FreeBSD Security Advisories
2004-Mar-02 11:55 UTC
FreeBSD Security Advisory FreeBSD-SA-04:04.tcp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
============================================================================FreeBSD-SA-04:04.tcp
Security Advisory
The FreeBSD Project
Topic: many out-of-sequence TCP packets denial-of-service
Category: core
Module: kernel
Announced: 2004-03-02
Credits: iDEFENSE
Affects: All FreeBSD releases
Corrected: 2004-03-02 17:19:18 UTC (RELENG_4)
2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
CVE Name: CAN-2004-0171
FreeBSD only: NO
I. Background
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. When network packets making up a TCP stream (``TCP
segments'') are received out-of-sequence, they are maintained in a
reassembly queue by the destination system until they can be re-ordered
and re-assembled.
II. Problem Description
FreeBSD does not limit the number of TCP segments that may be held in a
reassembly queue.
III. Impact
A remote attacker may conduct a low-bandwidth denial-of-service attack
against a machine providing services based on TCP (there are many such
services, including HTTP, SMTP, and FTP). By sending many
out-of-sequence TCP segments, the attacker can cause the target machine
to consume all available memory buffers (``mbufs''), likely leading to
a system crash.
IV. Workaround
It may be possible to mitigate some denial-of-service attacks by
implementing timeouts at the application level.
V. Solution
Do one of the following:
1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.
OR
2) Patch your present system:
The following patch has been verified to apply to FreeBSD 4.x and 5.x
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 5.2]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc
[FreeBSD 4.8, 4.9]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/UPDATING 1.73.2.90
src/sys/conf/newvers.sh 1.44.2.33
src/sys/netinet/tcp_input.c 1.107.2.40
src/sys/netinet/tcp_subr.c 1.73.2.33
src/sys/netinet/tcp_var.h 1.56.2.15
RELENG_5_2
src/UPDATING 1.282.2.9
src/sys/conf/newvers.sh 1.56.2.8
src/sys/netinet/tcp_input.c 1.217.2.2
src/sys/netinet/tcp_subr.c 1.169.2.4
src/sys/netinet/tcp_var.h 1.93.2.2
RELENG_4_9
src/UPDATING 1.73.2.89.2.4
src/sys/conf/newvers.sh 1.44.2.32.2.4
src/sys/netinet/tcp_input.c 1.107.2.38.2.1
src/sys/netinet/tcp_subr.c 1.73.2.31.4.1
src/sys/netinet/tcp_var.h 1.56.2.13.4.1
RELENG_4_8
src/UPDATING 1.73.2.80.2.19
src/sys/conf/newvers.sh 1.44.2.29.2.17
src/sys/netinet/tcp_input.c 1.107.2.37.2.1
src/sys/netinet/tcp_subr.c 1.73.2.31.2.1
src/sys/netinet/tcp_var.h 1.56.2.13.2.1
- -------------------------------------------------------------------------
VII. References
<URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4
iD8DBQFAROKHFdaIBMps37IRAu9EAJ9VY70IDYdjr6GkKJCJCGyvBV3OcQCeIXwL
UDTQ4rcO/SP2rFRZ0Mcj1iQ=Gkct
-----END PGP SIGNATURE-----
is FreeBSD 5.2.1 affected by this exploit ? On Tue, 2 Mar 2004, FreeBSD Security Advisories wrote:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================> FreeBSD-SA-04:04.tcp Security Advisory > The FreeBSD Project > > Topic: many out-of-sequence TCP packets denial-of-service > > Category: core > Module: kernel > Announced: 2004-03-02 > Credits: iDEFENSE > Affects: All FreeBSD releases > Corrected: 2004-03-02 17:19:18 UTC (RELENG_4) > 2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1) > 2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3) > 2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16) > CVE Name: CAN-2004-0171 > FreeBSD only: NO > > I. Background > > The Transmission Control Protocol (TCP) of the TCP/IP protocol suite > provides a connection-oriented, reliable, sequence-preserving data > stream service. When network packets making up a TCP stream (``TCP > segments'') are received out-of-sequence, they are maintained in a > reassembly queue by the destination system until they can be re-ordered > and re-assembled. > > II. Problem Description > > FreeBSD does not limit the number of TCP segments that may be held in a > reassembly queue. > > III. Impact > > A remote attacker may conduct a low-bandwidth denial-of-service attack > against a machine providing services based on TCP (there are many such > services, including HTTP, SMTP, and FTP). By sending many > out-of-sequence TCP segments, the attacker can cause the target machine > to consume all available memory buffers (``mbufs''), likely leading to > a system crash. > > IV. Workaround > > It may be possible to mitigate some denial-of-service attacks by > implementing timeouts at the application level. > > V. Solution > > Do one of the following: > > 1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2, > RELENG_4_9, or RELENG_4_8 security branch dated after the correction > date. > > OR > > 2) Patch your present system: > > The following patch has been verified to apply to FreeBSD 4.x and 5.x > systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 5.2] > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc > > [FreeBSD 4.8, 4.9] > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc > > b) Apply the patch. > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the > system. > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_4 > src/UPDATING 1.73.2.90 > src/sys/conf/newvers.sh 1.44.2.33 > src/sys/netinet/tcp_input.c 1.107.2.40 > src/sys/netinet/tcp_subr.c 1.73.2.33 > src/sys/netinet/tcp_var.h 1.56.2.15 > RELENG_5_2 > src/UPDATING 1.282.2.9 > src/sys/conf/newvers.sh 1.56.2.8 > src/sys/netinet/tcp_input.c 1.217.2.2 > src/sys/netinet/tcp_subr.c 1.169.2.4 > src/sys/netinet/tcp_var.h 1.93.2.2 > RELENG_4_9 > src/UPDATING 1.73.2.89.2.4 > src/sys/conf/newvers.sh 1.44.2.32.2.4 > src/sys/netinet/tcp_input.c 1.107.2.38.2.1 > src/sys/netinet/tcp_subr.c 1.73.2.31.4.1 > src/sys/netinet/tcp_var.h 1.56.2.13.4.1 > RELENG_4_8 > src/UPDATING 1.73.2.80.2.19 > src/sys/conf/newvers.sh 1.44.2.29.2.17 > src/sys/netinet/tcp_input.c 1.107.2.37.2.1 > src/sys/netinet/tcp_subr.c 1.73.2.31.2.1 > src/sys/netinet/tcp_var.h 1.56.2.13.2.1 > - ------------------------------------------------------------------------- > > VII. References > > <URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.4 > > iD8DBQFAROKHFdaIBMps37IRAu9EAJ9VY70IDYdjr6GkKJCJCGyvBV3OcQCeIXwL > UDTQ4rcO/SP2rFRZ0Mcj1iQ> =Gkct > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
Carlos A. Carnero Delgado
2004-Mar-02 12:11 UTC
FreeBSD Security Advisory FreeBSD-SA-04:04.tcp
Hi, On Tuesday 02 March 2004 03:06, Daniel Spielman wrote:> is FreeBSD 5.2.1 affected by this exploit ? > > On Tue, 2 Mar 2004, FreeBSD Security Advisories wrote: > ... > > Category: core > > Module: kernel > > Announced: 2004-03-02 > > Credits: iDEFENSE > > Affects: All FreeBSD releases > > Corrected: 2004-03-02 17:19:18 UTC (RELENG_4) > > 2004-03-02 17:24:46 UTC (RELENG_5_2, > > 5.2.1-RELEASE-p1) 2004-03-02 17:26:33 UTC (RELENG_4_9, > > 4.9-RELEASE-p3) 2004-03-02 17:27:47 UTC (RELENG_4_8, > > 4.8-RELEASE-p16) CVE Name: CAN-2004-0171 > > FreeBSD only: NOit seems so. Look above at it says it was corrected on 2004-03-02 in 5.2.1-RELEASE-p1.
Hi, On Tue Mar 02, 2004 at 11:55AM -0800, FreeBSD Security Advisories wrote:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================> FreeBSD-SA-04:04.tcp Security Advisory > The FreeBSD Project > > Topic: many out-of-sequence TCP packets denial-of-service > > Category: core > Module: kernel > Announced: 2004-03-02 > Credits: iDEFENSE > Affects: All FreeBSD releases > Corrected: 2004-03-02 17:19:18 UTC (RELENG_4) > 2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1) > 2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3) > 2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16) > CVE Name: CAN-2004-0171 > FreeBSD only: NOIs there any chance to get this fixed in RELENG_5_1? best regards, Gordon -- Gordon Bergling <GBergling@0xfce3.net> http://www.0xFCE3.net/ PGP Fingerprint: 7732 9BB1 5013 AE8B E42C 28E0 93B9 D32B C76F 02A0 RIPE-HDL: MDTP-RIPE "There is no place like 127.0.0.0/8" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040303/25499d1f/attachment.bin
On Wed, Mar 03, 2004 at 12:04:05PM +0100, Gordon Bergling wrote:> Is there any chance to get this fixed in RELENG_5_1?I intend to do so as time allows. Cheers, -- Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
On Tue, Mar 02, 2004 at 12:06:14PM -0800, Daniel Spielman wrote:> is FreeBSD 5.2.1 affected by this exploit ?Yes. -- Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
Jacques A. Vidrine on Wed, Mar 03, 2004 at 07:53:36AM -0600 wrote:> On Wed, Mar 03, 2004 at 12:04:05PM +0100, Gordon Bergling wrote: > > Is there any chance to get this fixed in RELENG_5_1? > > I intend to do so as time allows.Any word on when the fix of 5.1 will be ready?> Cheers, > -- > Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
On Sat, 6 Mar 2004, Mark Ogden wrote:> Jacques A. Vidrine on Wed, Mar 03, 2004 at 07:53:36AM -0600 wrote: > > On Wed, Mar 03, 2004 at 12:04:05PM +0100, Gordon Bergling wrote: > > > Is there any chance to get this fixed in RELENG_5_1? > > > > I intend to do so as time allows. > > Any word on when the fix of 5.1 will be ready?by simply taking the 5.2 patch and applying it you will get two rejects which seem to be easily resolvable by hand - if the patch will dtrt is another question. -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT 56 69 73 69 74 http://www.zabbadoz.net/