From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 10:14:07 2014
Date: Tue, 16 Sep 2014 10:14:07 GMT
Message-Id: <201409161014.s8GAE77Z070671@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Reply-To: freebsd-security@freebsd.org

=============================================================================
FreeBSD-SA-14:19.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Denial of Service in TCP packet processing

Category:       core
Module:         inet
Announced:      2014-09-16
Credits:        Jonathan Looney (Juniper SIRT)
Affects:        All supported versions of FreeBSD.
Corrected:      2014-09-16 09:48:35 UTC (stable/10, 10.1-PRERELEASE)
                2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1)
                2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9)
                2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE)
                2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2)
                2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12)
                2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19)
                2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE)
                2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16)
CVE Name:       CVE-2004-0230

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  New TCP connections are initiated using a special SYN
flag in a datagram.  Sequencing of data is controlled by 32-bit sequence
numbers that start with a random value and are increased using modulo
2**32 arithmetic.  TCP endpoints maintain a window of expected, and
thus allowed, sequence numbers for a connection.

II.  Problem Description

When a segment with the SYN flag for an already existing connection arrives,
the TCP stack tears down the connection, bypassing a check that the
sequence number in the segment is in the expected window.

III. Impact

An attacker who has the ability to spoof IP traffic can tear down a
TCP connection by sending only 2 packets, if they know both TCP port
numbers.  In case one of the two port numbers is unknown, a successful
attack requires less than 2**17 packets spoofed, which can be
generated within less than a second on a decent connection to the
Internet.

IV.  Workaround

It is possible to defend against these attacks with stateful traffic
inspection using a firewall.  This can be done by enabling pf(4) on
the system and creating states for every connection.  Even a default
ruleset to allow all traffic would be sufficient to mitigate this
issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r271668
releng/8.4/                                                       r271669
stable/9/                                                         r271668
releng/9.1/                                                       r271669
releng/9.2/                                                       r271669
releng/9.3/                                                       r271669
stable/10/                                                        r271667
releng/10.0/                                                      r271669
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 10:19:58 2014
Message-ID: <54180EBF.2050104@pyro.eu.org>
Date: Tue, 16 Sep 2014 11:19:43 +0100
From: Steven Chamberlain
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
In-Reply-To: <201409161014.s8GAE77Z070671@freefall.freebsd.org>

Hi,

On 16/09/14 11:14, FreeBSD Security Advisories wrote:
> An attacker who has the ability to spoof IP traffic can tear down a
> TCP connection by sending only 2 packets, if they know both TCP port
> numbers.

This may be a silly question but, if the attacker can spoof IP traffic,
can't the same be done with a single RST packet?

Thanks
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 12:35:27 2014
Message-Id: <1410870926.3637266.168084441.4C997218@webmail.messagingengine.com>
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 07:35:26 -0500
In-Reply-To: <54180EBF.2050104@pyro.eu.org>

On Tue, Sep 16, 2014, at 05:19, Steven Chamberlain wrote:
> Hi,
>
> On 16/09/14 11:14, FreeBSD Security Advisories wrote:
> > An attacker who has the ability to spoof IP traffic can tear down a
> > TCP connection by sending only 2 packets, if they know both TCP port
> > numbers.
>
> This may be a silly question but, if the attacker can spoof IP traffic,
> can't the same be done with a single RST packet?
>

Yes, this is how Sandvine anti-piracy products work. They detect you
torrenting/P2P and then send an RST spoofed from the other end. You can
defeat this by dropping RST altogether, which is what many people do.
It's better if they don't blindly block all RST, and only to the ports
they use for P2P...

I'm torn on calling this an actual security problem. It's certainly a
bug -- defeated by a stateful firewall, as detailed in the SA -- but if
someone can spoof the traffic... you've a problem at a different layer
:-)

(Warning: I'm not a security expert.)
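As an added illustration of the advisory's Sections I-III and of the RST question raised in this sub-thread (example code written for this archive, not FreeBSD's tcp_input.c and not any poster's), here is a Python model of the segment acceptance decision: the SYN path in its defective and corrected forms, and a worst-case count derived from the advisory's own 2 / 2**17 figures. Every name and value in it (process_segment, blind_outcome, blind_guess_cost, the ports, the window size and the sequence numbers) is constructed for the demonstration, and the corrected path assumes the RFC 793 behaviour of aborting on an in-window SYN, which the advisory itself does not spell out.

```python
"""Model of the TCP segment acceptance check behind FreeBSD-SA-14:19.tcp.

Constructed illustration, not FreeBSD's tcp_input.c.  It tracks one
ESTABLISHED connection and shows why a SYN that is honoured before the
receive-window check lets a blind sender tear the connection down with
port guesses alone, while an RST (or a SYN once the check is enforced)
also has to carry a sequence number inside the window.
"""
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers wrap modulo 2**32 (advisory, Section I)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793-style test: seq in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32,
    so a window that straddles the wrap-around is handled correctly."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Connection:
    local_port: int
    remote_port: int
    rcv_nxt: int              # next sequence number expected from the peer
    rcv_wnd: int              # receive window currently advertised
    state: str = "ESTABLISHED"


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int
    syn: bool = False
    rst: bool = False


def process_segment(conn: Connection, seg: Segment, syn_checked: bool) -> str:
    """Decide what the stack does with seg on conn and return the outcome.

    syn_checked=False models the defect in Section II: a SYN for an existing
    connection tears it down before the window check runs.
    syn_checked=True models the corrected stack: SYN and RST alike are only
    acted on when their sequence number lies inside the expected window
    (assumed RFC 793 behaviour for the in-window SYN case).
    """
    if conn.state != "ESTABLISHED":
        return "ignored"
    if (seg.dst_port, seg.src_port) != (conn.local_port, conn.remote_port):
        return "no-match"       # not this connection: the port guess was wrong
    if seg.syn and not syn_checked:
        conn.state = "CLOSED"   # vulnerable path: no window check at all
        return "torn-down"
    if not seq_in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd):
        return "dropped"        # out-of-window SYN/RST/data is discarded
    if seg.syn or seg.rst:
        conn.state = "CLOSED"   # in-window SYN or RST aborts the connection
        return "torn-down"
    return "accepted"


def blind_outcome(flag: str, syn_checked: bool, in_window: bool = False) -> str:
    """Run one constructed segment (flag is 'syn' or 'rst') against a fresh
    connection whose ports the sender knows but whose sequence state it does
    not; in_window=True stands for a lucky sequence guess."""
    conn = Connection(local_port=22, remote_port=40000, rcv_nxt=1000, rcv_wnd=65536)
    seq = conn.rcv_nxt + 10 if in_window else (conn.rcv_nxt + 2 * conn.rcv_wnd) % MOD
    seg = Segment(src_port=40000, dst_port=22, seq=seq,
                  syn=(flag == "syn"), rst=(flag == "rst"))
    return process_segment(conn, seg, syn_checked)


def blind_guess_cost(known_ports: int, seq_checked: bool, rcv_wnd: int = 65536) -> int:
    """Worst-case spoofed segments for a sender knowing known_ports (1 or 2) of
    the two port numbers, counted the way Section III does: 2 segments when
    both ports are known, and 2 * 2**16 = 2**17 when one port must be guessed.
    When the window check applies, every port guess must additionally be
    repeated for each window-sized slice of the 2**32 sequence space."""
    port_guesses = 2 ** (16 * (2 - known_ports))
    seq_guesses = -(-MOD // rcv_wnd) if seq_checked else 1   # ceiling division
    return 2 * port_guesses * seq_guesses


if __name__ == "__main__":
    for checked in (False, True):
        label = "corrected" if checked else "vulnerable"
        print(f"{label:10} SYN out of window -> {blind_outcome('syn', checked)}")
        print(f"{label:10} RST out of window -> {blind_outcome('rst', checked)}")
    print("both ports known, no window check:", blind_guess_cost(2, False))
    print("one port unknown, no window check:", blind_guess_cost(1, False))
    print("both ports known, window check:   ", blind_guess_cost(2, True))
```

The window check is what the pf(4) workaround also re-introduces from outside the stack: a state entry records the expected window, so an out-of-window segment never reaches the defective SYN path.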
From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 12:49:32 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DFF1A1C6 for ; Tue, 16 Sep 2014 12:49:32 +0000 (UTC) Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id 2B313927 for ; Tue, 16 Sep 2014 12:49:31 +0000 (UTC) Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua [212.40.38.100]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id PAA08950 for ; Tue, 16 Sep 2014 15:49:30 +0300 (EEST) (envelope-from avg@FreeBSD.org) Received: from localhost ([127.0.0.1]) by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD)) id 1XTsCI-0004gM-Ih for freebsd-security@freebsd.org; Tue, 16 Sep 2014 15:49:30 +0300 Message-ID: <541831A3.7010700@FreeBSD.org> Date: Tue, 16 Sep 2014 15:48:35 +0300 From: Andriy Gapon User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0 MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:19.tcp References: <201409161014.s8GAE7jY070664@freefall.freebsd.org> In-Reply-To: <201409161014.s8GAE7jY070664@freefall.freebsd.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Tue, 16 Sep 2014 12:56:08 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 12:49:33 -0000 On 16/09/2014 13:14, FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-14:19.tcp Security Advisory > The FreeBSD Project > 
> Topic: Denial of Service in TCP packet processing > > Category: core > Module: inet > Announced: 2014-09-16 > Credits: Jonathan Looney (Juniper SIRT) > Affects: All supported versions of FreeBSD. Does the issue affect head aka CURRENT as well? > Corrected: 2014-09-16 09:48:35UTC (stable/10, 10.1-PRERELEASE) > 2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1) > 2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9) > 2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE) > 2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2) > 2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12) > 2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19) > 2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE) > 2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16) > CVE Name: CVE-2004-0230 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The Transmission Control Protocol (TCP) of the TCP/IP protocol suite > provides a connection-oriented, reliable, sequence-preserving data > stream service. New TCP connections are initiated using special SYN > flag in a datagram. Sequencing of data is controlled by 32-bit sequence > numbers, that start with a random value and are increased using modulo > 2**32 arithmetic. TCP endpoints maintain a window of expected, and > thus allowed, sequence numbers for a connection. > > II. Problem Description > > When a segment with the SYN flag for an already existing connection arrives, > the TCP stack tears down the connection, bypassing a check that the > sequence number in the segment is in the expected window. > > III. Impact > > An attacker who has the ability to spoof IP traffic can tear down a > TCP connection by sending only 2 packets, if they know both TCP port > numbers. 
In case one of the two port numbers is unknown, a successful > attack requires less than 2**17 packets spoofed, which can be > generated within less than a second on a decent connection to the > Internet. > > IV. Workaround > > It is possible to defend against these attacks with stateful traffic > inspection using a firewall. This can be done by enabling pf(4) on > the system and creating states for every connection. Even a default > ruleset to allow all traffic would be sufficient to mitigate this > issue. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch > # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc > # gpg --verify tcp.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > 3) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. 
> > Branch/path Revision > ------------------------------------------------------------------------- > stable/8/ r271668 > releng/8.4/ r271669 > stable/9/ r271668 > releng/9.1/ r271669 > releng/9.2/ r271669 > releng/9.3/ r271669 > stable/10/ r271667 > releng/10.0/ r271669 > ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > The latest revision of this advisory is available at > > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" > -- Andriy Gapon From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 13:27:21 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1C5FA7E4 for ; Tue, 16 Sep 2014 13:27:21 +0000 (UTC) Received: from be-well.ilk.org (be-well.ilk.org [23.30.133.173]) by mx1.freebsd.org (Postfix) with ESMTP id E6E6BD1A for ; Tue, 16 Sep 2014 13:27:20 +0000 (UTC) Received: from lowell-desk.lan (lowell-desk.lan [172.30.250.41]) by be-well.ilk.org (Postfix) with ESMTP id 5CEE933C1E for ; Tue, 16 Sep 2014 09:20:07 -0400 (EDT) Received: by lowell-desk.lan (Postfix, from userid 1147) id 738EA3985D; Tue, 16 Sep 2014 09:20:06 -0400 (EDT) From: Lowell Gilbert To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp References: 
<201409161014.s8GAE77Z070671@freefall.freebsd.org> <54180EBF.2050104@pyro.eu.org> <1410870926.3637266.168084441.4C997218@webmail.messagingengine.com> Date: Tue, 16 Sep 2014 09:20:05 -0400 In-Reply-To: <1410870926.3637266.168084441.4C997218@webmail.messagingengine.com> (Mark Felder's message of "Tue, 16 Sep 2014 07:35:26 -0500") Message-ID: <44y4tjwvlm.fsf@lowell-desk.lan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 13:27:21 -0000 Mark Felder writes: > On Tue, Sep 16, 2014, at 05:19, Steven Chamberlain wrote: >> Hi, >> >> On 16/09/14 11:14, FreeBSD Security Advisories wrote: >> > An attacker who has the ability to spoof IP traffic can tear down a >> > TCP connection by sending only 2 packets, if they know both TCP port >> > numbers. >> >> This may be a silly question but, if the attacker can spoof IP traffic, >> can't the same be done with a single RST packet? >> > > Yes, this is how Sandvine anti-piracy products work. They detect you > torrenting/P2P and then send an RST spoofed from the other end. You can > defeat this by dropping RST altogether, which is what many people do. > It's better if they don't blindly block all RST, and only to the ports > they use for P2P... That's not quite the same; that's a full man-in-the-middle attack on the connection, so all of the connection information is available. The problem being fixed here allowed an attacker to do that without knowing the sequence numbers. > I'm torn on calling this an actual security problem. It's certainly a > bug -- defeated by a stateful firewall, as detailed in the SA -- but if > someone can spoof the traffic... you've a problem at a different layer > :-) Spoofing traffic is pretty easy. 
The reason it isn't generally a problem is that knowing what to spoof is more difficult. [I assume that's what feld@ actually meant, but it's an important distinction.] From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 13:34:46 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1E1A7B04 for ; Tue, 16 Sep 2014 13:34:46 +0000 (UTC) Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DC5C3E0B for ; Tue, 16 Sep 2014 13:34:45 +0000 (UTC) Received: by mail-oi0-f45.google.com with SMTP id v63so3308835oia.4 for ; Tue, 16 Sep 2014 06:34:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=lqO5R5iFRNXHDEwnlAFYYRoj7VmDK/dBihFu7xApMwA=; b=DJOZfGnXhrNgwV3XlwicGJGSOr9t2mP5E6+RXC9NpHncKnlh1vGqtiMYBo20zMagjr NdL1bxpYqGOwh/sHYcfAGdBAYvLXfkEC0uuswUx/HZUyrxZL1i0bjfWMdMhftwoyyCHr flKzgKpZv+ywviQ4B2/GoYrjm2t9su7vqS0sTwcQj0izgfAR/sJwEA7zBmY8l2/BSeS4 9bMHLhe6k/CEkIw5zjcteR97b/oLu98Hma649K0EwnYFyj4FjYng7BTkK/lRXD9aF2BM 3krJdWjYL21Be1Bb5PqmeHFWhqFqcGFPUMo0AsKYIXakVUsjn2N7WVkjdVBYERvrzlmz KwUA== X-Received: by 10.60.96.129 with SMTP id ds1mr35328348oeb.43.1410874485228; Tue, 16 Sep 2014 06:34:45 -0700 (PDT) MIME-Version: 1.0 Received: by 10.76.24.132 with HTTP; Tue, 16 Sep 2014 06:34:25 -0700 (PDT) In-Reply-To: <201409161014.s8GAE77Z070671@freefall.freebsd.org> References: <201409161014.s8GAE77Z070671@freefall.freebsd.org> From: n j Date: Tue, 16 Sep 2014 15:34:25 +0200 Message-ID: Subject: Re: FreeBSD Security Advisory 
FreeBSD-SA-14:19.tcp To: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 13:34:46 -0000 Hi, On Tue, Sep 16, 2014 at 12:14 PM, FreeBSD Security Advisories < security-advisories@freebsd.org> wrote: > IV. Workaround > > It is possible to defend against these attacks with stateful traffic > inspection using a firewall. This can be done by enabling pf(4) on > the system and creating states for every connection. Even a default > ruleset to allow all traffic would be sufficient to mitigate this > issue. > Any chance of getting more information in Workaround section? Is the workaround applicable only to pf or IPFW also helps? Perhaps an example rule? > VII. References > > > 2004? Wow, that's an old one. 
Thanks, -- Nino From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 13:46:55 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9276C5F7; Tue, 16 Sep 2014 13:46:55 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 7830DF41; Tue, 16 Sep 2014 13:46:55 +0000 (UTC) Received: from delphij-macbook.local (unknown [1.202.68.57]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id 3C9291530F; Tue, 16 Sep 2014 06:46:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1410875215; x=1410889615; bh=a9D+iJjpI4qegGGGmqaqjXKL2Pcatq/4K13warU5SF0=; h=Date:From:Reply-To:To:Subject:References:In-Reply-To; b=ZhC2OYOP9kgzNxmFjr8w7P4xKmkHz5CD01lQXgOamQg8rXPM7qiOi7idQsjPfaaBM cjtE06BvEdtFr77P4wmPBm69paBNKNzfsR593FLjUf6Fru7q94cYDB8q/M7U4thePj 5oDvFj9ePsJ9Y6nLqbtZdlTipoJ7oEA8K6sv/mzc= Message-ID: <54183F4A.10802@delphij.net> Date: Tue, 16 Sep 2014 21:46:50 +0800 From: Xin Li Reply-To: d@delphij.net Organization: The FreeBSD Project MIME-Version: 1.0 To: Andriy Gapon , freebsd-security@FreeBSD.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:19.tcp References: <201409161014.s8GAE7jY070664@freefall.freebsd.org> <541831A3.7010700@FreeBSD.org> In-Reply-To: <541831A3.7010700@FreeBSD.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list 
List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 13:46:55 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 9/16/14 8:48 PM, Andriy Gapon wrote: > On 16/09/2014 13:14, FreeBSD Security Advisories wrote: >> ============================================================================= >> >> FreeBSD-SA-14:19.tcp Security Advisory >> The FreeBSD Project >> >> Topic: Denial of Service in TCP packet processing >> >> Category: core Module: inet Announced: >> 2014-09-16 Credits: Jonathan Looney (Juniper SIRT) >> Affects: All supported versions of FreeBSD. > > Does the issue affect head aka CURRENT as well? It does. Note that CURRENT is not considered as 'supported' in the security advisory context, though. Cheers, -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUGD9KAAoJEJW2GBstM+nsi3cQAKzL4RINOVU2FkZsLyN4RYGH golAhWQ2L07GYc1AfahyH/KNpGsYVT/bXuW+2qsm+Rl+UZbbYsN9Jza8RNSDCxPa 5MfQZXQEYAUfUcHMskqgf2vV5sNIzGp9F8ouxUZX0URAndv67Y5+bF4jIX+SlFcP f0kzwTFObDSYrYoGniZMzT17YAPB8cS1l/NkSH2Rnu7mbY7h0ybRngODZKnfFvoM fcPD/23cFqsxAK7jEo7i5a0lvx9dTm2Ahtesj7CyzJgTjB2/MhsJbNnp4rCOYx1f 4X3vePUoTUmkDqIT6SoFdO2aVAH1JDzM/e6swWQFLCYMZPI6x4Zw22vaARQSiECw aeHu2nkG/m4HVXrOiRUuy9Wk7rGq/IfzCMiTGdwU/mV3A952J/sDBjl211XKBDZq A6fKdBaXi9V5P7ykUt3HonEoVjbt71KmiMKI1pqE63q+QCw8sZCwqd7uwoiaE71B 7H1UYBNlEgxisP6WolzCPpBOMAEVQiqesYHlQHgW/kzq4aTVa7EumhBuciQ1QfDq fFERPnHHwwUiwF+D/OiJQtPCqVhpJSP48nJsyVTJKZWpUI8NU1ePDVmLUWLPbtv/ 5VKwwjtT9jJEC2sl4dSRNFT0xcMH2g0n3mdVxJTiF/RinWuk9Qf14l+43A/gzwps srLDGfcN70zXV0C0NXNT =yDa7 -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 13:49:10 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 717B19E4 for ; Tue, 16 
From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 08:49:08 -0500
Message-Id: <1410875348.3660913.168112729.18E69A9D@webmail.messagingengine.com>
In-Reply-To: <44y4tjwvlm.fsf@lowell-desk.lan>

On Tue, Sep 16, 2014, at 08:20, Lowell Gilbert wrote:
>
> Spoofing traffic is pretty easy. The reason it isn't generally a problem
> is that knowing what to spoof is more difficult. [I assume that's what
> feld@ actually meant, but it's an important distinction.]
>

How many AS are out there don't implement BCP38? Spoofing these days
without MITM should be considered hard, and TCP even harder, no? I'd
find it more believable that it's easier to hijack BGP than to target
someone and successfully spoof TCP.

Maybe I'm just naive and haven't seen this behavior in the wild during
my time working at an ISP :-)

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 14:00:29 2014
From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: Steven Chamberlain, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 22:00:27 +0800
Message-ID: <5418427B.9080909@delphij.net>
In-Reply-To: <54180EBF.2050104@pyro.eu.org>

On 9/16/14 6:19 PM, Steven Chamberlain wrote:
> Hi,
>
> On 16/09/14 11:14, FreeBSD Security Advisories wrote:
>> An attacker who has the ability to spoof IP traffic can tear down
>> a TCP connection by sending only 2 packets, if they know both TCP
>> port numbers.
>
> This may be a silly question but, if the attacker can spoof IP
> traffic, can't the same be done with a single RST packet?

By default RST has to be within the window if the connection is in
ESTABLISHED state. So in order to do that the attacker still needs to
guess or know the sequence number.

Hope this helps.
Cheers,

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 14:06:00 2014
From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: n j, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 22:05:58 +0800
Message-ID: <541843C6.7040909@delphij.net>

On 9/16/14 9:34 PM, n j wrote:
>> VII. References
>>
>>
>>
>
>
> 2004? Wow, that's an old one.

This is an old, generic issue that didn't affect FreeBSD at the time in
2004, and the issue was introduced in 2009 by r192912.
Cheers,

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 14:10:50 2014
From: Steven Chamberlain
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 15:10:31 +0100
Message-ID: <541844D7.9090600@pyro.eu.org>
In-Reply-To: <5418427B.9080909@delphij.net>

On 16/09/14 15:00, Xin Li wrote:
> By default RST has to be within the window if the connection is in
> ESTABLISHED state. So in order to do that the attacker still needs to
> guess or know the sequence number.

Thanks, I didn't know that; that must be how a router or MITM attacker
is able to do that so easily. Whereas, the attack described in this
advisory could work blindly against two remote endpoints. I believe I
understand now.
Regards,
--
Steven Chamberlain
steven@pyro.eu.org

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 15:03:26 2014
From: Zoran Kolic
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:18.openssl
Date: Tue, 16 Sep 2014 17:03:53 +0200
Message-ID: <20140916150353.GA1117@faust.sbb.rs>

> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install

No need to recompile the kernel?

Zoran

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 15:07:11 2014
From: Zoran Kolic
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 17:07:42 +0200
Message-ID: <20140916150742.GA1201@faust.sbb.rs>

Sorry to make a mistake regarding the subject!!!
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install

This is the question I intended to ask, since the patch method needs a
kernel recompile: do I need to recompile the kernel after freebsd-update?
Sorry for the noise

Zoran

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 16:14:55 2014
From: Tadaaki Nagao
To: d@delphij.net, delphij@delphij.net
Cc: freebsd-security@freebsd.org, steven@pyro.eu.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Wed, 17 Sep 2014 01:09:29 +0900 (JST)
Message-Id: <20140917.010929.1161101766373361820.nagao@iij.ad.jp>
In-Reply-To: <5418427B.9080909@delphij.net>

Hi,

In "Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp", Xin Li wrote:
> > On 16/09/14 11:14, FreeBSD Security Advisories wrote:
> >> An attacker who has the ability to spoof IP traffic can tear down
> >> a TCP connection by sending only 2 packets, if they know both TCP
> >> port numbers.
> >
> > This may be a silly question but, if the attacker can spoof IP
> > traffic, can't the same be done with a single RST packet?
>
> By default RST has to be within the window if the connection is in
> ESTABLISHED state. So in order to do that the attacker still needs to
> guess or know the sequence number.

No, in the case of RST packets, the check in tcp_input.c is much
narrower than the receiving window size.

Actually, it was the discussion in 2004 that the usual window size had
become large enough (64k or more?) for an attacker to easily guess the
sequence number by sending a feasible number of packets
(2^32 / window_size (<= 2^16)).

And this is also the case for SYN packets. I suspect that, even with
the patch in FreeBSD-SA-14:19.tcp applied, an attacker can still reset
a connection by sending the above mentioned number of SYN packets,
guessing an in-window sequence number.

See RFC5961, which discusses attack scenarios including these and
changes to the TCP specification.

--
Tadaaki Nagao
Internet Initiative Japan Inc.
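A small model of the two acceptance policies the thread contrasts: the classic in-window check for RST (and, after the SA-14:19 patch, SYN) that Xin Li describes, and the RFC 5961 exact-match / challenge-ACK rules that Tadaaki Nagao points to, together with the 2^32 / window_size guess count from his message. This is an added example written for this archive, not FreeBSD's tcp_input.c; the function names and the constructed receiver state are mine.

```python
"""Model of how a TCP receiver in ESTABLISHED state treats an incoming RST
or SYN segment: the classic in-window check (RFC 793) versus the RFC 5961
rules, plus the blind-guess arithmetic quoted in the thread.

Added example for this archive; it is not FreeBSD's tcp_input.c. Function
names and the sample receiver state below are constructed for illustration.
"""

SEQ_SPACE = 2 ** 32  # size of the 32-bit TCP sequence number space


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Classic rule: any RST whose sequence number is inside the receive
    window aborts the connection, so the acceptance width equals RCV.WND."""
    return "abort" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: only seq == RCV.NXT aborts. An RST elsewhere
    in the window gets a challenge ACK and the connection stays up, so the
    acceptance width shrinks from RCV.WND to exactly one value."""
    if seq == rcv_nxt:
        return "abort"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def syn_action_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Behaviour Nagao expects once a SYN is merely subjected to the
    in-window check: an in-window SYN still tears the connection down,
    giving the same exposure as an in-window RST under RFC 793."""
    return "abort" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def syn_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 4.2: a SYN on an ESTABLISHED connection is answered
    with a challenge ACK irrespective of its sequence number and is then
    dropped; it never aborts the connection by itself."""
    return "challenge-ack"


def blind_guesses_needed(rcv_wnd: int, exact_match: bool = False) -> int:
    """Segments needed to cover the whole sequence space when each segment
    covers rcv_wnd values (classic check) or a single value (RFC 5961
    exact match): the 2^32 / window_size figure from the thread, rounded
    up. The ratio between the two is the receiver's window size."""
    width = 1 if exact_match else rcv_wnd
    return -(-SEQ_SPACE // width)  # ceiling division


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 1_000_000, 65_535  # constructed receiver state
    for seq in (rcv_nxt, rcv_nxt + 4_000, rcv_nxt + 70_000):
        print(seq,
              "RFC793:", rst_action_rfc793(seq, rcv_nxt, rcv_wnd),
              "RFC5961:", rst_action_rfc5961(seq, rcv_nxt, rcv_wnd))
    print("classic in-window check:", blind_guesses_needed(rcv_wnd))
    print("RFC 5961 exact match:   ",
          blind_guesses_needed(rcv_wnd, exact_match=True))
```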
From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 16:36:31 2014
From: "R. Scott Evans"
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 12:36:15 -0400
Message-ID: <541866FF.1070204@rsle.net>
In-Reply-To: <20140916150742.GA1201@faust.sbb.rs>

On 09/16/14 11:07, Zoran Kolic wrote:
> Sorry to make a mistake regarding the subject!!!
>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>
> This is the question I intended to ask, since
> the patch method needs a kernel recompile:
> do I need to recompile the kernel after freebsd-update?
> Sorry for the noise
>
> Zoran

The advisory solution offers 3 options... freebsd-update is the binary
approach (option #3) that provides you a new updated generic kernel
already compiled. If you aren't using a generic kernel or want to patch
and recompile your own, then you would use option #2.

-scott

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 16:42:19 2014
From: Zoran Kolic
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 18:42:58 +0200
Message-ID: <20140916164257.GA1277@faust.sbb.rs>

> The advisory solution offers 3 options... freebsd-update is the binary
> approach (option #3) that provides you a new updated generic kernel
> already compiled. If you aren't using a generic kernel or want to patch
> and recompile your own, then you would use option #2.

Hm! I use a custom kernel.
Here is what I did using freebsd-update:
I fetched and installed. Then I recompiled the kernel.
Did I miss the security patch doing this?

Zoran

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 17:10:10 2014
From: Leif Pedersen
To: Mark Felder
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 12:09:26 -0500
In-Reply-To: <1410875348.3660913.168112729.18E69A9D@webmail.messagingengine.com>

On Tue, Sep 16, 2014 at 8:49 AM, Mark Felder wrote:
>
> How many AS are out there don't implement BCP38? Spoofing these days
> without MITM should be considered hard, and TCP even harder, no? I'd
> find it more believable that it's easier to hijack BGP than to target
> someone and successfully spoof TCP.
>
> Maybe I'm just naive and haven't seen this behavior in the wild during
> my time working at an ISP :-)
>

Between work and home, I have access to three internet connections from
different ISPs. None stop me from sourcing packets from arbitrary
addresses. For example, if I use "ifconfig xx0 alias 1.1.1.1/32; ping -S
1.1.1.1 " and use tcpdump on , I see the traffic with the source address
1.1.1.1. I have no special arrangements; just typical commodity service.
So there are at least three ISPs serving my area that don't prevent IP
spoofing.

--
As implied by email protocols, the information in this message is not
confidential. Any middle-man or recipient may inspect, modify, copy,
forward, reply to, delete, or filter email for any purpose unless said
parties are otherwise obligated. As the sender, I acknowledge that I have
a lower expectation of the control and privacy of this message than I
would a post-card. Further, nothing in this message is legally binding
without cryptographic evidence of its integrity.
http://bilbo.hobbiton.org/wiki/Eat_My_Sig

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 17:19:11 2014
From: Daniel Roethlisberger
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 19:19:06 +0200
Message-ID: <20140916171906.GB40056@calvin.ustdmz.roe.ch>
In-Reply-To: <1410875348.3660913.168112729.18E69A9D@webmail.messagingengine.com>
Mark Felder 2014-09-16:
> On Tue, Sep 16, 2014, at 08:20, Lowell Gilbert wrote:
> > Spoofing traffic is pretty easy. The reason it isn't generally a problem
> > is that knowing what to spoof is more difficult. [I assume that's what
> > feld@ actually meant, but it's an important distinction.]
>
> How many AS are out there don't implement BCP38? Spoofing these days
> without MITM should be considered hard, and TCP even harder, no? I'd
> find it more believable that it's easier to hijack BGP than to target
> someone and successfully spoof TCP.

FWIW, if that assumption about the BCP38 adoption rate were true, then
we would see fewer reflected DoS attacks than we actually do these days.

--
Daniel Roethlisberger
http://daniel.roe.ch/

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 17:25:36 2014
From: "R. Scott Evans"
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 13:25:29 -0400
Message-ID: <54187289.8030604@rsle.net>
In-Reply-To: <20140916164257.GA1277@faust.sbb.rs>

On 09/16/14 12:42, Zoran Kolic wrote:
>> The advisory solution offers 3 options... freebsd-update is the binary
>> approach (option #3) that provides you a new updated generic kernel
>> already compiled. If you aren't using a generic kernel or want to patch
>> and recompile your own, then you would use option #2.
>
> Hm! I use a custom kernel. Here is what I did using
> freebsd-update:
> I fetched and installed. Then I recompiled the kernel.
> Did I miss the security patch doing this?
>
> Zoran

Unfortunately, I don't think your custom kernel got the patch. In your
case you will want to follow option 2 with:

"
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.
"

-scott

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 18:59:18 2014
From: Zoran Kolic
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp
Date: Tue, 16 Sep 2014 20:59:45 +0200
Message-ID: <20140916185945.GA777@faust.sbb.rs>

> Unfortunately, I don't think your custom kernel got the patch.

I made a mess out of this patch, that is for sure. On the laptop I
previously used freebsd-update for the openssl advisory. Now I followed
your advice and used the patch way. Recompiled a kernel and got p1. I
expected p2. However.
On desktop, I previously did the same openssl update, today made tcp freebsd-update and recompiled the kernel. Now, I tried to follow the same patch step. To my big surprize, I was asked what file I want to patch. I don't know. Since I do use stateful firewall, not pf, but ipfw, I expect to be on a safe side. So far. Best regards Zoran From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 19:02:40 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A0F017E4 for ; Tue, 16 Sep 2014 19:02:40 +0000 (UTC) Received: from mail.jr-hosting.nl (mail.jr-hosting.nl [78.47.69.234]) by mx1.freebsd.org (Postfix) with ESMTP id 5B192D01 for ; Tue, 16 Sep 2014 19:02:40 +0000 (UTC) Received: from [10.0.2.17] (a44084.upc-a.chello.nl [62.163.44.84]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.jr-hosting.nl (Postfix) with ESMTPSA id 25A574BC15; Tue, 16 Sep 2014 21:02:32 +0200 (CEST) DMARC-Filter: OpenDMARC Filter v1.3.0 mail.jr-hosting.nl 25A574BC15 Authentication-Results: mail.jr-hosting.nl/25A574BC15; dmarc=none header.from=FreeBSD.org Content-Type: multipart/signed; boundary="Apple-Mail=_51682649-1901-48D2-A14F-A4CA44591308"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp From: Remko Lodder In-Reply-To: <20140916164257.GA1277@faust.sbb.rs> Date: Tue, 16 Sep 2014 21:02:30 +0200 Message-Id: References: <20140916164257.GA1277@faust.sbb.rs> To: Zoran Kolic X-Mailer: Apple Mail (2.1878.6) Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 19:02:40 -0000 --Apple-Mail=_51682649-1901-48D2-A14F-A4CA44591308 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii On 16 Sep 2014, at 18:42, Zoran Kolic wrote: >> The advisory solution offers 3 options... freebsd-update is the binary >> approach (option #3) that provides you a new updated generic kernel >> already compiled. If you aren't using a generic kernel or want to patch >> and recompile your own, then you would use the option #2. > > Hm! I use custom kernel. Here is what I did using > freebsd-update: > I fetched and installed. Then I recompiled the kernel. > Did I miss the security patch doing this? If you have a custom kernel, you should update your local sources and rebuild world and the kernel. You should not use freebsd-update which is not the right tool for customized kernels and environments (because you deviate from the standard, which you likely have a good reason for). So, option 2) should apply to you after updating your local checked out sources.. Please let me know if I can be of more help wrt. 
this issue (no need to send this to the entire list :)) Cheers Remko > > Zoran > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News --Apple-Mail=_51682649-1901-48D2-A14F-A4CA44591308 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJUGIlGAAoJEKjD27JZ84ywYXsP/jfdebm9Y4EJdK4DzrW5H/o1 9KT87LK3YKZvCdAdwiTZs+Gf7qKOqITziNK/677xNaVEgy+OVZ84yzKp1rr5EyJl 48EhwhFq1mZ1S9ncYzKzIGa+DScXto+mKf50ZuSTrdAnwdbUeP0r9JuzTi1hqWSW tsk5uF5JwmMeDDGxhpCfxt2eeWDn5bVxa6wlNE0HK1REJExtkqiuTrPuu0xz4qzS YSk7RMJDhq1MG51fjz44ZfmNYLi36Y4kBaC1zEn/HwmbjtmfZpJ9nQzyxJI/SR+a 30rRYB1xWFCrcE8+h67Xz4dfxWwUlwksPyrIZxHDyAaUu3ol2oW5P3t/JgxePL4V yY1i+Y+xrjFLVpgVOi1DRBXd1C5uSjbfHiHuw9SEiOFzpunOmL1QivtA09kVkIvo FRwysrAAexsOzye9lMiNcexWQRMkfZetTkO2BJkMxaLnOBVfVcD8ZA9l36twnRUE 4okis0kjt/DDH+CfkLQgsedGiL/1dtfJTvGexRqTpZRYagODaMp3qPkwhsEl7+kf eVymR/h3qLiwS+AEeSFABjzBzWa5H69Dm2L1axkVouKBRBd6vOM2WdSagEUEaeJO uninKh5qziTyy7J6pDWUsrts7PAtx+HSJY0awrPhx3OXU1QP3vlGrnkwJhNBLNTY VCUEsqaciYA7V8NPI0qn =jxpu -----END PGP SIGNATURE----- --Apple-Mail=_51682649-1901-48D2-A14F-A4CA44591308-- From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 19:31:12 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CC35DAB8 for ; Tue, 16 Sep 2014 
19:31:12 +0000 (UTC) Received: from mail.lariat.net (mail.lariat.net [66.62.230.51]) by mx1.freebsd.org (Postfix) with ESMTP id 7CD68FAB for ; Tue, 16 Sep 2014 19:31:12 +0000 (UTC) Received: from Toshi.lariat.net (IDENT:ppp1000.lariat.net@localhost [127.0.0.1]) by mail.lariat.net (8.9.3/8.9.3) with ESMTP id NAA27699; Tue, 16 Sep 2014 13:31:03 -0600 (MDT) Message-Id: <201409161931.NAA27699@mail.lariat.net> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Tue, 16 Sep 2014 13:30:59 -0600 To: Zoran Kolic , freebsd-security@freebsd.org From: brett@lariat.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 19:31:12 -0000 At 10:42 AM 9/16/2014, Zoran Kolic wrote: >Hm! I use custom kernel. Here is what I did using >freebsd-update: >I fetched and installed. Then I recompiled the kernel. >Did I miss the security patch doing this? > > Zoran I always use a custom kernel. I did a fetch and an install using freebsd-update. I saw that tcp_input.c was updated. I then recompiled my custom kernel, which applied the patch to it. 
--Brett Glass From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 14:15:31 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A1236D58; Thu, 18 Sep 2014 14:15:31 +0000 (UTC) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 61D75B3E; Thu, 18 Sep 2014 14:15:31 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 7224E7099; Thu, 18 Sep 2014 14:15:30 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 8C842303E; Thu, 18 Sep 2014 16:15:27 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Mark Felder Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:19.tcp References: <201409161014.s8GAE77Z070671@freefall.freebsd.org> <54180EBF.2050104@pyro.eu.org> <1410870926.3637266.168084441.4C997218@webmail.messagingengine.com> <44y4tjwvlm.fsf@lowell-desk.lan> <1410875348.3660913.168112729.18E69A9D@webmail.messagingengine.com> Date: Thu, 18 Sep 2014 16:15:27 +0200 In-Reply-To: <1410875348.3660913.168112729.18E69A9D@webmail.messagingengine.com> (Mark Felder's message of "Tue, 16 Sep 2014 08:49:08 -0500") Message-ID: <86sijp581s.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2014 14:15:31 -0000 Mark Felder writes: > How many AS are out there don't implement BCP38? Almost all of them. 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
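Added example for the question Zoran raises in the thread above (did my source tree get the fix before I run `patch < /path/to/patch` from Scott's option 2?): a small checker that reads a unified diff and reports whether a file still matches the patch's pre-image (unpatched), already matches its post-image (patched), or neither. This is not code from the advisory, the thread, or FreeBSD; `handle_segment`, `parse_options`, `sys/netinet/example.c` and the hunk are constructed stand-ins for tcp_input.c and SA-14:19/tcp.patch.

```python
import re
# Hunk header: @@ -old_start[,old_count] +new_start[,new_count] @@
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def parse_hunks(diff_text):
    """Return a (pre_image, post_image) pair of line lists per hunk. The counts in
    the @@ header decide where a hunk ends, so a later '--- file' header is never
    mistaken for a removed line."""
    hunks, cur, need_old, need_new = [], None, 0, 0
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            need_old, need_new = int(m.group(1) or 1), int(m.group(2) or 1)
            cur = ([], [])
            hunks.append(cur)
        elif cur is not None and (need_old > 0 or need_new > 0):
            tag, body = (line[0], line[1:]) if line else (" ", "")
            if tag in (" ", "-"):                 # context + removed lines = pre-image
                cur[0].append(body)
                need_old -= 1
            if tag in (" ", "+"):                 # context + added lines = post-image
                cur[1].append(body)
                need_new -= 1
    return hunks

def block_present(lines, block):
    """True if `block` occurs as a contiguous run somewhere in `lines`."""
    n = len(block)
    return n > 0 and any(lines[i:i + n] == block for i in range(len(lines) - n + 1))

def patch_state(file_text, diff_text):
    """'unpatched' if every hunk's pre-image is present (patch will apply), 'patched' if
    every post-image is (fix already in the tree), else 'unknown' (wrong file/dir)."""
    lines, hunks = file_text.splitlines(), parse_hunks(diff_text)
    if hunks and all(block_present(lines, old) for old, _ in hunks):
        return "unpatched"
    if hunks and all(block_present(lines, new) for _, new in hunks):
        return "patched"
    return "unknown"

# Constructed stand-ins for a kernel source file and an advisory patch; not the real ones.
BEFORE = ["int", "handle_segment(struct seg *s)", "{", "\tparse_options(s);", "\treturn 0;", "}"]
FIX = ["\tif (s->len < 0)\t/* constructed bounds check */", "\t\treturn -1;"]
AFTER = BEFORE[:3] + FIX + BEFORE[3:]
DIFF = "\n".join(["--- sys/netinet/example.c.orig", "+++ sys/netinet/example.c", "@@ -2,5 +2,7 @@"]
                 + [" " + l for l in BEFORE[1:3]] + ["+" + l for l in FIX]
                 + [" " + l for l in BEFORE[3:]]) + "\n"

if __name__ == "__main__":
    for name, tree in (("fresh tree", BEFORE), ("already-patched tree", AFTER)):
        print(name, "->", patch_state("\n".join(tree) + "\n", DIFF))
```

Run against the real tree, an "unknown" result from the directory you intend to run patch(1) in is the cue to stop and check paths and revision before applying anything.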