Site Navigation

Date:      Tue, 05 May 2015 09:32:13 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        Julian Elischer <julian@freebsd.org>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ?
Message-ID:  <5548C65D.5070703@sentex.net>
In-Reply-To: <55482F9E.8050701@freebsd.org>
References:  <5541560C.5020004@sentex.net> <5547E47A.5040502@sentex.net> <55482F9E.8050701@freebsd.org>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

On 5/4/2015 10:49 PM, Julian Elischer wrote:
>> Anyone have any have any ideas what can be done to mitigate this risk
>> if its real, or if its a false positive ?
> Firstly I assume you are not talking about a vimage jail?
>
> It seems unlikely that jailing affects that processing. Does the test
> actually try cause the problem to occur? a tcpdump would be really nice.

Hi,
	Just a plain jail. No vimage.  It doesnt make sense to me either how 
the jail / no jail would impact it. I am guessing some sort of false 
positive as well, but I dont understand the details enough of how the 
vulnerability works and why there would even be a different result 
whether its a jail or not, whether real or not.

Here is what I did this AM.

In the parent, I stopped the jail and I bound sendmail and sshd to the 
IP 98.159.241.178 and an instance of apache so the same services would 
be visible on the scan outside the jail and inside. I then ran the scan. 
It came up clean. I then removed sendmail, sshd and apache from the IP 
addresses, and started up the jail

# sockstat | grep 98.159.241.178
# /usr/local/etc/rc.d/ezjail start scantest.sentex.ca
Configuring jails:.
Starting jails: scantest.sentex.ca.
0{vinyl6}# sockstat | grep 98.159.241.178
root     sendmail   78661 5  tcp4   98.159.241.178:25     *:*
www      httpd      78659 3  tcp4   98.159.241.178:80     *:*
www      httpd      78658 3  tcp4   98.159.241.178:80     *:*
www      httpd      78657 3  tcp4   98.159.241.178:80     *:*
www      httpd      78656 3  tcp4   98.159.241.178:80     *:*
www      httpd      78655 3  tcp4   98.159.241.178:80     *:*
root     httpd      78651 3  tcp4   98.159.241.178:80     *:*
root     sshd       78646 4  tcp4   98.159.241.178:22     *:*
root     syslogd    78586 6  udp4   98.159.241.178:514    *:*
#

and then restarted the scan.

Sure enough, it comes up vulnerable.  I have placed the 2 pcaps, and the 
reports in http://www.tancsa.com/jail

	---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5548C65D.5070703>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact