Date:      Fri, 12 Jan 2018 08:16:38 +0530
From:      Brahmanand Reddy <brahma.gdb@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
Message-ID:  <CAKsRH7=hyRPG6vEUi_tYSUXtSr58WKoegaDhNzG_qSQie=aUpQ@mail.gmail.com>
In-Reply-To: <44k1wnes1w.fsf@be-well.ilk.org>
References:  <CAKsRH7nsVmhSMUT7TNzGfuN55_J9BkLBzO=8dvjLGvOZtri%2BuQ@mail.gmail.com> <CAKsRH7nsUfkkLfoEuJXBcVpH%2BgnNRpLNb0fjxkJN-xKQnenuQg@mail.gmail.com> <44k1wnes1w.fsf@be-well.ilk.org>

Hi Lowell,

Yes, it was fixed 20 years back, but this patch is not available in the
10.2/10.4 source code; the problem still exists on 10.4 too. Please find
a snippet of the patch below.


Index: tcp_seq.h
===================================================================
RCS file: /usr2/ncvs/src/sys/netinet/tcp_seq.h,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- tcp_seq.h    1999/12/29 04:41:02    1.11
+++ tcp_seq.h    2000/09/29 01:37:19    1.12
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *    @(#)tcp_seq.h    8.3 (Berkeley) 6/21/95
- * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.11 1999/12/29 04:41:02 peter
Exp $
+ * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.12 2000/09/29 01:37:19 kris Exp
$
  */

 #ifndef _NETINET_TCP_SEQ_H_
@@ -91,7 +91,7 @@
  * number in the range [0-0x3ffff] that is hard to predict.
  */
 #ifndef tcp_random18
-#define    tcp_random18()    ((random() >> 14) & 0x3ffff)
+#define    tcp_random18()    (arc4random() & 0x3ffff)
 #endif
 #define    TCP_ISSINCR    (122*1024 + tcp_random18())

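Review bot: in the `tcp_random18()` define, only the random source changes; `TCP_ISSINCR` on the line after the `#endif` is still `122*1024` plus at most 0x3ffff, so each increment stays inside a fixed, known window however strong `arc4random()` is. Consider stating that in the comment above the macro, and, because the `#ifndef tcp_random18` guard permits an override, documenting that any replacement definition must be backed by an equally strong generator.
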
Index: tcp_subr.c
===================================================================
RCS file: /usr2/ncvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- tcp_subr.c    2000/09/25 23:40:22    1.80
+++ tcp_subr.c    2000/09/29 01:37:19    1.81
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *    @(#)tcp_subr.c    8.2 (Berkeley) 5/24/95
- * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.80 2000/09/25 23:40:22
bmilekic Exp $
+ * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.81 2000/09/29 01:37:19 kris
Exp $
  */

 #include "opt_compat.h"
@@ -178,7 +178,7 @@
 {
     int hashsize;

-    tcp_iss = random();    /* wrong, but better than a constant */
+    tcp_iss = arc4random();    /* wrong, but better than a constant */
     tcp_ccgen = 1;
     tcp_cleartaocache();

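Review bot: the comment kept on the `tcp_iss = arc4random();` line, "wrong, but better than a constant", no longer says what is wrong now that the initial value comes from `arc4random()` instead of `random()`. Either spell out the remaining concern or update the comment, so a later reader does not have to guess whether the starting value is still considered weak.
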
I suspect the patch is released for 10.4 and above, but I didn't find the
exact/corresponding one at https://www.freebsd.org/security/patches/

I would expect you to confirm the relevant patch for this problem.

Kindly correct me if anything is missing.


Regards,
Brahma

On Fri, Jan 12, 2018 at 7:50 AM, Lowell Gilbert <freebsd-security-local@be-well.ilk.org> wrote:

> Brahmanand Reddy <brahma.gdb@gmail.com> writes:
>
> >>
> >> Dear Team,
> >>
> >> Thanks for responding.
> >>
> >> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
> >> sequence numbers*) latest patch.
> >>
> >> The original problem was reported at:
> >> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
> >>
> >> Below is a list of similar CVEs:
> >>
> >> CVE-2001-0328
> >> CVE-1999-0077
> >> CVE-2000-0916
> >>
> >>
> >> Thanks and regards,
> >> Brahma
>
> Those reports were fixed in FreeBSD almost 20 years ago,
> so you already have the fixes.
>
> Moreover, it seems silly to worry about minor security
> patches when you're running a FreeBSD release that has
> been out of support for over a year.
>


