From owner-freebsd-security@freebsd.org Thu Feb 1 01:00:16 2018
From: Brahmanand Reddy
Date: Thu, 1 Feb 2018 06:30:14 +0530
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
To: Peter Jeremy
Cc: freebsd-security@freebsd.org
In-Reply-To: <20180112074115.GB75633@server.rulingia.com>
References: <44k1wnes1w.fsf@be-well.ilk.org> <20180112061425.GA75633@server.rulingia.com> <20180112074115.GB75633@server.rulingia.com>
List-Id: "Security issues [members-only posting]"

Dear Peter/Team,

My final call on this thread: "RST does not happen as quickly in 10.4 and 11 FreeBSD as in 9.2". It takes a 10 to 15 second delay to reset and generate a new ISN on ports 80/443.

Example:

    # Assumes scapy, plus ip, sport, dport and SYNACK from the earlier
    # SYN/SYN-ACK exchange (not shown in this message).
    from scapy.all import TCP, send
    import random, time

    # RST
    RST = TCP(sport=sport, dport=dport, flags='R', seq=SYNACK.ack, ack=0)
    send(ip/RST)
    time.sleep(15)
    SYN2 = TCP(sport=sport, dport=dport, flags='S', seq=random.randint(1024, 18576), ack=0)

Kindly clarify and conclude:

1) Could this be the expected behavior, or does some new enhancement cause this delay? If so, what are those enhancements?
2) Do we have to configure anything, e.g. in 'sysctl.conf', or is a corresponding fix available?

Note: In 9.2 there was no delay; I didn't observe any issue. The standards say it must respond quickly with a RST.
Sincerely,
Brahma

On Fri, Jan 12, 2018 at 1:11 PM, Peter Jeremy wrote:
> On 2018-Jan-12 12:33:21 +0530, Brahmanand Reddy wrote:
> >TCP uses weak initial sequence numbers
> >https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>
> As has been pointed out to you several times in this thread, that SA is
> nearly 20 years old and there is no evidence that TCP on any recent FreeBSD
> uses weak ISNs.
>
> >actually "arc4random()" will take care of this in
> >https://github.com/freebsd/freebsd/blob/master/sys/netinet/tcp_subr.c#L2374
>
> Without studying the code in detail, that code appears to correctly use
> arc4random() to initialise the ISN - which is as expected.
>
> >I suspect 10.4 already has the fix... but I didn't find exactly
> >which patch fixes this problem on https://www.freebsd.org/security/patches/
>
> Well, the original patch is
> https://www.freebsd.org/security/patches/SA-00%3A52/ and was committed
> as what is now https://svnweb.freebsd.org/base?view=revision&revision=66433
> Since that patch is integrated into the FreeBSD codebase, there's no need
> to update the contents of https://www.freebsd.org/security/patches/SA-00%3A52/
> and it is not relevant to the current codebase.
>
> >I would like to know where the fix is in the 10.4 kernel.
>
> That code was re-written in r82122, retaining the use of arc4random() for
> ISN initialisation. As a result, it's no longer possible to point at
> specific code and say "that code fixes weak TCP ISNs".
>
> --
> Peter Jeremy
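The thread never gets past "look at the code": Peter points at arc4random() in tcp_subr.c, Brahma's scapy script collects a SYN-ACK and then waits for a RST. What SA-00:52 was actually about is whether an off-path attacker can guess the next ISN closely enough to land a spoofed segment inside the receive window, and that is something you can measure from the ISNs the scapy loop already sees in SYNACK.seq. The following is an added example written for this page, not code from FreeBSD or from either poster. Everything in it is constructed: the "weak" generator is a simplified counter-plus-clock scheme in the spirit of the pre-SA-00:52 BSD behaviour (not the historical code), the "strong" one draws each ISN from a seeded PRNG standing in for arc4random(), and the 10 ms connection spacing with jitter is a made-up workload. The analysis function is the part you would point at a real list of captured ISNs.

```python
"""Is a sequence of observed TCP ISNs predictable?

Added example for this thread, not code from FreeBSD or from either poster.
The ISNs are produced by two constructed generators below, not captured
from a real host: a counter-based one in the spirit of the pre-SA-00:52
BSD scheme (simplified illustration, not the historical code) and one
drawing each ISN from a seeded PRNG to stand in for arc4random().
"""
import math
import random
import statistics
from functools import reduce

MOD32 = 1 << 32


class WeakISN:
    """Constructed weak generator: a fixed bump per connection plus a
    clock-driven term, so consecutive ISNs differ by a near-constant."""

    def __init__(self, start=0x1000, per_conn=64000, per_sec=250000):
        self.start, self.per_conn, self.per_sec = start, per_conn, per_sec
        self.conns = 0
        self.t0 = None

    def next_isn(self, now):
        if self.t0 is None:
            self.t0 = now
        self.conns += 1
        clock = int(self.per_sec * (now - self.t0))
        return (self.start + self.per_conn * self.conns + clock) % MOD32


class RandomISN:
    """Strong stand-in: every ISN is a fresh 32-bit value from the RNG
    (arc4random() on the real kernel; a seeded PRNG here so the run is
    reproducible offline)."""

    def __init__(self, rng):
        self.rng = rng

    def next_isn(self, now):
        return self.rng.getrandbits(32)


def sample_isns(gen, n, rng):
    """Simulate n connections ~10 ms apart (with jitter) and collect the ISNs."""
    now, isns = 0.0, []
    for _ in range(n):
        now += rng.uniform(0.008, 0.012)
        isns.append(gen.next_isn(now))
    return isns


def forward(a, b):
    """Distance from a forward to b on the 32-bit sequence circle."""
    return (b - a) % MOD32


def circ_dist(a, b):
    """Shortest distance between a and b on the 32-bit sequence circle."""
    d = forward(a, b)
    return min(d, MOD32 - d)


def analyze_isns(isns, window=1 << 16):
    """Summarise how guessable a list of observed ISNs is.

    delta_stdev: spread of consecutive deltas (hundreds for a counter,
                 about 1.2e9 for uniform 32-bit values).
    gcd:         common factor of all deltas (>1 betrays a counter stepped
                 in fixed units; WeakISN's clock term hides this, but not
                 the tiny delta spread).
    hit_rate:    fraction of ISNs an attacker lands within `window` of by
                 guessing prev + median(previous deltas), i.e. the chance
                 a blindly spoofed segment's seq falls in the receive window.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs")
    deltas = [forward(a, b) for a, b in zip(isns, isns[1:])]
    hits = 0
    for i in range(2, len(isns)):
        guess = (isns[i - 1] + int(statistics.median(deltas[: i - 1]))) % MOD32
        if circ_dist(guess, isns[i]) < window:
            hits += 1
    return {
        "n": len(isns),
        "delta_stdev": statistics.pstdev(deltas),
        "gcd": reduce(math.gcd, deltas),
        "hit_rate": hits / (len(isns) - 2),
    }


def compare(n=200, seed=2018):
    """Run both constructed generators through the same analysis."""
    rng = random.Random(seed)
    weak = analyze_isns(sample_isns(WeakISN(), n, rng))
    strong = analyze_isns(sample_isns(RandomISN(random.Random(seed + 1)), n, rng))
    return weak, strong


if __name__ == "__main__":
    for name, r in zip(("counter-based", "random"), compare()):
        print(f"{name:14s} stdev={r['delta_stdev']:.0f} gcd={r['gcd']} "
              f"hit_rate={r['hit_rate']:.2f}")
```

On a real host, feed analyze_isns() the SYNACK.seq values from a few hundred connections to the same port; a hit_rate near 1.0 is the SA-00:52 condition, while arc4random-style ISNs give a hit_rate near zero and a delta spread in the 1e9 range. Note that a single SYN after a 15 second sleep, as in the script above, tells you nothing about predictability either way; it is the relationship between many consecutive ISNs that matters.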