From owner-svn-doc-head@FreeBSD.ORG Tue Sep 16 10:03:59 2014
From: Xin LI <delphij@FreeBSD.org>
Date: Tue, 16 Sep 2014 10:03:59 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r45614 - in head/share: security/advisories security/patches/SA-14:19 xml
Message-Id: <201409161003.s8GA3xFV071776@svn.freebsd.org>
X-SVN-Group: doc-head
List-Id: SVN commit messages for the doc tree for head

Author: delphij
Date: Tue Sep 16 10:03:58 2014
New Revision: 45614
URL: http://svnweb.freebsd.org/changeset/doc/45614

Log:
  Add SA-14:19.tcp.

Added:
  head/share/security/advisories/FreeBSD-SA-14:19.tcp.asc   (contents, props changed)
  head/share/security/patches/SA-14:19/
  head/share/security/patches/SA-14:19/tcp.patch   (contents, props changed)
  head/share/security/patches/SA-14:19/tcp.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-14:19.tcp.asc
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:19.tcp.asc   Tue Sep 16 10:03:58 2014   (r45614)
@@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:19.tcp Security Advisory + The FreeBSD Project + +Topic: Denial of Service in TCP packet processing + +Category: core +Module: inet +Announced: 2014-09-16 +Credits: Jonathan Looney (Juniper SIRT) +Affects: All supported versions of FreeBSD. +Corrected: 2014-09-16 09:48:35UTC (stable/10, 10.1-PRERELEASE) + 2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1) + 2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9) + 2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE) + 2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2) + 2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12) + 2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19) + 2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE) + 2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16) +CVE Name: CVE-2004-0230 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Transmission Control Protocol (TCP) of the TCP/IP protocol suite +provides a connection-oriented, reliable, sequence-preserving data +stream service. New TCP connections are initiated using special SYN +flag in a datagram. Sequencing of data is controlled by 32-bit sequence +numbers, that start with a random value and are increased using modulo +2**32 arithmetic. TCP endpoints maintain a window of expected, and +thus allowed, sequence numbers for a connection. + +II. Problem Description + +When a segment with the SYN flag for an already existing connection arrives, +the TCP stack tears down the connection, bypassing a check that the +sequence number in the segment is in the expected window. + +III. Impact + +An attacker who has the ability to spoof IP traffic can tear down a +TCP connection by sending only 2 packets, if they know both TCP port +numbers. 
In case one of the two port numbers is unknown, a successful +attack requires less than 2**17 packets spoofed, which can be +generated within less than a second on a decent connection to the +Internet. + +IV. Workaround + +It is possible to defend against these attacks with stateful traffic +inspection using a firewall. This can be done by enabling pf(4) on +the system and creating states for every connection. Even a default +ruleset to allow all traffic would be sufficient to mitigate this +issue. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch +# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc +# gpg --verify tcp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r271668 +releng/8.4/ r271669 +stable/9/ r271668 +releng/9.1/ r271669 +releng/9.2/ r271669 +releng/9.3/ r271669 +stable/10/ r271667 +releng/10.0/ r271669 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJUGAnEAAoJEO1n7NZdz2rnHEkP/0fVx7U6l/YKVWToejpCxMLa +TS9ng0kN5GEkyYPTHbK3Pb5T2b4zhpDlhRVTDtwkP+00VXAGIAC6GiQl2QBAApgv +68cla+TU+gh2I03XxIl+eWHu4EWaYa0v2vDqL0n/XNLvcZVD3R0CC+6HHUbKm46t +dQg4olCdXdHkZleclvuYGjd+W8JfC17Xe3xshNKq7BV05XWqXrKoqxfxot8Cnxyx +n4MePoiNYn13iO5OpEWf2J6BS1JJ1M/L0CAAKGcNitD8dYMdKNEfn6tpPXHNIWGH +vUI0sD2rPRs3OWbK6Y3xmakCPK8MXjSyFNvJ2NkuU6dYdKBNHYswh46F9XP0cSDc +K5wB36R/mx5ky05HBCpAjiGh2X67Y6QtQiBq5ESltodAp1Sl966fgLnNKyIgeHr5 +51QNCXDdc7S7pE9daA/uiIEZVKH8eKYGHP53zN/tiTDVWy7yTEBIW4lhJVkHIAAt +VBvLB0efr47z6IZ92GshGKZawaPAOeuBrEtYDOdNNJeh+WhSPoE5MKfS6NiH/lRg +DorewB9KbChCUhxMCH2Pj7AxTVoe3fjWtZYRo02OHMitTTJbExsyT33vTH1Sb2LT +6lXBFFOvo5Uw8JJyykd+GXUcwe13hcroS+eqz/GE+9yReMrwd82qbiDM4VlTdVMq +trAqOw2zRyBa7R6D2+4T +=qjIZ +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:19/tcp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:19/tcp.patch Tue Sep 16 10:03:58 2014 (r45614) 
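Review bot: in the added FreeBSD-SA-14:19.tcp.asc, the IV. Workaround paragraph says a default allow-all pf ruleset is sufficient but does not say why; suggest stating that pf `pass` rules keep state by default (the "creating states for every connection" the paragraph relies on), so the ruleset helps only because the state table, not the host's TCP stack, screens the spoofed segment, and that a ruleset written with `no state` would give no protection. Smaller fixes in the same hunk: the first Corrected entry reads `09:48:35UTC` where every other entry has a space before UTC; in I. Background, `initiated using special SYN flag in a datagram` should read `initiated using a special SYN flag in a segment`, and `32-bit sequence numbers, that start with a random value` should drop the comma; in III. Impact, `requires less than 2**17 packets spoofed` reads better as `requires fewer than 2**17 spoofed packets`.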
@@ -0,0 +1,17 @@ +Index: sys/netinet/tcp_input.c +=================================================================== +--- sys/netinet/tcp_input.c (revision 271383) ++++ sys/netinet/tcp_input.c (working copy) +@@ -2092,11 +2092,7 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, + + todrop = tp->rcv_nxt - th->th_seq; + if (todrop > 0) { +- /* +- * If this is a duplicate SYN for our current connection, +- * advance over it and pretend and it's not a SYN. +- */ +- if (thflags & TH_SYN && th->th_seq == tp->irs) { ++ if (thflags & TH_SYN) { + thflags &= ~TH_SYN; + th->th_seq++; + if (th->th_urp > 1) Added: head/share/security/patches/SA-14:19/tcp.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:19/tcp.patch.asc Tue Sep 16 10:03:58 2014 (r45614) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJUGAnQAAoJEO1n7NZdz2rnMucQALHIm020vq4E+9LT+OhvMo2o +cAAD5W+IK4yj39jKjqyMK3Elm6iKgPYhyAZrOGxHtoDnjWXfQrKWmZFsmTXNjbHy +ramFwe6qglsZQ0mkKT36OJgVCK/vw1wUPO+CyyGD87n6XJ6uwmc7KOzWcrECuYun +rXR6IjOjyevSWsX0N+e+qN2kmry1RYfqnsg7yaNKbjO4EDr3UoCbT2Hp+sTS60gF +YnbKmCLhew0lcGXcbNmBitsj1jn/JwXnQsloKasUhkCBVBVuYs3i602FSb+szDe5 +C/KcUqETCMJleiqhf5YufkKcHtM5aQf/J9HIILmbzF8cEHRy0RPlxZrcHJIfHplu +TJWehGl6jBWpxgWS0FEPoR0fGHaGIZy72rdclLcV4uMuyvOwdJMFXEsU22FCa3Mt +w85RfsxHxxsDte8aHkyzMuN8OQVbG2RvfmfrMOCfCJvSc1QMUshkhCQgn5wj6y9z +qc4cfK8ppt15F2x1AC2uscaNghdOD6yixE8JqOjpXArXIGjkkWLB9t6sgoUiOMbS +jyaseaFisIdto0j7UJ9OnuUbDLxcQhgIk1JXNlu6Vwb4PitRKiL3Ix5CiYYB643k +iPJGcHx8JblX/z+TE5X7WA/T4TlvphthZ6QKgVmW8TMcgqrBSazEo0EN7mHeCKLo +VziBvb2zKWYjEa29uE5u +=ZTBf +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Sep 16 09:05:41 2014 (r45613) +++ head/share/xml/advisories.xml Tue Sep 16 10:03:58 2014 (r45614) 
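Review bot: the sys/netinet/tcp_input.c hunk deletes the explanatory comment together with the `th->th_seq == tp->irs` test and replaces neither, so the bare `if (thflags & TH_SYN) {` left inside `if (todrop > 0) {` gives a later reader no hint why every SYN whose sequence number precedes rcv_nxt is now handled as a duplicate; suggest restoring a short comment there, for example that a SYN arriving before rcv_nxt can only be stale or forged, so its flag is cleared and th_seq advanced exactly as for a repeated SYN, which keeps the segment from reaching the reset path the advisory describes without first passing the normal window checks. The `th->th_urp > 1` adjustment that follows now also applies to those segments, which is consistent with advancing th_seq by one.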
@@ -11,6 +11,14 @@ 9 + 16 + + + FreeBSD-SA-14:19.tcp + + + + 9
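The sequence-number handling described in sections II and III of the advisory and changed by the tcp_input.c hunk above, as an added C model that is not the FreeBSD kernel code: `struct tcpcb_model`, `model_syn_segment()`, `count_probe_teardowns()` and the connection values in `main()` are constructed for illustration, and the window-end check and the RFC 793 reset rule placed after the `todrop` block are assumptions about the surrounding segment processing that the hunk does not show. The `fixed` argument selects the pre-patch or post-patch condition so both behaviours can be compared on the same input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bit as defined in <netinet/tcp.h>. */
#define TH_SYN 0x02

/*
 * Constructed stand-ins for the tcpcb and tcphdr fields the SA-14:19 hunk
 * uses.  These are not the kernel's structures; the field names are kept so
 * the logic below reads like the patched fragment of tcp_do_segment().
 */
struct tcpcb_model {
	uint32_t irs;      /* initial receive sequence number (peer's ISN) */
	uint32_t rcv_nxt;  /* next sequence number expected from the peer */
	uint32_t rcv_wnd;  /* advertised receive window, in bytes */
};

enum verdict {
	VERDICT_PROCESS,         /* segment continues normal processing */
	VERDICT_DROP_AFTER_ACK,  /* ends beyond the window: dropped, ACK sent */
	VERDICT_TEARDOWN         /* SYN survives trimming: connection is reset */
};

/*
 * Model of a zero-length SYN segment (tlen == 0) arriving on an established
 * connection.  The todrop block is the code the hunk changes; everything
 * after it is an assumption drawn from the advisory text: a segment ending
 * past the receive window is dropped, and a SYN still set beyond that point
 * resets the connection (RFC 793).
 */
static enum verdict
model_syn_segment(const struct tcpcb_model *tp, uint32_t th_seq, bool fixed)
{
	uint8_t thflags = TH_SYN;
	int32_t todrop;

	/* Hunk: trim whatever part of the segment lies before rcv_nxt. */
	todrop = (int32_t)(tp->rcv_nxt - th_seq);
	if (todrop > 0) {
		bool dup_syn = fixed
		    ? (thflags & TH_SYN) != 0                        /* patched */
		    : (thflags & TH_SYN) != 0 && th_seq == tp->irs;  /* original */
		if (dup_syn) {
			thflags &= ~TH_SYN;
			th_seq++;
			todrop--;
		}
		/*
		 * Assumed: the old-data path discards the (empty) payload and
		 * schedules an ACK, but keeps processing the remaining flags.
		 */
	}

	/* Assumed window-end check: segment ends past rcv_nxt + rcv_wnd. */
	if ((int32_t)(th_seq - (tp->rcv_nxt + tp->rcv_wnd)) > 0)
		return VERDICT_DROP_AFTER_ACK;

	/* Assumed RFC 793 rule: a SYN on an established connection resets it. */
	if (thflags & TH_SYN)
		return VERDICT_TEARDOWN;

	return VERDICT_PROCESS;
}

/*
 * The advisory's two-packet figure follows from todrop being a signed 32-bit
 * difference: for any rcv_nxt, a SYN with sequence number 0 or one with
 * 2^31 either lands in the todrop > 0 half of the space or exactly on
 * rcv_nxt.  Returns how many of those two constructed probes reset the
 * connection under the selected code version.
 */
static int
count_probe_teardowns(const struct tcpcb_model *tp, bool fixed)
{
	const uint32_t probes[2] = { 0x00000000u, 0x80000000u };
	int n = 0;

	for (int i = 0; i < 2; i++)
		if (model_syn_segment(tp, probes[i], fixed) == VERDICT_TEARDOWN)
			n++;
	return n;
}

int
main(void)
{
	/* Constructed connection state; irs differs from both probe values. */
	struct tcpcb_model tp = { .irs = 0x11111111u, .rcv_nxt = 0x12345678u,
	    .rcv_wnd = 65535 };

	printf("before fix: %d of 2 spoofed SYNs reset the connection\n",
	    count_probe_teardowns(&tp, false));
	printf("after fix:  %d of 2 spoofed SYNs reset the connection\n",
	    count_probe_teardowns(&tp, true));
	printf("in-window SYN still resets after fix: %s\n",
	    model_syn_segment(&tp, tp.rcv_nxt + 16, true) == VERDICT_TEARDOWN
	    ? "yes" : "no");
	return 0;
}
```

Before the patch, a SYN whose sequence number falls before rcv_nxt but is not equal to irs keeps its flag through the trimming step and reaches the reset rule, so of two forged SYNs 2^31 apart one always tears the connection down. After the patch any SYN in that region has its flag cleared and is handled as stale data; only a SYN that actually lies inside the receive window, which RFC 793 treats as an error in any case, can still reset the connection, which is the window check the advisory says was being bypassed.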