Archive of FreeBSD Security general posting, FreeBSD Security Advisory FreeBSD-SA-03:03.syncookies

24/02/03, FreeBSD Security Advisory FreeBSD-SA-03:03.syncookies
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Subject: FreeBSD Security Advisory FreeBSD-SA-03:03.syncookies
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Date: Mon, 24 Feb 2003 05:05:37 -0800 (PST)
Delivered-to: freebsd-security-notifications@freebsd.org
List-archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-id: <freebsd-security-notifications.FreeBSD.ORG>
List-subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security-notifications>
List-unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security-notifications>
Mail-from: From owner-freebsd-security-notifications@FreeBSD.ORG Mon Feb 24 20:06:18 2003
Reply-to: postmaster@FreeBSD.ORG
Sender: owner-freebsd-security-notifications@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:03.syncookies                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Brute force attack on SYN cookies

Category:       core
Module:         sys_netinet
Announced:      2003-02-24
Credits:        Mike Silbersack <silby@FreeBSD.org>
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4.6-RELEASE prior to 4.6.2-RELEASE-p9
                FreeBSD 4.7-RELEASE prior to 4.7-RELEASE-p6
                FreeBSD 4.7-STABLE prior to the correction date
                FreeBSD 5.0-RELEASE prior to 5.0-RELEASE-p3
Corrected:      2003-02-23 19:04:58 UTC (RELENG_4)
                2003-02-23 20:18:48 UTC (RELENG_5_0)
                2003-02-23 20:19:29 UTC (RELENG_4_7)
                2003-02-24 02:42:06 UTC (RELENG_4_6)
FreeBSD only:   YES

I.  Background

SYN cookies are a technique used to mitigate the effects of SYN flood
attacks by choosing initial TCP sequence numbers (ISNs) that can be
verified cryptographically.  FreeBSD implements this technique in the
TCP stack (where it is referred to as `syncookies') by default.

II.  Problem Description

The FreeBSD syncookie implementation protects the generated ISN using
a MAC that is keyed on one of several internal secret keys which are
rotated periodically.  However, the keys are only 32 bits in length,
allowing brute force attacks on the secrets to be feasible.

III.  Impact

Once a syncookie key has been recovered, an attacker may construct
valid ISNs until the key is rotated (typically up to four seconds).
The ability to construct a valid ISN may be used to spoof a TCP
connection in exactly the same way as in the well-known ISN prediction
attacks (see `References').  Spoofing may allow an attacker to bypass
IP-based access control lists such as those implemented by
tcp_wrappers and many firewalls.  Similarly, SMTP and other
connections may be forged, increasing the difficulty of tracing
abusers.  Recovery of a syncookie key will also allow the attacker to
reset TCP connections initiated within the same 31.25ms window.

IV.  Workaround

syncookies may be disabled using the `net.inet.tcp.syncookies'
sysctl(8).  Execute the following command as root:

  # sysctl net.inet.tcp.syncookies=0

To disable syncookies at system startup time, add the following line
to sysctl.conf(5):

  net.inet.tcp.syncookies=0


V.   Solution

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7
(4.7-RELEASE-p6), RELENG_4_6 (4.6.2-RELEASE-p9), or RELENG_5_0
(5.0-RELEASE-p3) security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.6, 4.7, and
5.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html >
and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
src/sys/conf/newvers.sh
  RELENG_5_0                                                     1.48.2.4
  RELENG_4_7                                                1.44.2.26.2.8
  RELENG_4_6                                               1.44.2.23.2.26
src/sys/netinet/tcp_syncache.c
  RELENG_4                                                       1.5.2.13
  RELENG_5_0                                                     1.28.2.3
  RELENG_4_7                                                  1.5.2.8.2.1
  RELENG_4_6                                                  1.5.2.6.2.2
- -------------------------------------------------------------------------

VII. References

<URL: http://cr.yp.to/syncookies.html >
<URL: http://www.cert.org/advisories/CA-2001-09.html >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+Whc6FdaIBMps37IRAgP9AJ4npQ6fYrxATBWOx8AdlKA/03GsggCcC4Br
GBDcKjEcnHInChHZVuXYg58=
=LfP+
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message





Previous message sorted by date: FreeBSD Security Advisory FreeBSD-SA-03:02.openssl
Next message sorted by date: FreeBSD Security Advisory FreeBSD-SA-03:02.openssl [REVISED]
Previous message sorted by thread: FreeBSD Security Advisory FreeBSD-SA-03:02.openssl
Next message by thread: FreeBSD Security Advisory FreeBSD-SA-03:02.openssl [REVISED]
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jan 2004