From: Karl Pielorz
To: d@delphij.net, freebsd-security@freebsd.org
Date: Thu, 01 May 2014 19:51:37 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Message-ID: <5E06BC0A5CFB26EDF20A7FC5@study64.tdx.co.uk>
In-Reply-To: <53629582.9010605@delphij.net>
References: <201404300435.s3U4ZAw1093717@freefall.freebsd.org> <7A880FB5C3D1DA39692881FE@study64.tdx.co.uk> <53629582.9010605@delphij.net>

--On 1 May 2014 11:42:10 -0700 Xin Li wrote:

>> Does this require an established TCP session to be present? - i.e.
>> If you have a host which provides no external TCP sessions (i.e.
>> replies 'Connection Refused' / drops the initial SYN) would that
>> still be potentially exploitable?
>
> No. An established TCP session is required.
>
>> What about boxes used as routers - that just forward the traffic
>> (and again, offer no TCP services directly themselves)?
>
> Routers themselves are not affected, assuming that they merely forward
> the traffic.

That's great - thanks for clarifying...

We have a number of boxes that you can't (from the Internet) get a TCP session to. Whilst they will still have to be patched [to protect them from our 'admin' networks], we can use that mitigation to plan a better patch install / reboot schedule.

Regards,

-Karl
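The mitigation Karl describes (a host that no one on the Internet can establish a TCP session with, while the admin networks still can) is what a default-deny packet filter on the external interface gives you. The following pf.conf is an added example, not part of the original thread or of the advisory; the interface name `em0` and the two admin network ranges (RFC 5737 documentation prefixes) are placeholders.

```pf
# Hypothetical pf.conf for a FreeBSD host that offers no TCP service to the
# Internet. Interface name and admin ranges are placeholders for this example.
ext_if     = "em0"
admin_nets = "{ 192.0.2.0/24, 198.51.100.0/24 }"

set skip on lo0

# Default deny on the external interface. "block drop" silently discards the
# initial SYN; use "block return" instead if the host should answer with a
# RST ("Connection refused"). Either way, no session is established from
# the Internet side.
block drop in on $ext_if

# The admin networks may still open sessions (SSH here). pf uses last-match
# semantics, so this pass rule overrides the block above for these sources.
# These sessions are exactly why the host still has to be patched: the filter
# narrows who can reach the host over TCP, it does not remove the bug.
pass in on $ext_if proto tcp from $admin_nets to ($ext_if) port 22 \
    flags S/SA keep state

# Let the host itself initiate outbound connections (e.g. to fetch updates).
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and verify from an outside host that a connection attempt to the box times out (or is refused, if `block return` was chosen) while the same attempt from an admin network succeeds.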