Mike Tancsa
2015-May-04 21:28 UTC
SA-14:19 (Denial of Service in TCP packet processing) and jails issue ?
On 4/29/2015 6:07 PM, Mike Tancsa wrote:> > The IP being scanned is in a jail. If I run the scan to an IP not > associated with the jail, the scan does not complain. Its only on the > jailed IP that the scan flags as problematic for this vulnerability. > > If this is a false positive, how can I be sure thats the case ? I have > pcaps of the scan both against the jailed IP (with the scan saying its > vulnerable) and against an IP not associated with the jail, saying its > not an issue. >Anyone have any have any ideas what can be done to mitigate this risk if its real, or if its a false positive ? To further clarify/describe my test environment, this is a RELENG_9 box I am testing against. I have a number of IPs aliased to lo0 associated with jails. If I run the Qualsys scan against an IP on this box that is not associated with a jail, it passes the test for SA-14:19. If I run the test against an IP associated with the jail, it fails the test. e.g. IP 192.168.1.1 is aliased to lo0 and associated with jail1.sentex.ca. If I run the free qualsys scan against jail1.sentex.ca, the test fails. If I stop the jail, and run the qualsys scan against the same IP, which is now just an aliased IP on the host machine, it passes the test. I have the pcaps, but I am not sure exactly what I am looking for in the data. The test just says it confirmed the vulnerability with the following 2 tests, Tested on port 22 with an injected SYN/RST offset by 16 bytes. Tested on port 25 with an injected SYN/RST offset by 16 bytes. What is it about the jail that might be causing either this issue to resurface, or give a false positive that its an issue ? ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike at sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/
Julian Elischer
2015-May-05 02:49 UTC
SA-14:19 (Denial of Service in TCP packet processing) and jails issue ?
On 5/5/15 5:28 AM, Mike Tancsa wrote:> On 4/29/2015 6:07 PM, Mike Tancsa wrote: >> >> The IP being scanned is in a jail. If I run the scan to an IP not >> associated with the jail, the scan does not complain. Its only on the >> jailed IP that the scan flags as problematic for this vulnerability. >> >> If this is a false positive, how can I be sure thats the case ? I have >> pcaps of the scan both against the jailed IP (with the scan saying its >> vulnerable) and against an IP not associated with the jail, saying its >> not an issue. >> > > > Anyone have any have any ideas what can be done to mitigate this > risk if its real, or if its a false positive ?Firstly I assume you are not talking about a vimage jail? It seems unlikely that jailing affects that processing. Does the test actually try cause the problem to occur? a tcpdump would be really nice.> > To further clarify/describe my test environment, this is a RELENG_9 > box I am testing against. I have a number of IPs aliased to lo0 > associated with jails. If I run the Qualsys scan against an IP on > this box that is not associated with a jail, it passes the test for > SA-14:19. If I run the test against an IP associated with the jail, > it fails the test. > > e.g. IP 192.168.1.1 is aliased to lo0 and associated with > jail1.sentex.ca. > > If I run the free qualsys scan against jail1.sentex.ca, the test > fails. If I stop the jail, and run the qualsys scan against the > same IP, which is now just an aliased IP on the host machine, it > passes the test. I have the pcaps, but I am not sure exactly what I > am looking for in the data. The test just says it confirmed the > vulnerability with the following 2 tests, > > Tested on port 22 with an injected SYN/RST offset by 16 bytes. > Tested on port 25 with an injected SYN/RST offset by 16 bytes. > > What is it about the jail that might be causing either this issue to > resurface, or give a false positive that its an issue ? > > > ---Mike > > >