From owner-freebsd-pf@FreeBSD.ORG Fri Jul 1 11:01:09 2005
Date: Fri, 1 Jul 2005 13:01:05 +0200
From: Daniel Hartmeier
To: BB
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp
Message-ID: <20050701110105.GS26761@insomnia.benzedrine.cx>
In-Reply-To: <787dcac205063007324170b6e4@mail.gmail.com>
References: <200506292155.j5TLt4cE008219@freefall.freebsd.org> <787dcac205063007324170b6e4@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Jun 30, 2005 at 09:32:27AM -0500, BB wrote:
> I assume without upgrading the mighty pf would handle this ?

Yes.
The unpatched vulnerability can be exploited (to stall a connection) by spoofing only four (4) small packets, by choosing random sequence and timestamp values and their integer opposites [1]. Hence, exploiting it is relatively cheap, quick, and reliable.

If you have pf in front of a peer, the attacker would have to successfully guess the proper sequence and acknowledgment numbers within small windows, which requires sending so many packets that it's considered unfeasible. If he could efficiently guess those numbers, he could simply RST the connection, or worse, inject payload, etc., anyway.

Of course, if the other peer is unprotected, the attacker would send his spoofs there, and achieve the same effect. But if both are protected, the vulnerability is not exploitable.

Daniel

[1] http://downloads.securityfocus.com/vulnerabilities/exploits/tcp_paws.c
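As an added illustration (not part of the mail, and not pf's own source), the following Python model shows why a stateful filter like pf stops segments with random sequence and acknowledgment numbers before they reach the protected host: every segment is checked against the per-connection window pf tracks. The state layout (seqlo/seqhi/max_win) and the MAXACKWINDOW tolerance follow pf's design in simplified form; the ISNs, window sizes and exchange are constructed sample values.

```python
import random

MOD = 1 << 32
MAXACKWINDOW = 65535 + 1500  # pf's tolerance for how far an ack may lag or lead the tracked value

def sdiff(a, b):
    """Signed 32-bit difference a - b, so sequence numbers compare correctly across wrap-around."""
    return ((a - b + (1 << 31)) % MOD) - (1 << 31)

class Side:
    """One direction of a connection, simplified from pf's per-peer state (seqlo/seqhi/max_win)."""
    def __init__(self, isn, own_win, peer_win):
        self.seqlo = (isn + 1) % MOD             # next byte this side is expected to send
        self.seqhi = (isn + 1 + peer_win) % MOD  # highest byte the peer has allowed it to send
        self.max_win = own_win                   # largest window this side has advertised

class TcpState:
    """Sequence/ack window check for an established connection, modelled on pf's tracking."""
    def __init__(self, isn_a, win_a, isn_b, win_b):
        self.side = {"a": Side(isn_a, win_a, win_b), "b": Side(isn_b, win_b, win_a)}

    def check(self, frm, seq, ack, length, win):
        src, dst = self.side[frm], self.side["b" if frm == "a" else "a"]
        end = (seq + length) % MOD
        ackskew = sdiff(dst.seqlo, ack)
        ok = (sdiff(src.seqhi, end) >= 0                                # last byte within peer's window
              and sdiff(seq, (src.seqlo - dst.max_win) % MOD) >= 0     # at most one window back (retransmit)
              and -MAXACKWINDOW <= ackskew <= MAXACKWINDOW)             # ack near what dst has actually sent
        if not ok:
            return False                                                # dropped by the filter; host never sees it
        src.max_win = max(src.max_win, win)                             # slide the tracked state forward
        if sdiff(end, src.seqlo) > 0:
            src.seqlo = end
        if sdiff((ack + win) % MOD, dst.seqhi) >= 0:
            dst.seqhi = (ack + max(win, 1)) % MOD
        return True

def demo(spoofs=100_000, seed=1):
    """Constructed exchange: legitimate segments pass, random seq/ack segments claiming to be 'a' are dropped."""
    st = TcpState(isn_a=1000, win_a=65535, isn_b=5_000_000, win_b=65535)  # sample ISNs and windows
    legit = [st.check("a", 1001, 5_000_001, 100, 65535),   # a sends 100 bytes
             st.check("b", 5_000_001, 1101, 0, 65535),      # b acks them
             st.check("b", 5_000_001, 1101, 1460, 65535),   # b sends a full segment
             st.check("a", 1101, 5_001_461, 0, 65535)]      # a acks it
    rng = random.Random(seed)
    passed = sum(st.check("a", rng.randrange(MOD), rng.randrange(MOD), 0, 65535) for _ in range(spoofs))
    return all(legit), passed
```

With a 64 KB window on each side, a segment with random sequence and ack numbers lands inside both windows with probability on the order of one in a billion, which is why `demo()` reports zero spoofs passing while the legitimate exchange goes through.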