Date: Tue, 02 Mar 2004 15:13:26 -0500
From: Mike Tancsa <mike@sentex.net>
To: Daniel Spielman <dan@dreadful.org>, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:04.tcp
Message-ID: <6.0.3.0.0.20040302151149.061fa9f8@209.112.4.2>
In-Reply-To: <20040302120455.S38344@dreadful.org>
References: <200403021955.i22Jtix2024059@freefall.freebsd.org> <20040302120455.S38344@dreadful.org>

At 03:06 PM 02/03/2004, Daniel Spielman wrote:
>is FreeBSD 5.2.1 affected by this exploit ?

It would appear so based on
http://docs.freebsd.org/cgi/mid.cgi?200403021724.i22HOk8W071644

        ---Mike

>On Tue, 2 Mar 2004, FreeBSD Security Advisories wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > =============================================================================
> > FreeBSD-SA-04:04.tcp                                      Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          many out-of-sequence TCP packets denial-of-service
> >
> > Category:       core
> > Module:         kernel
> > Announced:      2004-03-02
> > Credits:        iDEFENSE
> > Affects:        All FreeBSD releases
> > Corrected:      2004-03-02 17:19:18 UTC (RELENG_4)
> >                 2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
> >                 2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
> >                 2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
> > CVE Name:       CAN-2004-0171
> > FreeBSD only:   NO
> >
> > I.   Background
> >
> > The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
> > provides a connection-oriented, reliable, sequence-preserving data
> > stream service.  When network packets making up a TCP stream (``TCP
> > segments'') are received out-of-sequence, they are maintained in a
> > reassembly queue by the destination system until they can be re-ordered
> > and re-assembled.
> >
> > II.  Problem Description
> >
> > FreeBSD does not limit the number of TCP segments that may be held in a
> > reassembly queue.
> >
> > III. Impact
> >
> > A remote attacker may conduct a low-bandwidth denial-of-service attack
> > against a machine providing services based on TCP (there are many such
> > services, including HTTP, SMTP, and FTP).  By sending many
> > out-of-sequence TCP segments, the attacker can cause the target machine
> > to consume all available memory buffers (``mbufs''), likely leading to
> > a system crash.
> >
> > IV.  Workaround
> >
> > It may be possible to mitigate some denial-of-service attacks by
> > implementing timeouts at the application level.
> >
> > V.   Solution
> >
> > Do one of the following:
> >
> > 1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
> > RELENG_4_9, or RELENG_4_8 security branch dated after the correction
> > date.
> >
> > OR
> >
> > 2) Patch your present system:
> >
> > The following patch has been verified to apply to FreeBSD 4.x and 5.x
> > systems.
> >
> > a) Download the relevant patch from the location below, and verify the
> > detached PGP signature using your PGP utility.
> >
> > [FreeBSD 5.2]
> > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
> > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc
> >
> > [FreeBSD 4.8, 4.9]
> > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
> > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc
> >
> > b) Apply the patch.
> >
> > # cd /usr/src
> > # patch < /path/to/patch
> >
> > c) Recompile your kernel as described in
> > <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
> > system.
> >
> > VI.  Correction details
> >
> > The following list contains the revision numbers of each file that was
> > corrected in FreeBSD.
> >
> > Branch                                                         Revision
> >   Path
> > - -------------------------------------------------------------------------
> > RELENG_4
> >   src/UPDATING                                                  1.73.2.90
> >   src/sys/conf/newvers.sh                                       1.44.2.33
> >   src/sys/netinet/tcp_input.c                                  1.107.2.40
> >   src/sys/netinet/tcp_subr.c                                    1.73.2.33
> >   src/sys/netinet/tcp_var.h                                     1.56.2.15
> > RELENG_5_2
> >   src/UPDATING                                                  1.282.2.9
> >   src/sys/conf/newvers.sh                                        1.56.2.8
> >   src/sys/netinet/tcp_input.c                                   1.217.2.2
> >   src/sys/netinet/tcp_subr.c                                    1.169.2.4
> >   src/sys/netinet/tcp_var.h                                      1.93.2.2
> > RELENG_4_9
> >   src/UPDATING                                              1.73.2.89.2.4
> >   src/sys/conf/newvers.sh                                   1.44.2.32.2.4
> >   src/sys/netinet/tcp_input.c                              1.107.2.38.2.1
> >   src/sys/netinet/tcp_subr.c                                1.73.2.31.4.1
> >   src/sys/netinet/tcp_var.h                                 1.56.2.13.4.1
> > RELENG_4_8
> >   src/UPDATING                                             1.73.2.80.2.19
> >   src/sys/conf/newvers.sh                                  1.44.2.29.2.17
> >   src/sys/netinet/tcp_input.c                              1.107.2.37.2.1
> >   src/sys/netinet/tcp_subr.c                                1.73.2.31.2.1
> >   src/sys/netinet/tcp_var.h                                 1.56.2.13.2.1
> > - -------------------------------------------------------------------------
> >
> > VII. References
> >
> > <URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities>
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.4
> >
> > iD8DBQFAROKHFdaIBMps37IRAu9EAJ9VY70IDYdjr6GkKJCJCGyvBV3OcQCeIXwL
> > UDTQ4rcO/SP2rFRZ0Mcj1iQ=
> > =Gkct
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> >
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
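
Sections II and III of the quoted advisory describe a reassembly queue with no limit on held segments. The following C sketch is an added example, not part of the original message and not the FreeBSD patch; it shows a reassembly routine that enforces a per-connection and a global budget. The names `reass_input`, `struct conn`, `struct seg` and both limit values are hypothetical, and the traffic in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical limits for this sketch; not values taken from the patch. */
#define REASS_MAX_GLOBAL  8   /* held segments across all connections */
#define REASS_MAX_PERCONN 4   /* held segments on one connection */
struct seg  { uint32_t seq, len; struct seg *next; };
struct conn { uint32_t rcv_nxt; int qlen; struct seg *q; };
static int reass_total;       /* segments currently held, all connections */

/* Sequence comparison that survives 32-bit wraparound. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
/* Returns 1 if the segment was delivered or queued, 0 if it was dropped. */
int reass_input(struct conn *c, uint32_t seq, uint32_t len)
{
    if (seq_lt(seq, c->rcv_nxt)) return 0; /* stale data, already delivered */
    if (seq != c->rcv_nxt) {               /* out of sequence: must be held */
        struct seg **pp = &c->q, *s;
        if (reass_total >= REASS_MAX_GLOBAL || c->qlen >= REASS_MAX_PERCONN)
            return 0;                      /* over budget: peer retransmits */
        while (*pp && seq_lt((*pp)->seq, seq))
            pp = &(*pp)->next;             /* keep the queue sorted by seq */
        if (*pp && (*pp)->seq == seq) return 0;  /* duplicate costs no memory */
        if ((s = malloc(sizeof *s)) == NULL)
            return 0;
        s->seq = seq; s->len = len; s->next = *pp; *pp = s;
        c->qlen++; reass_total++;
        return 1;
    }
    c->rcv_nxt += len;                     /* in sequence: deliver */
    while (c->q && !seq_lt(c->rcv_nxt, c->q->seq)) {  /* drain what now fits */
        struct seg *s = c->q;
        uint32_t end = s->seq + s->len;
        if (seq_lt(c->rcv_nxt, end))
            c->rcv_nxt = end;
        c->q = s->next; free(s);
        c->qlen--; reass_total--;
    }
    return 1;
}

int main(void)
{
    struct conn c = { 1000, 0, NULL };     /* constructed traffic below */
    for (uint32_t s = 1100; s <= 1500; s += 100)
        printf("seq %u: %s\n", (unsigned)s, reass_input(&c, s, 100) ? "held" : "dropped");
    reass_input(&c, 1000, 100);            /* the missing segment arrives */
    printf("rcv_nxt=%u held=%d\n", (unsigned)c.rcv_nxt, reass_total);
}
```

Without the two budget checks, every out-of-sequence segment allocates memory that is released only when the gap is filled, which is the exhaustion the advisory describes.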