patch.

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in
    <URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html >
    and reboot the system.

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Path Revision
      Branch
    - -------------------------------------------------------------------------
    src/sys/conf/newvers.sh
      RELENG_5_0 1.48.2.4
      RELENG_4_7 1.44.2.26.2.8
      RELENG_4_6 1.44.2.23.2.26
    src/sys/netinet/tcp_syncache.c
      RELENG_4 1.5.2.13
      RELENG_5_0 1.28.2.3
      RELENG_4_7 1.5.2.8.2.1
      RELENG_4_6 1.5.2.6.2.2
    - -------------------------------------------------------------------------

    VII. References

    <URL: http://cr.yp.to/syncookies.html >
    <URL: http://www.cert.org/advisories/CA-2001-09.html >
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (FreeBSD)

    iD8DBQE+Whc6FdaIBMps37IRAgP9AJ4npQ6fYrxATBWOx8AdlKA/03GsggCcC4Br
    GBDcKjEcnHInChHZVuXYg58=
    =LfP+
    -----END PGP SIGNATURE-----



    Relevant Pages

    • RE: realpath(3) et al
      ... IBM has a stack smashing protection patch for GCC 3.3 on ... FreeBSD 4.8 available at ... > yes, it stops the current attacks, but the underlying problem that an ... > attacker can change the flow of program execution remains; ...
      (FreeBSD-Security)
    • Re: NTP security hole CVE-2013-5211?
      ... Two months after this vulnerability was announced, we're still seeing attempts to use the NTP "monitor" query to execute and amplify DDoS attacks. ... restrict default kod nomodify notrap nopeer noquery ... We've tested this configuration on our servers and it successfully prevents the latest patches of FreeBSD 9.x and 10.0 from participating in a DDoS attack, either as a relay or as an amplifier. ...
      (FreeBSD-Security)
    • RE: hijacking TCP connections on FreeBSD
      ... attacks nor injection attacks can adequately interrupt the packet stream. ... hijacking TCP connections on FreeBSD ... Is it possible to hijack established tcp connections on FreeBSD? ...
      (Vuln-Dev)
    • Re: sshit runs out of semaphores
      ... FreeBSD 7.0 p1. ... Could not create semaphore set: ... am also seeing 'slow fire' attacks, where an IP is repeated every 2 ... keep the IP for however many days you set it for so a repeat even hours later ...
      (freebsd-questions)