From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 12:49:32 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DFF1A1C6 for ; Tue, 16 Sep 2014 12:49:32 +0000 (UTC) Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id 2B313927 for ; Tue, 16 Sep 2014 12:49:31 +0000 (UTC) Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua [212.40.38.100]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id PAA08950 for ; Tue, 16 Sep 2014 15:49:30 +0300 (EEST) (envelope-from avg@FreeBSD.org) Received: from localhost ([127.0.0.1]) by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD)) id 1XTsCI-0004gM-Ih for freebsd-security@freebsd.org; Tue, 16 Sep 2014 15:49:30 +0300 Message-ID: <541831A3.7010700@FreeBSD.org> Date: Tue, 16 Sep 2014 15:48:35 +0300 From: Andriy Gapon User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0 MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:19.tcp References: <201409161014.s8GAE7jY070664@freefall.freebsd.org> In-Reply-To: <201409161014.s8GAE7jY070664@freefall.freebsd.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Tue, 16 Sep 2014 12:56:08 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2014 12:49:33 -0000 On 16/09/2014 13:14, FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-14:19.tcp Security Advisory > The FreeBSD Project > > Topic: Denial of Service in TCP packet processing > > Category: core > Module: inet > Announced: 2014-09-16 > Credits: Jonathan Looney (Juniper SIRT) > Affects: All supported versions of FreeBSD. Does the issue affect head aka CURRENT as well? > Corrected: 2014-09-16 09:48:35UTC (stable/10, 10.1-PRERELEASE) > 2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1) > 2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9) > 2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE) > 2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2) > 2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12) > 2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19) > 2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE) > 2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16) > CVE Name: CVE-2004-0230 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The Transmission Control Protocol (TCP) of the TCP/IP protocol suite > provides a connection-oriented, reliable, sequence-preserving data > stream service. New TCP connections are initiated using special SYN > flag in a datagram. Sequencing of data is controlled by 32-bit sequence > numbers, that start with a random value and are increased using modulo > 2**32 arithmetic. TCP endpoints maintain a window of expected, and > thus allowed, sequence numbers for a connection. > > II. Problem Description > > When a segment with the SYN flag for an already existing connection arrives, > the TCP stack tears down the connection, bypassing a check that the > sequence number in the segment is in the expected window. > > III. Impact > > An attacker who has the ability to spoof IP traffic can tear down a > TCP connection by sending only 2 packets, if they know both TCP port > numbers. In case one of the two port numbers is unknown, a successful > attack requires less than 2**17 packets spoofed, which can be > generated within less than a second on a decent connection to the > Internet. > > IV. Workaround > > It is possible to defend against these attacks with stateful traffic > inspection using a firewall. This can be done by enabling pf(4) on > the system and creating states for every connection. Even a default > ruleset to allow all traffic would be sufficient to mitigate this > issue. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch > # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc > # gpg --verify tcp.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > 3) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > ------------------------------------------------------------------------- > stable/8/ r271668 > releng/8.4/ r271669 > stable/9/ r271668 > releng/9.1/ r271669 > releng/9.2/ r271669 > releng/9.3/ r271669 > stable/10/ r271667 > releng/10.0/ r271669 > ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > > > VII. References > > > > The latest revision of this advisory is available at > > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" > -- Andriy Gapon