Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 29 May 2012 11:02:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: John Haxby <john.haxby@...cle.com>, Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request (2002): Linux TCP stack could accept
 invalid TCP flag combinations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/29/2012 06:17 AM, John Haxby wrote:
> On 03/02/12 10:37, Marcus Meissner wrote:
>> Hi,
>> 
>> After a customer query likely coming from erroneous Security
>> Scanner output,
>> 
>> this issue from 2002 has no CVE id yet as far as I see:
>> 
>> http://www.kb.cert.org/vuls/id/464113

Nope it lists one at the bottom:

Other Information
CVE IDs: CVE-2002-2438

>> It describes a problem where firewalls might let some TCP flags
>> combinations pass (e.g. all with RST flag set) and the OS (e.g.
>> Linux) stack would in turn accept a TCP session it might not have
>> accepted otherwise.
>> 
>> The protection added in Linux 2.4.20 is checking for the RST
>> (reset) flag when a SYN packet is received, which was I think the
>> main attack scenario.
>> 
>> The relevant part of the 2.4.20 patch is:
>> 
>> @@ -3667,6 +3693,9 @@ if(th->ack) return 1;
>> 
>> +               if(th->rst) +                       goto
>> discard; + if(th->syn) { if(tp->af_specific->conn_request(sk,
>> skb) < 0) return 1;
>> 
>> 
>> The check still exists in current mainline git, so the issue is
>> still fixed.
>> 
>> Ciao, Marcus
> 
> I suspect that this actually came from here:
> 
> http://www.nessus.org/plugins/index.php?view=single&id=11618
> 
> It's entirely possible that there's a typo in the web page because
> it talks about TCP+FIN but refers to web pages dealing with the
> much older TCP+RST.
> 
> There is actually a SYN+FIN discard fix in the mainline kernel
> which would appear to be a DoS ("Denys Fedoryshchenko reported that
> SYN+FIN attacks were bringing his linux machines to their limits.")
> should we have a CVE for this issue?  (I'll ask in a separate
> message if so.)
> 
> jch

Can you send a separate message and specific information? Thanks.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPxQEyAAoJEBYNRVNeJnmTfK8P/RANaD+snEuUWnGhAVH7x1s4
U5hqhYmOa+z4ZuEZqvtRFQscW3ftKYJcnxvw8x9QU2+mkRLqUL4Iu8xs5ThN1ORY
KoGzFJqaHZRfk1qh0mn6yI31+H3oCqCobX4Q/pq+BqEcXbn0czOfOvH6afW0emvJ
swPf5YP+9quD1CBHtBB2Hl8XGoD2ywPVyHlNkmo67rrbleam2Q6uP+ymDC6TGrve
BpdzaNK9bHMVUSu7dU4i7Wi03SsmyHlfvV4uZTSJtdY17lrMTLjYWtmyfoNB9PY1
c9TO2kz2MADX6ZvI6HFJhAO6rkMpKLyNXL6v9tHgwH7NhidqGX2EeuNTYGLaJ0aM
xXn+ipWTi7DKRc7ifeVh58JX2GcWm+LC++3aPUPmIUlMurnrqksZPGhuqR922VF2
Ab/s5kUVsC6xy2Y1995BcnnezJXUUj/XMW9olXEDzvG/249jZnsmREZbSO9HSU0u
gYudIlcfIdUgMsefhIzjNFenwslfXHlfcC7UlrFVb1URZiEKlhN+tAZ8QiClMg3c
K8QCeyN95DydCrCOPdy3nVLaMX9I18MjU76m9pwMSgA1e9MgACK/Mlbu0yEIFuGg
hLgGzKMp5GqnOg6oVzCSUiQC+KJa0cdljsgN54UHzHud6ZxBPU/KWo1BG3dkWtGN
woSkz1tu1AvBd5QbU7mt
=roya
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.