From: Brahmanand Reddy
Date: Fri, 12 Jan 2018 08:16:38 +0530
Subject: Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
To: freebsd-security@freebsd.org

Hi Lowell,

Yes, it was fixed 20 years back, but this patch is not available in the 10.2/10.4 source code; the problem still exists on 10.4 too.

Please find below a snippet of the patch:

Index: tcp_seq.h =================================================================== RCS file: /usr2/ncvs/src/sys/netinet/tcp_seq.h,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- tcp_seq.h 1999/12/29 04:41:02 1.11 +++ tcp_seq.h 2000/09/29 01:37:19 1.12 @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)tcp_seq.h 8.3 (Berkeley) 6/21/95 - * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.11 1999/12/29 04:41:02 peter Exp $ + * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.12 2000/09/29 01:37:19 kris Exp $ */ #ifndef _NETINET_TCP_SEQ_H_ 
@@ -91,7 +91,7 @@ * number in the range [0-0x3ffff] that is hard to predict. */ #ifndef tcp_random18 -#define tcp_random18() ((random() >> 14) & 0x3ffff) +#define tcp_random18() (arc4random() & 0x3ffff) #endif #define TCP_ISSINCR (122*1024 + tcp_random18()) Index: tcp_subr.c =================================================================== RCS file: /usr2/ncvs/src/sys/netinet/tcp_subr.c,v retrieving revision 1.80 retrieving revision 1.81 diff -u -r1.80 -r1.81 --- tcp_subr.c 2000/09/25 23:40:22 1.80 +++ tcp_subr.c 2000/09/29 01:37:19 1.81 @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95 - * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.80 2000/09/25 23:40:22 bmilekic Exp $ + * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.81 2000/09/29 01:37:19 kris Exp $ */ #include "opt_compat.h" 
@@ -178,7 +178,7 @@ { int hashsize; - tcp_iss = random(); /* wrong, but better than a constant */ + tcp_iss = arc4random(); /* wrong, but better than a constant */ tcp_ccgen = 1; tcp_cleartaocache();

I suspect the patch is released for 10.4 and above, but I didn't find exactly the corresponding one at https://www.freebsd.org/security/patches/

I would be expecting .. confirm the relevant patch for this problem.

Kindly correct me if anything is missing.

Regards,
Brahma

On Fri, Jan 12, 2018 at 7:50 AM, Lowell Gilbert <freebsd-security-local@be-well.ilk.org> wrote:

> Brahmanand Reddy writes:
>
> >> Dear Team,
> >>
> >> Thanks for responding.
> >>
> >> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
> >> sequence numbers*) latest patch.
> >>
> >> the original problem reported on :
> >> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
> >>
> >> below list of similar CVEs
> >>
> >> CVE-2001-0328
> >> CVE-1999-0077
> >> CVE-2000-0916
> >>
> >> Thanks and regards,
> >> Brahma
>
> Those reports were fixed in FreeBSD almost 20 years ago,
> so you already have the fixes.
>
> Moreover, it seems silly to worry about minor security
> patches when you're running a FreeBSD release that has
> been out of support for over a year.
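
Review bot: in the tcp_seq.h hunk at -91,7, the step defined by `#define TCP_ISSINCR (122*1024 + tcp_random18())` is still a fixed 122*1024 plus at most 18 bits from tcp_random18(), so moving the source to arc4random() improves the quality of those bits but not their number. The comment above the macro still describes the value only as "hard to predict"; please have it state that the increment is bounded to the range [0-0x3ffff] on top of a constant, and note whether a wider random component or a per-connection ISS is planned as a follow-up.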
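
Review bot: in the tcp_subr.c hunk at -178,7, the new `tcp_iss = arc4random();` line carries over the comment `/* wrong, but better than a constant */` unchanged, and the comment never says what is wrong. Since the change is about how tcp_iss is seeded, please either update the comment to state what remains wrong with this initialisation after the switch to arc4random(), or remove it if the concern no longer applies.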