Date: Tue, 05 May 2015 09:32:13 -0400 From: Mike Tancsa <mike@sentex.net> To: Julian Elischer <julian@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ? Message-ID: <5548C65D.5070703@sentex.net> In-Reply-To: <55482F9E.8050701@freebsd.org> References: <5541560C.5020004@sentex.net> <5547E47A.5040502@sentex.net> <55482F9E.8050701@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 5/4/2015 10:49 PM, Julian Elischer wrote: >> Anyone have any have any ideas what can be done to mitigate this risk >> if its real, or if its a false positive ? > Firstly I assume you are not talking about a vimage jail? > > It seems unlikely that jailing affects that processing. Does the test > actually try cause the problem to occur? a tcpdump would be really nice. Hi, Just a plain jail. No vimage. It doesnt make sense to me either how the jail / no jail would impact it. I am guessing some sort of false positive as well, but I dont understand the details enough of how the vulnerability works and why there would even be a different result whether its a jail or not, whether real or not. Here is what I did this AM. In the parent, I stopped the jail and I bound sendmail and sshd to the IP 98.159.241.178 and an instance of apache so the same services would be visible on the scan outside the jail and inside. I then ran the scan. It came up clean. I then removed sendmail, sshd and apache from the IP addresses, and started up the jail # sockstat | grep 98.159.241.178 # /usr/local/etc/rc.d/ezjail start scantest.sentex.ca Configuring jails:. Starting jails: scantest.sentex.ca. 0{vinyl6}# sockstat | grep 98.159.241.178 root sendmail 78661 5 tcp4 98.159.241.178:25 *:* www httpd 78659 3 tcp4 98.159.241.178:80 *:* www httpd 78658 3 tcp4 98.159.241.178:80 *:* www httpd 78657 3 tcp4 98.159.241.178:80 *:* www httpd 78656 3 tcp4 98.159.241.178:80 *:* www httpd 78655 3 tcp4 98.159.241.178:80 *:* root httpd 78651 3 tcp4 98.159.241.178:80 *:* root sshd 78646 4 tcp4 98.159.241.178:22 *:* root syslogd 78586 6 udp4 98.159.241.178:514 *:* # and then restarted the scan. Sure enough, it comes up vulnerable. I have placed the 2 pcaps, and the reports in http://www.tancsa.com/jail ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5548C65D.5070703>