Date:      Tue, 16 Sep 2014 10:03:59 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r45614 - in head/share: security/advisories security/patches/SA-14:19 xml
Message-ID:  <201409161003.s8GA3xFV071776@svn.freebsd.org>

Author: delphij
Date: Tue Sep 16 10:03:58 2014
New Revision: 45614
URL: http://svnweb.freebsd.org/changeset/doc/45614

Log:
  Add SA-14:19.tcp.

Added:
  head/share/security/advisories/FreeBSD-SA-14:19.tcp.asc   (contents, props changed)
  head/share/security/patches/SA-14:19/
  head/share/security/patches/SA-14:19/tcp.patch   (contents, props changed)
  head/share/security/patches/SA-14:19/tcp.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-14:19.tcp.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:19.tcp.asc	Tue Sep 16 10:03:58 2014	(r45614)
@@ -0,0 +1,147 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:19.tcp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Denial of Service in TCP packet processing
+
+Category:       core
+Module:         inet
+Announced:      2014-09-16
+Credits:        Jonathan Looney (Juniper SIRT)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-09-16 09:48:35UTC (stable/10, 10.1-PRERELEASE)
+                2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1)
+                2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9)
+                2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE)
+                2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2)
+                2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12)
+                2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19)
+                2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE)
+                2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16)
+CVE Name:       CVE-2004-0230
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service.  New TCP connections are initiated using special SYN
+flag in a datagram.  Sequencing of data is controlled by 32-bit sequence
+numbers, that start with a random value and are increased using modulo
+2**32 arithmetic.  TCP endpoints maintain a window of expected, and
+thus allowed, sequence numbers for a connection.
+
+II.  Problem Description
+
+When a segment with the SYN flag for an already existing connection arrives,
+the TCP stack tears down the connection, bypassing a check that the
+sequence number in the segment is in the expected window.
+
+III. Impact
+
+An attacker who has the ability to spoof IP traffic can tear down a
+TCP connection by sending only 2 packets, if they know both TCP port
+numbers.  In case one of the two port numbers is unknown, a successful
+attack requires less than 2**17 packets spoofed, which can be
+generated within less than a second on a decent connection to the
+Internet.
+
+IV.  Workaround
+
+It is possible to defend against these attacks with stateful traffic
+inspection using a firewall.  This can be done by enabling pf(4) on
+the system and creating states for every connection.  Even a default
+ruleset to allow all traffic would be sufficient to mitigate this
+issue.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r271668
+releng/8.4/                                                       r271669
+stable/9/                                                         r271668
+releng/9.1/                                                       r271669
+releng/9.2/                                                       r271669
+releng/9.3/                                                       r271669
+stable/10/                                                        r271667
+releng/10.0/                                                      r271669
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230>;
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:19.tcp.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=qjIZ
+-----END PGP SIGNATURE-----
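Review bot: the Corrected: block lists stable/10 twice with different version strings (10.1-PRERELEASE and 10.1-BETA1-p1) while the Correction details table has no 10.1 branch at all; the second entry carries a -p1 patch level, which is the naming used for release branches, so one of the two lines most likely belongs to a different branch and the two sections should be reconciled before the advisory is published. The first Corrected: entry also reads `09:48:35UTC` without the space every other entry has, and in Background "using special SYN flag" should read "using a special SYN flag".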

Added: head/share/security/patches/SA-14:19/tcp.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:19/tcp.patch	Tue Sep 16 10:03:58 2014	(r45614)
@@ -0,0 +1,17 @@
+Index: sys/netinet/tcp_input.c
+===================================================================
+--- sys/netinet/tcp_input.c	(revision 271383)
++++ sys/netinet/tcp_input.c	(working copy)
+@@ -2092,11 +2092,7 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th,
+ 
+ 	todrop = tp->rcv_nxt - th->th_seq;
+ 	if (todrop > 0) {
+-		/*
+-		 * If this is a duplicate SYN for our current connection,
+-		 * advance over it and pretend and it's not a SYN.
+-		 */
+-		if (thflags & TH_SYN && th->th_seq == tp->irs) {
++		if (thflags & TH_SYN) {
+ 			thflags &= ~TH_SYN;
+ 			th->th_seq++;
+ 			if (th->th_urp > 1)
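Review bot: dropping the `th->th_seq == tp->irs` condition widens the duplicate-SYN branch from "exact retransmit of the original SYN" to "any SYN whose sequence number falls before rcv_nxt", which is what stops an out-of-window spoofed SYN from falling through to the teardown described in the advisory, but the hunk deletes the explanatory comment without replacing it. Please keep a comment above `if (thflags & TH_SYN) {` saying that any SYN with todrop > 0 is stripped and stepped over so the segment is handled as old data rather than as a new SYN; without it the next reader is likely to reintroduce the irs check as an "obvious" tightening and reopen the issue.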

Added: head/share/security/patches/SA-14:19/tcp.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:19/tcp.patch.asc	Tue Sep 16 10:03:58 2014	(r45614)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUGAnQAAoJEO1n7NZdz2rnMucQALHIm020vq4E+9LT+OhvMo2o
+cAAD5W+IK4yj39jKjqyMK3Elm6iKgPYhyAZrOGxHtoDnjWXfQrKWmZFsmTXNjbHy
+ramFwe6qglsZQ0mkKT36OJgVCK/vw1wUPO+CyyGD87n6XJ6uwmc7KOzWcrECuYun
+rXR6IjOjyevSWsX0N+e+qN2kmry1RYfqnsg7yaNKbjO4EDr3UoCbT2Hp+sTS60gF
+YnbKmCLhew0lcGXcbNmBitsj1jn/JwXnQsloKasUhkCBVBVuYs3i602FSb+szDe5
+C/KcUqETCMJleiqhf5YufkKcHtM5aQf/J9HIILmbzF8cEHRy0RPlxZrcHJIfHplu
+TJWehGl6jBWpxgWS0FEPoR0fGHaGIZy72rdclLcV4uMuyvOwdJMFXEsU22FCa3Mt
+w85RfsxHxxsDte8aHkyzMuN8OQVbG2RvfmfrMOCfCJvSc1QMUshkhCQgn5wj6y9z
+qc4cfK8ppt15F2x1AC2uscaNghdOD6yixE8JqOjpXArXIGjkkWLB9t6sgoUiOMbS
+jyaseaFisIdto0j7UJ9OnuUbDLxcQhgIk1JXNlu6Vwb4PitRKiL3Ix5CiYYB643k
+iPJGcHx8JblX/z+TE5X7WA/T4TlvphthZ6QKgVmW8TMcgqrBSazEo0EN7mHeCKLo
+VziBvb2zKWYjEa29uE5u
+=ZTBf
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Tue Sep 16 09:05:41 2014	(r45613)
+++ head/share/xml/advisories.xml	Tue Sep 16 10:03:58 2014	(r45614)
@@ -11,6 +11,14 @@
       <name>9</name>
 
       <day>
+	<name>16</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-14:19.tcp</name>
+	</advisory>
+      </day>
+
+      <day>
 	<name>9</name>
 
 	<advisory>
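Review bot: the inserted block reuses the existing `<day>` opening from the context line for the new day 16 entry and then opens a fresh `<day>` for the pre-existing day 9 content, so the element nesting stays balanced and the new entry lands ahead of day 9, matching the descending day order the context shows; please confirm the rest of the file lists days in that same order so the new entry is not the only one out of sequence.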


