From owner-freebsd-security@FreeBSD.ORG Tue Mar 2 12:08:13 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B44716A4CE for ; Tue, 2 Mar 2004 12:08:13 -0800 (PST) Received: from mail.evilcoder.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7110D43D2D for ; Tue, 2 Mar 2004 12:08:10 -0800 (PST) (envelope-from remko@elvandar.org) From: "Remko Lodder" To: "Daniel Spielman" , Date: Tue, 2 Mar 2004 21:08:03 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) In-Reply-To: <20040302200713.8381924@mail.elvandar.org> Importance: Normal X-Virus-Scanned: for evilcoder.org Message-Id: <20040302200809.0E98F2B4DA4@mail.evilcoder.org> Subject: RE: [Freebsd-security] Re: FreeBSD Security AdvisoryFreeBSD-SA-04:04.tcp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Mar 2004 20:08:13 -0000 yes unless you use the version as of :> 2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1) check it out with uname -a if it does not say -p1 it affects you. My guess, you are affected :) cheers -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van: freebsd-security-bounces@lists.elvandar.org [mailto:freebsd-security-bounces@lists.elvandar.org]Namens Daniel Spielman Verzonden: dinsdag 2 maart 2004 21:06 Aan: freebsd-security@FreeBSD.org Onderwerp: [Freebsd-security] Re: FreeBSD Security AdvisoryFreeBSD-SA-04:04.tcp is FreeBSD 5.2.1 affected by this exploit ? On Tue, 2 Mar 2004, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================ = > FreeBSD-SA-04:04.tcp Security Advisory > The FreeBSD Project > > Topic: many out-of-sequence TCP packets denial-of-service > > Category: core > Module: kernel > Announced: 2004-03-02 > Credits: iDEFENSE > Affects: All FreeBSD releases > Corrected: 2004-03-02 17:19:18 UTC (RELENG_4) > 2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1) > 2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3) > 2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16) > CVE Name: CAN-2004-0171 > FreeBSD only: NO > > I. Background > > The Transmission Control Protocol (TCP) of the TCP/IP protocol suite > provides a connection-oriented, reliable, sequence-preserving data > stream service. When network packets making up a TCP stream (``TCP > segments'') are received out-of-sequence, they are maintained in a > reassembly queue by the destination system until they can be re-ordered > and re-assembled. > > II. Problem Description > > FreeBSD does not limit the number of TCP segments that may be held in a > reassembly queue. > > III. Impact > > A remote attacker may conduct a low-bandwidth denial-of-service attack > against a machine providing services based on TCP (there are many such > services, including HTTP, SMTP, and FTP). By sending many > out-of-sequence TCP segments, the attacker can cause the target machine > to consume all available memory buffers (``mbufs''), likely leading to > a system crash. > > IV. Workaround > > It may be possible to mitigate some denial-of-service attacks by > implementing timeouts at the application level. > > V. Solution > > Do one of the following: > > 1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2, > RELENG_4_9, or RELENG_4_8 security branch dated after the correction > date. > > OR > > 2) Patch your present system: > > The following patch has been verified to apply to FreeBSD 4.x and 5.x > systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 5.2] > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc > > [FreeBSD 4.8, 4.9] > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc > > b) Apply the patch. > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch Revision > Path > - ------------------------------------------------------------------------ - > RELENG_4 > src/UPDATING 1.73.2.90 > src/sys/conf/newvers.sh 1.44.2.33 > src/sys/netinet/tcp_input.c 1.107.2.40 > src/sys/netinet/tcp_subr.c 1.73.2.33 > src/sys/netinet/tcp_var.h 1.56.2.15 > RELENG_5_2 > src/UPDATING 1.282.2.9 > src/sys/conf/newvers.sh 1.56.2.8 > src/sys/netinet/tcp_input.c 1.217.2.2 > src/sys/netinet/tcp_subr.c 1.169.2.4 > src/sys/netinet/tcp_var.h 1.93.2.2 > RELENG_4_9 > src/UPDATING 1.73.2.89.2.4 > src/sys/conf/newvers.sh 1.44.2.32.2.4 > src/sys/netinet/tcp_input.c 1.107.2.38.2.1 > src/sys/netinet/tcp_subr.c 1.73.2.31.4.1 > src/sys/netinet/tcp_var.h 1.56.2.13.4.1 > RELENG_4_8 > src/UPDATING 1.73.2.80.2.19 > src/sys/conf/newvers.sh 1.44.2.29.2.17 > src/sys/netinet/tcp_input.c 1.107.2.37.2.1 > src/sys/netinet/tcp_subr.c 1.73.2.31.2.1 > src/sys/netinet/tcp_var.h 1.56.2.13.2.1 > - ------------------------------------------------------------------------ - > > VII. References > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.4 > > iD8DBQFAROKHFdaIBMps37IRAu9EAJ9VY70IDYdjr6GkKJCJCGyvBV3OcQCeIXwL > UDTQ4rcO/SP2rFRZ0Mcj1iQ= > =Gkct > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" _______________________________________________ Freebsd-security mailing list Freebsd-security@lists.elvandar.org http://lists.elvandar.org/mailman/listinfo/freebsd-security