svn commit: r47036 - in head/share: security/advisories security/patches/SA-15:13 xml
Xin LI
delphij at FreeBSD.org
Tue Jul 21 23:51:23 UTC 2015
Author: delphij
Date: Tue Jul 21 23:51:20 2015
New Revision: 47036
URL: https://svnweb.freebsd.org/changeset/doc/47036
Log:
Add SA-15:13.tcp.
Added:
head/share/security/advisories/FreeBSD-SA-15:13.tcp.asc (contents, props changed)
head/share/security/patches/SA-15:13/
head/share/security/patches/SA-15:13/tcp-9.patch (contents, props changed)
head/share/security/patches/SA-15:13/tcp-9.patch.asc (contents, props changed)
head/share/security/patches/SA-15:13/tcp.patch (contents, props changed)
head/share/security/patches/SA-15:13/tcp.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-15:13.tcp.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:13.tcp.asc Tue Jul 21 23:51:20 2015 (r47036)
@@ -0,0 +1,165 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:13.tcp Security Advisory
+ The FreeBSD Project
+
+Topic: Resource exhaustion due to sessions stuck in LAST_ACK state
+
+Category: core
+Module: inet
+Announced: 2015-07-21
+Credits: Lawrence Stewart (Netflix, Inc.),
+ Jonathan Looney (Juniper SIRT)
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-07-21 23:42:17 UTC (stable/10, 10.2-PRERELEASE)
+ 2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA1-p1)
+ 2015-07-21 23:42:17 UTC (stable/10, 10.2-BETA2-p1)
+ 2015-07-21 23:42:56 UTC (releng/10.1, 10.1-RELEASE-p15)
+ 2015-07-21 23:42:20 UTC (stable/9, 9.3-STABLE)
+ 2015-07-21 23:42:56 UTC (releng/9.3, 9.3-RELEASE-p20)
+ 2015-07-21 23:42:20 UTC (stable/8, 8.4-STABLE)
+ 2015-07-21 23:42:56 UTC (releng/8.4, 8.4-RELEASE-p34)
+CVE Name: CVE-2015-5358
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service.
+
+A socket enters the LAST_ACK state when the local process closes its socket
+after a FIN has already been received from the remote peer. The socket
+will remain in the LAST_ACK state until the kernel has transmitted a FIN to
+the remote peer and the kernel has received an acknowledgement of that FIN
+from the remote peer, or all retransmits of the FIN have failed and the
+connection times out.
+
+II. Problem Description
+
+TCP connections transitioning to the LAST_ACK state can become permanently
+stuck due to mishandling of protocol state in certain situations, which in
+turn can lead to accumulated consumption and eventual exhaustion of system
+resources, such as mbufs and sockets.
+
+III. Impact
+
+An attacker who can repeatedly establish TCP connections to a victim system
+(for instance, a Web server) could create many TCP connections that are
+stuck in LAST_ACK state and cause resource exhaustion, resulting in a
+denial of service condition. This may also happen in normal operation
+where no intentional attack is conducted, but an attacker who can send
+specifically crafted packets can trigger this more reliably.
+
+IV. Workaround
+
+No workaround is available, but systems that do not provide TCP based
+service to untrusted networks are not vulnerable.
+
+Note that the tcpdrop(8) utility can be used to purge connections which
+have become wedged. For example, the following command can be used to
+generate commands that would drop all connections whose last rcvtime is
+more than 100s:
+
+ netstat -nxp tcp | \
+ awk '{ if (int($NF) > 100) print "tcpdrop " $4 " " $5 }'
+
+The system administrator can then run the generated script as a temporary
+measure. Please refer to the tcpdump(8) manual page for additional
+information.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.1]
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+[FreeBSD 9.x and 8.x]
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:13/tcp-9.patch.asc
+# gpg --verify tcp-9.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r285779
+releng/8.4/ r285780
+stable/9/ r285779
+releng/9.3/ r285780
+stable/10/ r285778
+releng/10.1/ r285780
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5358>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:13.tcp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAEBCgAGBQJVrtnrAAoJEO1n7NZdz2rnchoQAMUV9fuXsBvQgvugFVpoe4HP
+t7tTIzKKmvC3SVOQfPF6jQllVL9qbRJK9zVdFcGX0Iy07/QPKMIRIFXqiYmRwyXt
+YEuZtZMHEo6w5YS/gEwSndGRFduFAfhaNZndycjA3O5nxR16cvqScDUAv0nErQGD
+jJzhjbwdrT4fLg06PgLOdNwQKOPhdM1k4ZOdg7WUYDi2iQUmYpD2SOzRAx/SoDK7
+N0qd7Cy7mZBLbmm1zbCGDPhvNVYCKQjPjhiZ1GhfzUQ2n9bBOGLf2K1d/N0cttFH
+/MfJoi2yRlU3iJE2DOJeD0/m4sJLmTL/7sqYEP9W2939oVH0Bku/KoJG4I4rZLDl
+6yoKTxtyJGxbw8N2M/ObFpCQwn56Vjf2oo1LhIdBb+T48OwSwxuwrtw4VnlUnVLo
+oJ5UA1VnazoyU6AwADpHkGPEPvRF1SUXfOuIOoHiZZ6O3eHdoeD3e2HqLQhoYVCj
+PMEi/k45jPnWWhwV76I65Ig02YRgzhMTSunjXLQhi44Eeavf1SxHTJpSHuVjg3zu
+MDDW55yB+wJvoetwCg3IkFPfmFBmto679xywDCKVd9VYeKoFsiVE4F/APqf6hN7o
+qO8etL5oXnwjNsm9Tf8vImoWrBw2gRYkSieG+Vsx4r2r5JNHKRg1AVmRdihI1ATb
+canMZYhLMD6A1x5T54Ya
+=UPeI
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-15:13/tcp-9.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:13/tcp-9.patch Tue Jul 21 23:51:20 2015 (r47036)
@@ -0,0 +1,31 @@
+Index: sys/netinet/tcp_output.c
+===================================================================
+--- sys/netinet/tcp_output.c (revision 285435)
++++ sys/netinet/tcp_output.c (working copy)
+@@ -397,7 +397,7 @@ after_sack_rexmit:
+ flags &= ~TH_FIN;
+ }
+
+- if (len < 0) {
++ if (len <= 0) {
+ /*
+ * If FIN has been sent but not acked,
+ * but we haven't been called to retransmit,
+@@ -407,9 +407,16 @@ after_sack_rexmit:
+ * to (closed) window, and set the persist timer
+ * if it isn't already going. If the window didn't
+ * close completely, just wait for an ACK.
++ *
++ * We also do a general check here to ensure that
++ * we will set the persist timer when we have data
++ * to send, but a 0-byte window. This makes sure
++ * the persist timer is set even if the packet
++ * hits one of the "goto send" lines below.
+ */
+ len = 0;
+- if (sendwin == 0) {
++ if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
++ (off < (int) so->so_snd.sb_cc)) {
+ tcp_timer_activate(tp, TT_REXMT, 0);
+ tp->t_rxtshift = 0;
+ tp->snd_nxt = tp->snd_una;
Added: head/share/security/patches/SA-15:13/tcp-9.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:13/tcp-9.patch.asc Tue Jul 21 23:51:20 2015 (r47036)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAABCgAGBQJVrtn5AAoJEO1n7NZdz2rnZNAP/isVEBX+KzcSl9/mQffRZXz2
++dujbMeZn0eVBF2e8y+DaWWkaBPTjwKZBfAuaM+VAKaQ/Gb4wM5d5vaDlPS1c+qw
+ZsFDs7glL+szJY7OdodBRGnkAP4+aXcJhd5pLjqBQ37ZwaahpYXR6VD40WBrk9Xg
+b3IhftGkhkjCJhEeZ9ct/K8CqN31XSRwD2SX7aHkLODLEC5kOIoV5cxv5F4BgN+B
+gSbryW6ZcxExP0KABTthHamF24G9n1GTeEAZuGXJvOjJBu3co8XCHQp5ELbuP/lN
+UVeTwiyEgq7XiacwfLPCSKTfhEvymq3PlJHMzXq3AiTwbvP3xGaCoxxOMI/SUsBh
+JNs0Fi3ZfiPn8WAJTnf0E/xqEq6qkLTjMOYX9vXDC1HQElwCPv4SpMJ0pkvP7Hl4
+68EV+Ohrp4jGOYtUol7JardMHtnUUd4rs3TkutKcgy7I49/4FKQ8UFyf13DCxA01
+X0oxTdYoY9HwoRdIkJj+mcKiAFXAfrwoDWaZj6L6dZwXWg12N3c5f1i6vokczmaq
+lK28ui8u4LtUgfoU+FfXzwPT5zfQXG5JGr4ehwOCN1MvGJSbMMMmII3RgfrXAb/H
+/W+su8oCHCuHV2vRRClGKL80oVgt63LfHqUFY8QyQnmDqe+VOHsHiQQ5IGXHxJU3
+AiZDOe38k8NCOFahQtio
+=CFEV
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-15:13/tcp.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:13/tcp.patch Tue Jul 21 23:51:20 2015 (r47036)
@@ -0,0 +1,31 @@
+Index: sys/netinet/tcp_output.c
+===================================================================
+--- sys/netinet/tcp_output.c (revision 285435)
++++ sys/netinet/tcp_output.c (working copy)
+@@ -400,7 +400,7 @@ after_sack_rexmit:
+ flags &= ~TH_FIN;
+ }
+
+- if (len < 0) {
++ if (len <= 0) {
+ /*
+ * If FIN has been sent but not acked,
+ * but we haven't been called to retransmit,
+@@ -410,9 +410,16 @@ after_sack_rexmit:
+ * to (closed) window, and set the persist timer
+ * if it isn't already going. If the window didn't
+ * close completely, just wait for an ACK.
++ *
++ * We also do a general check here to ensure that
++ * we will set the persist timer when we have data
++ * to send, but a 0-byte window. This makes sure
++ * the persist timer is set even if the packet
++ * hits one of the "goto send" lines below.
+ */
+ len = 0;
+- if (sendwin == 0) {
++ if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
++ (off < (int) so->so_snd.sb_cc)) {
+ tcp_timer_activate(tp, TT_REXMT, 0);
+ tp->t_rxtshift = 0;
+ tp->snd_nxt = tp->snd_una;
Added: head/share/security/patches/SA-15:13/tcp.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:13/tcp.patch.asc Tue Jul 21 23:51:20 2015 (r47036)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAABCgAGBQJVrtn8AAoJEO1n7NZdz2rnTxgP/RaL03Wk7bJDuusYOT5i/QYz
+t09p23Xf1dTayN/6CJQj9knt9Dp7CnX7Yjev/R+MEWOvEbYg4hP5iqpPRK4pIpAZ
+yfq6jO5w1Fis5GA8sYW6MEgQd9LOCeqTLHL/rJjiqwpMR0KwV82gNvKu4vwAfBqO
+sZZ3tNutRS0Kx22dt4rHXnZz08ldPvRF697XTJ858BSZcpqKVouUAM/7MrJ+HQCL
+51v4mLX5ewhuJ/Z1/sMPIfbQ4j1JceIG11xAeNkDwaC4MXkKrHkZK0PuLIBwyPKK
+nezCQ9UveoMSkVhelgkeb+QVTDwwiVBFCMBOD4acs7aswRNwNJO3faMmlf2oGFbG
+64tbIIH3AKKa7Q6Qd/agfoxFzSSdMGK0MuHauJOsiacPQqa5pO3wKoeFSobEQSQO
+XY2n+t763PpDdDmqjroqOcEemsN5cMbr8B3fil5e1sihN1df/Jkw4Ifz6s4R0SYI
+wo2mCurcygiUVoWuitNsPlDrPPh0EAwxcjmSOLgxsVukZKQRXgm3vx1zfyuyN3z/
+KZQERfspSRakM9nVuk7usJr2J4RwPJrEtYhu8hjlPVmZEAaQSCJYtmwj3LYiyUc0
+4Pq1tSqlfz5Oba13Q2W+09FuctLiobXhCftsYeodOfuofWLqQmi3B4A4nz3jBUI7
+zQj83z7/kojfqRNHhYNf
+=WBT+
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Tue Jul 21 17:55:37 2015 (r47035)
+++ head/share/xml/advisories.xml Tue Jul 21 23:51:20 2015 (r47036)
@@ -11,6 +11,14 @@
<name>7</name>
<day>
+ <name>21</name>
+
+ <advisory>
+ <name>FreeBSD-SA-15:13.tcp</name>
+ </advisory>
+ </day>
+
+ <day>
<name>9</name>
<advisory>
More information about the svn-doc-all
mailing list