Date: Thu, 31 May 2012 11:44:53 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: John Haxby <john.haxby@...cle.com>
Subject: Re: CVE Request -- kernel: tcp: drop SYN+FIN messages

On 05/30/2012 02:02 PM, Kurt Seifried wrote:
> On 05/30/2012 03:44 AM, John Haxby wrote:
> 
>> Recently we have a couple of queries relating to a Nessus "TCP/IP
>> SYN+FIN Packet Filtering Weakness". This has not been helped
>> by the fact that [1] actually points (indirectly) to
>> CVE-2002-2438 which is actually a SYN+RST problem.
> 
>> The Nessus script actually appears to detect this problem (also 
>> described in [2]):
> 
>> commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa Author: Eric 
>> Dumazet <eric.dumazet@...il.com> Date:   Fri Dec 2 23:41:42 2011 
>> +0000
> 
>> tcp: drop SYN+FIN messages
> 
>> Denys Fedoryshchenko reported that SYN+FIN attacks were bringing 
>> his linux machines to their limits.
> 
>> Dont call conn_request() if the TCP flags includes SYN flag
> 
>> Reported-by: Denys Fedoryshchenko <denys@...p.net.lb> 
>> Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
>> Signed-off-by: David S. Miller <davem@...emloft.net>
> 
>> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 
>> 78dd38c..0cbb440 100644 --- a/net/ipv4/tcp_input.c +++ 
>> b/net/ipv4/tcp_input.c @@ -5811,6 +5811,8 @@ int 
>> tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto 
>> discard;
> 
>> if (th->syn) { +            if (th->fin) +                goto 
>> discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
>> return 1;
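Review bot: the commit message says "Dont call conn_request() if the TCP flags includes SYN flag", but the added lines `if (th->fin)` / `goto discard;` sit inside the existing `if (th->syn)` block, so what the hunk actually rejects is a segment carrying both SYN and FIN; the message should read "FIN flag" (or "SYN+FIN") so it matches the code. A one-line comment above the new check stating that SYN+FIN is an invalid combination and that such segments must never reach conn_request() would also help the next reader, since the bare `goto discard` gives no hint why the segment is dropped.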
> 
> 
>> References: [1] 
>> http://www.nessus.org/plugins/index.php?view=single&id=11618 [2] 
>> http://markmail.org/thread/l6y5vu3tub434z4w
> 
> Please use CVE-2012-2663 for this issue.
> 
> This is tracked by Red Hat as:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=826702

To clarify: CVE-2012-2663 is for the --syn processing flaw of SYN+FIN
packets in iptables (user space tools).
Also if people could test their firewalls to make sure this still
doesn't affect other operating systems that would probably be a good idea.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
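The kernel change quoted above discards a segment whose header carries both SYN and FIN before it is handed to conn_request(). The following C program, added here as an illustration and not taken from the kernel or from anyone on this thread, parses the fixed part of a TCP header from raw bytes and applies that same rule, so that captured segments can be classified the way the patched receive path would treat them. The header layout is the standard one from RFC 793; the sample segments, the function names and the struct are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (RFC 793). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

#define TCP_MIN_HDR_LEN 20

/* Hypothetical view of the fields this example needs (not a kernel struct). */
struct tcp_hdr_view {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  doff;   /* header length in bytes, decoded from the data offset */
    uint8_t  flags;  /* raw flag byte */
};

/* Parse the fixed 20-byte part of a TCP header.
 * Returns 0 on success, -1 if the buffer is shorter than the minimum header
 * or the data offset is inconsistent with the buffer length. */
int tcp_parse(const uint8_t *buf, size_t len, struct tcp_hdr_view *out)
{
    if (buf == NULL || out == NULL || len < TCP_MIN_HDR_LEN)
        return -1;
    out->sport = (uint16_t)((buf[0] << 8) | buf[1]);
    out->dport = (uint16_t)((buf[2] << 8) | buf[3]);
    out->seq   = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                 ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    out->ack   = ((uint32_t)buf[8] << 24) | ((uint32_t)buf[9] << 16) |
                 ((uint32_t)buf[10] << 8) |  (uint32_t)buf[11];
    out->doff  = (uint8_t)((buf[12] >> 4) * 4);
    out->flags = buf[13];
    if (out->doff < TCP_MIN_HDR_LEN || out->doff > len)
        return -1;
    return 0;
}

/* The rule from the quoted patch: a segment with SYN set is discarded when
 * FIN is also set, before any connection request processing happens. */
int tcp_should_discard_syn_fin(uint8_t flags)
{
    return (flags & TCP_SYN) && (flags & TCP_FIN);
}

/* Classify a raw segment the way the patched receive path would:
 *  1 = discard (SYN+FIN), 0 = pass on to normal processing, -1 = malformed. */
int tcp_classify_segment(const uint8_t *buf, size_t len)
{
    struct tcp_hdr_view h;
    if (tcp_parse(buf, len, &h) < 0)
        return -1;
    return tcp_should_discard_syn_fin(h.flags);
}

/* Count how many well-formed segments in a batch would be discarded,
 * e.g. when replaying a capture to see whether a host saw this traffic. */
size_t tcp_count_syn_fin(const uint8_t *const *segs, const size_t *lens, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (tcp_classify_segment(segs[i], lens[i]) == 1)
            hits++;
    return hits;
}

/* Constructed sample headers (not captured traffic): src port 12345,
 * dst port 80, seq 1, data offset 5 (20 bytes), differing only in flags. */
static const uint8_t SAMPLE_SYN[20] =
    { 0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50, TCP_SYN,           0xff,0xff, 0,0, 0,0 };
static const uint8_t SAMPLE_SYN_FIN[20] =
    { 0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50, TCP_SYN | TCP_FIN, 0xff,0xff, 0,0, 0,0 };
static const uint8_t SAMPLE_ACK[20] =
    { 0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50, TCP_ACK,           0xff,0xff, 0,0, 0,0 };

int main(void)
{
    const uint8_t *segs[] = { SAMPLE_SYN, SAMPLE_SYN_FIN, SAMPLE_ACK };
    const size_t lens[]   = { 20, 20, 20 };
    const char *names[]   = { "SYN", "SYN+FIN", "ACK" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s -> %d\n", names[i], tcp_classify_segment(segs[i], lens[i]));
    printf("discarded: %zu of 3\n", tcp_count_syn_fin(segs, lens, 3));
    return 0;
}
```

The parser validates the data offset against the buffer length before trusting the flag byte, which is the check a defensive classifier needs when fed arbitrary captured bytes; the discard rule itself is intentionally as small as the kernel's, so the classifier's verdict and the patched receive path agree on every segment.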

