diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-02:20.syncache.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-02:20.syncache.asc | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-02:20.syncache.asc b/share/security/advisories/FreeBSD-SA-02:20.syncache.asc new file mode 100644 index 0000000000..69cb866943 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-02:20.syncache.asc @@ -0,0 +1,111 @@ +-----BEGIN PGP SIGNED MESSAGE----- + +============================================================================= +FreeBSD-SA-02:20 Security Advisory + FreeBSD, Inc. + +Topic: syncache/syncookies denial of service + +Category: core +Module: net +Announced: 2002-04-16 +Credits: Alan Judge <Alan.Judge@eircom.net> + Dima Ruban <dima@FreeBSD.org> +Affects: FreeBSD 4.5-RELEASE + FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC + FreeBSD 4.5-STABLE prior to the correction date +Corrected: 2002-02-20 16:48:49 UTC (RELENG_4) + 2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1) +FreeBSD only: YES + +I. Background + +The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are +features of the TCP/IP stack intended to improve resistance to a class +of denial of service attacks known as SYN floods. + +II. Problem Description + +Two related problems with syncache were triggered when syncookies were +implemented. + +1) When a SYN was accepted via a syncookie, it used an uninitialized +pointer to find the TCP options for the new socket. This pointer may +be a null pointer, which will cause the machine to crash. + +2) A syncache entry is created when a SYN arrives on a listen socket. +If the application which created the listen socket was killed and +restarted --- and therefore recreated the listen socket with a +different inpcb --- an ACK (or duplicate SYN) which later arrived and +matched the existing syncache entry would cause a reference to the old +inpcb pointer. Depending on the pointer's contents, this might result +in a system crash. + +Because syncache/syncookies support was added prior to the release of +FreeBSD 4.5-RELEASE, no other releases are affected. + +III. Impact + +Legitimate TCP/IP traffic may cause the machine to crash. + +IV. Workaround + +The first issue described may be worked around by disabling syncookies +using sysctl. Issue the following command as root: + + # sysctl -w net.inet.tcp.syncookies=0 + +However, there is no workaround for the second issue. + +V. Solution + +1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5 +security branch dated after the respective correction dates. + +2) To patch your present system: download the relevant patch from the +below location, and execute the following commands as root: + +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc + +This patch has been verified to apply to 4.5-RELEASE only. + +Verify the detached PGP signature using your PGP utility. + +Execute the following commands as root: + +# cd /usr/src +# patch -p < /path/to/patch + +Recompile your kernel as described in +http://www.freebsd.org/handbook/kernelconfig.html and reboot the +system. + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in the FreeBSD ports collection. + +Path Revision + Branch +- ------------------------------------------------------------------------- +src/sys/conf/newvers.sh + RELENG_4_5 1.44.2.20.2.2 +src/sys/netinet/tcp_syncache.c + RELENG_4 1.5.2.5 + RELENG_4_5 1.5.2.4.2.1 +- ------------------------------------------------------------------------- + +VII. References + +<URL:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=34658> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.0.6 (FreeBSD) +Comment: For info see http://www.gnupg.org + +iQCVAwUBPLw9nVUuHi5z0oilAQFwpAP9EJludFfmQfMWU4supMdZ1K//qeqgtJVn +XrEX3TZjqOxRSnlzUUibbO2agnW7yCd8i2Qq0/3KyvMrcS4qSLmcvhQPsZxc26Bx +Xakz3uvCRIA0XlpJAd/HirsdPHQ94q0JMdnx6C1kW+EMQzM/0KKLpVNsdnFopy0m +mtPNSZRYgHk= +=9qwI +-----END PGP SIGNATURE----- |