Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 17 Oct 2014 17:02:50 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Connected UDP sockets and kernel queuing (CVE-2014-6512)

I noticed a potential issue with connected UDP sockets and the kernel 
kernel per-socket packet queue, potentially leading to IP spoofing 
vulnerabilities in the sense that the application thinks the packet came 
from host A, but it really came from host B:

   <https://bugzilla.redhat.com/show_bug.cgi?id=1071210>

OpenJDK is particularly exposed because DatagramSocket.disconnect() 
calls connect(2) with AF_UNSPEC (or a NULL socket address on some 
systems) to disconnect sockets, which is a rarely used feature of the 
BSD sockets API.  OpenJDK ensures that these disconnected sockets remain 
bound to a port, so it was possible to enqueue packets whose source 
address will not be checked, without even having a tight race to win.

We thought briefly about fixing this in the kernel, but thought better 
of it because of backwards compatibility concerns (and we would have to 
patch OpenJDK nevertheless).  The OpenJDK fix simply checks the source 
address of incoming packets.  Oracle's fix has an optimization that 
drops this additional filter after the maximum amount of pending packets 
has been consumed from the socket; my patch moved the filter to native 
code instead and applied it to every packet on a connected socket.  I 
think both approaches are valid.

I'm sharing this with a wider audience because in theory, other 
UDP-based services could be affected, although I didn't spot any when I 
looked at this prior to disclosure.

-- 
Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.