[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:19.tcp

Andriy Gapon avg at FreeBSD.org
Tue Sep 16 12:49:33 UTC 2014 

On 16/09/2014 13:14, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-14:19.tcp                                        Security Advisory
>                                                           The FreeBSD Project
> 
> Topic:          Denial of Service in TCP packet processing
> 
> Category:       core
> Module:         inet
> Announced:      2014-09-16
> Credits:        Jonathan Looney (Juniper SIRT)
> Affects:        All supported versions of FreeBSD.

Does the issue affect head aka CURRENT as well?

> Corrected:      2014-09-16 09:48:35UTC (stable/10, 10.1-PRERELEASE)
>                 2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1)
>                 2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9)
>                 2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE)
>                 2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2)
>                 2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12)
>                 2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19)
>                 2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE)
>                 2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16)
> CVE Name:       CVE-2004-0230
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
> 
> I.   Background
> 
> The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
> provides a connection-oriented, reliable, sequence-preserving data
> stream service.  New TCP connections are initiated using special SYN
> flag in a datagram.  Sequencing of data is controlled by 32-bit sequence
> numbers, that start with a random value and are increased using modulo
> 2**32 arithmetic.  TCP endpoints maintain a window of expected, and
> thus allowed, sequence numbers for a connection.
> 
> II.  Problem Description
> 
> When a segment with the SYN flag for an already existing connection arrives,
> the TCP stack tears down the connection, bypassing a check that the
> sequence number in the segment is in the expected window.
> 
> III. Impact
> 
> An attacker who has the ability to spoof IP traffic can tear down a
> TCP connection by sending only 2 packets, if they know both TCP port
> numbers.  In case one of the two port numbers is unknown, a successful
> attack requires less than 2**17 packets spoofed, which can be
> generated within less than a second on a decent connection to the
> Internet.
> 
> IV.  Workaround
> 
> It is possible to defend against these attacks with stateful traffic
> inspection using a firewall.  This can be done by enabling pf(4) on
> the system and creating states for every connection.  Even a default
> ruleset to allow all traffic would be sufficient to mitigate this
> issue.
> 
> V.   Solution
> 
> Perform one of the following:
> 
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
> 
> 2) To update your vulnerable system via a source code patch:
> 
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
> # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
> # gpg --verify tcp.patch.asc
> 
> b) Apply the patch.  Execute the following commands as root:
> 
> # cd /usr/src
> # patch < /path/to/patch
> 
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
> 
> 3) To update your vulnerable system via a binary patch:
> 
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
> 
> # freebsd-update fetch
> # freebsd-update install
> 
> VI.  Correction details
> 
> The following list contains the correction revision numbers for each
> affected branch.
> 
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/8/                                                         r271668
> releng/8.4/                                                       r271669
> stable/9/                                                         r271668
> releng/9.1/                                                       r271669
> releng/9.2/                                                       r271669
> releng/9.3/                                                       r271669
> stable/10/                                                        r271667
> releng/10.0/                                                      r271669
> -------------------------------------------------------------------------
> 
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
> 
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
> 
> Or visit the following URL, replacing NNNNNN with the revision number:
> 
> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
> 
> VII. References
> 
> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230>
> 
> The latest revision of this advisory is available at
> <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:19.tcp.asc>
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
> 

-- 
Andriy Gapon

More information about the freebsd-security mailing list