From owner-freebsd-security@FreeBSD.ORG Mon May 4 21:28:34 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D6324E25 for ; Mon, 4 May 2015 21:28:34 +0000 (UTC) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id A1825182F for ; Mon, 4 May 2015 21:28:34 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id t44LSX34033684; Mon, 4 May 2015 17:28:33 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <5547E47A.5040502@sentex.net> Date: Mon, 04 May 2015 17:28:26 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: "freebsd-security@freebsd.org" Subject: Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ? References: <5541560C.5020004@sentex.net> In-Reply-To: <5541560C.5020004@sentex.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 May 2015 21:28:34 -0000 On 4/29/2015 6:07 PM, Mike Tancsa wrote: > > The IP being scanned is in a jail. If I run the scan to an IP not > associated with the jail, the scan does not complain. Its only on the > jailed IP that the scan flags as problematic for this vulnerability. > > If this is a false positive, how can I be sure thats the case ? I have > pcaps of the scan both against the jailed IP (with the scan saying its > vulnerable) and against an IP not associated with the jail, saying its > not an issue. > Anyone have any have any ideas what can be done to mitigate this risk if its real, or if its a false positive ? To further clarify/describe my test environment, this is a RELENG_9 box I am testing against. I have a number of IPs aliased to lo0 associated with jails. If I run the Qualsys scan against an IP on this box that is not associated with a jail, it passes the test for SA-14:19. If I run the test against an IP associated with the jail, it fails the test. e.g. IP 192.168.1.1 is aliased to lo0 and associated with jail1.sentex.ca. If I run the free qualsys scan against jail1.sentex.ca, the test fails. If I stop the jail, and run the qualsys scan against the same IP, which is now just an aliased IP on the host machine, it passes the test. I have the pcaps, but I am not sure exactly what I am looking for in the data. The test just says it confirmed the vulnerability with the following 2 tests, Tested on port 22 with an injected SYN/RST offset by 16 bytes. Tested on port 25 with an injected SYN/RST offset by 16 bytes. What is it about the jail that might be causing either this issue to resurface, or give a false positive that its an issue ? ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ From owner-freebsd-security@FreeBSD.ORG Tue May 5 02:49:13 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7756B1AC for ; Tue, 5 May 2015 02:49:13 +0000 (UTC) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 2F26F1A33 for ; Tue, 5 May 2015 02:49:12 +0000 (UTC) Received: from Julian-MBP3.local (ppp121-45-241-118.lns20.per4.internode.on.net [121.45.241.118]) (authenticated bits=0) by vps1.elischer.org (8.14.9/8.14.9) with ESMTP id t452n7lJ027815 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Mon, 4 May 2015 19:49:10 -0700 (PDT) (envelope-from julian@freebsd.org) Message-ID: <55482F9E.8050701@freebsd.org> Date: Tue, 05 May 2015 10:49:02 +0800 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: Mike Tancsa , "freebsd-security@freebsd.org" Subject: Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ? References: <5541560C.5020004@sentex.net> <5547E47A.5040502@sentex.net> In-Reply-To: <5547E47A.5040502@sentex.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 May 2015 02:49:13 -0000 On 5/5/15 5:28 AM, Mike Tancsa wrote: > On 4/29/2015 6:07 PM, Mike Tancsa wrote: >> >> The IP being scanned is in a jail. If I run the scan to an IP not >> associated with the jail, the scan does not complain. Its only on the >> jailed IP that the scan flags as problematic for this vulnerability. >> >> If this is a false positive, how can I be sure thats the case ? I have >> pcaps of the scan both against the jailed IP (with the scan saying its >> vulnerable) and against an IP not associated with the jail, saying its >> not an issue. >> > > > Anyone have any have any ideas what can be done to mitigate this > risk if its real, or if its a false positive ? Firstly I assume you are not talking about a vimage jail? It seems unlikely that jailing affects that processing. Does the test actually try cause the problem to occur? a tcpdump would be really nice. > > To further clarify/describe my test environment, this is a RELENG_9 > box I am testing against. I have a number of IPs aliased to lo0 > associated with jails. If I run the Qualsys scan against an IP on > this box that is not associated with a jail, it passes the test for > SA-14:19. If I run the test against an IP associated with the jail, > it fails the test. > > e.g. IP 192.168.1.1 is aliased to lo0 and associated with > jail1.sentex.ca. > > If I run the free qualsys scan against jail1.sentex.ca, the test > fails. If I stop the jail, and run the qualsys scan against the > same IP, which is now just an aliased IP on the host machine, it > passes the test. I have the pcaps, but I am not sure exactly what I > am looking for in the data. The test just says it confirmed the > vulnerability with the following 2 tests, > > Tested on port 22 with an injected SYN/RST offset by 16 bytes. > Tested on port 25 with an injected SYN/RST offset by 16 bytes. > > What is it about the jail that might be causing either this issue to > resurface, or give a false positive that its an issue ? > > > ---Mike > > > From owner-freebsd-security@FreeBSD.ORG Tue May 5 13:32:23 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 872D9F28; Tue, 5 May 2015 13:32:23 +0000 (UTC) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 36ADE12FE; Tue, 5 May 2015 13:32:23 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id t45DWMsO020612; Tue, 5 May 2015 09:32:22 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <5548C65D.5070703@sentex.net> Date: Tue, 05 May 2015 09:32:13 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: Julian Elischer , "freebsd-security@freebsd.org" Subject: Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ? References: <5541560C.5020004@sentex.net> <5547E47A.5040502@sentex.net> <55482F9E.8050701@freebsd.org> In-Reply-To: <55482F9E.8050701@freebsd.org> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 May 2015 13:32:23 -0000 On 5/4/2015 10:49 PM, Julian Elischer wrote: >> Anyone have any have any ideas what can be done to mitigate this risk >> if its real, or if its a false positive ? > Firstly I assume you are not talking about a vimage jail? > > It seems unlikely that jailing affects that processing. Does the test > actually try cause the problem to occur? a tcpdump would be really nice. Hi, Just a plain jail. No vimage. It doesnt make sense to me either how the jail / no jail would impact it. I am guessing some sort of false positive as well, but I dont understand the details enough of how the vulnerability works and why there would even be a different result whether its a jail or not, whether real or not. Here is what I did this AM. In the parent, I stopped the jail and I bound sendmail and sshd to the IP 98.159.241.178 and an instance of apache so the same services would be visible on the scan outside the jail and inside. I then ran the scan. It came up clean. I then removed sendmail, sshd and apache from the IP addresses, and started up the jail # sockstat | grep 98.159.241.178 # /usr/local/etc/rc.d/ezjail start scantest.sentex.ca Configuring jails:. Starting jails: scantest.sentex.ca. 0{vinyl6}# sockstat | grep 98.159.241.178 root sendmail 78661 5 tcp4 98.159.241.178:25 *:* www httpd 78659 3 tcp4 98.159.241.178:80 *:* www httpd 78658 3 tcp4 98.159.241.178:80 *:* www httpd 78657 3 tcp4 98.159.241.178:80 *:* www httpd 78656 3 tcp4 98.159.241.178:80 *:* www httpd 78655 3 tcp4 98.159.241.178:80 *:* root httpd 78651 3 tcp4 98.159.241.178:80 *:* root sshd 78646 4 tcp4 98.159.241.178:22 *:* root syslogd 78586 6 udp4 98.159.241.178:514 *:* # and then restarted the scan. Sure enough, it comes up vulnerable. I have placed the 2 pcaps, and the reports in http://www.tancsa.com/jail ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ From owner-freebsd-security@FreeBSD.ORG Thu May 7 13:49:16 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B5128752; Thu, 7 May 2015 13:49:16 +0000 (UTC) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 7F46617E6; Thu, 7 May 2015 13:49:16 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id t47DnDWn039029; Thu, 7 May 2015 09:49:14 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <554B6D4C.50903@sentex.net> Date: Thu, 07 May 2015 09:49:00 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: Julian Elischer , "freebsd-security@freebsd.org" Subject: Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ? References: <5541560C.5020004@sentex.net> <5547E47A.5040502@sentex.net> <55482F9E.8050701@freebsd.org> <5548C65D.5070703@sentex.net> In-Reply-To: <5548C65D.5070703@sentex.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.75 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 May 2015 13:49:16 -0000 On 5/5/2015 9:32 AM, Mike Tancsa wrote: > and then restarted the scan. > > Sure enough, it comes up vulnerable. I have placed the 2 pcaps, and the > reports in http://www.tancsa.com/jail I setup a similar target environment for RELENG_10 but the scan seems to think RELENG_10 is just plain vulnerable. Still trying to figure out / narrow it how it decides its vulnerable. ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/