[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 102/04 - FreeBSD-SA-04:04.tcp many out-of-sequence TCP packets denial-of-service



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 102/04 dated 04.03.04  Time: 12:15 
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

FreeBSD-SA-04:04.tcp many out-of-sequence TCP packets denial-of-service.

Detail
====== 

A remote attacker may conduct a low-bandwidth denial-of-service attack against a machine providing services based on TCP (there are many such services, including HTTP, SMTP, and FTP).  By sending many out-of-sequence TCP segments, the attacker can cause the target machine to consume all available memory buffers (``mbufs''), likely leading to a system crash.



                   ESB-2004.0176 -- FreeBSD-SA-04:04.tcp
            many out-of-sequence TCP packets denial-of-service
                               03 March 2004


Product:                kernel (TCP)
Publisher:              FreeBSD
Operating System:       All FreeBSD releases
                        BSD
Impact:                 Denial of Service
Access Required:        Remote
CVE Names:              CAN-2004-0171

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:04.tcp                                      Security Advisory
                                                          The FreeBSD Project

Topic:          many out-of-sequence TCP packets denial-of-service

Category:       core
Module:         kernel
Announced:      2004-03-02
Credits:        iDEFENSE
Affects:        All FreeBSD releases
Corrected:      2004-03-02 17:19:18 UTC (RELENG_4)
                2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
                2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
                2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
CVE Name:       CAN-2004-0171
FreeBSD only:   NO

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service.  When network packets making up a TCP stream (``TCP
segments'') are received out-of-sequence, they are maintained in a reassembly queue by the destination system until they can be re-ordered and re-assembled.

II.  Problem Description

FreeBSD does not limit the number of TCP segments that may be held in a reassembly queue.

III. Impact

A remote attacker may conduct a low-bandwidth denial-of-service attack against a machine providing services based on TCP (there are many such services, including HTTP, SMTP, and FTP).  By sending many out-of-sequence TCP segments, the attacker can cause the target machine to consume all available memory buffers (``mbufs''), likely leading to a system crash.

IV.  Workaround

It may be possible to mitigate some denial-of-service attacks by implementing timeouts at the application level.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branch dated after the correction date.

OR

2) Patch your present system:

The following patch has been verified to apply to FreeBSD 4.x and 5.x systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 5.2]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc

[FreeBSD 4.8, 4.9]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
- - - -------------------------------------------------------------------------
RELENG_4
  src/UPDATING                                                  1.73.2.90
  src/sys/conf/newvers.sh                                       1.44.2.33
  src/sys/netinet/tcp_input.c                                  1.107.2.40
  src/sys/netinet/tcp_subr.c                                    1.73.2.33
  src/sys/netinet/tcp_var.h                                     1.56.2.15
RELENG_5_2
  src/UPDATING                                                  1.282.2.9
  src/sys/conf/newvers.sh                                        1.56.2.8
  src/sys/netinet/tcp_input.c                                   1.217.2.2
  src/sys/netinet/tcp_subr.c                                    1.169.2.4
  src/sys/netinet/tcp_var.h                                      1.93.2.2
RELENG_4_9
  src/UPDATING                                              1.73.2.89.2.4
  src/sys/conf/newvers.sh                                   1.44.2.32.2.4
  src/sys/netinet/tcp_input.c                              1.107.2.38.2.1
  src/sys/netinet/tcp_subr.c                                1.73.2.31.4.1
  src/sys/netinet/tcp_var.h                                 1.56.2.13.4.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.19
  src/sys/conf/newvers.sh                                  1.44.2.29.2.17
  src/sys/netinet/tcp_input.c                              1.107.2.37.2.1
  src/sys/netinet/tcp_subr.c                                1.73.2.31.2.1
  src/sys/netinet/tcp_var.h                                 1.56.2.13.2.1
- - - -------------------------------------------------------------------------

VII. References

<URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities>
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4

iD8DBQFAROKHFdaIBMps37IRAu9EAJ9VY70IDYdjr6GkKJCJCGyvBV3OcQCeIXwL
UDTQ4rcO/SP2rFRZ0Mcj1iQ=
=Gkct
- - -----END PGP SIGNATURE-----

- - --------------------------END INCLUDED TEXT--------------------

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of FreeBSD for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQEcdSIpao72zK539AQFYyQP/fdmHuejljcRnizxKbW69vG1SFTCoOKaU
Zmo1TwDTA+Vh1FuFTLggSs0vCpJ0aaUy86cdg+vambccYp0YvbUTGvo08vfLE02s
XXbAMwE9FxfTb8so5stHTAVYSK9N/JxoEaTCHXeVF31cfw/wG0e8cei/0UnroPyN
wDTy1+iFVtY=
=8i41
-----END PGP SIGNATURE-----