[FUGSPBR] syncookies

Anderson Montenegro dos Santos amsnetbr at yahoo.com.br
Wed Apr 17 18:06:46 BRT 2002


=============================================================================
FreeBSD-SA-02:20                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          syncache/syncookies denial of service

Category:       core
Module:         net
Announced:      2002-04-16
Credits:        Alan Judge
                Dima Ruban
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC
                FreeBSD 4.5-STABLE prior to the correction date
Corrected:      2002-02-20 16:48:49 UTC (RELENG_4)
                2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
FreeBSD only:   YES

I.   Background

The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are
features of the TCP/IP stack intended to improve resistance to a class
of denial of service attacks known as SYN floods.

II.  Problem Description

Two related problems with syncache were triggered when syncookies were
implemented.

1) When a SYN was accepted via a syncookie, it used an uninitialized
pointer to find the TCP options for the new socket.  This pointer may
be a null pointer, which will cause the machine to crash.

2) A syncache entry is created when a SYN arrives on a listen socket.
If the application which created the listen socket was killed and
restarted --- and therefore recreated the listen socket with a
different inpcb --- an ACK (or duplicate SYN) which later arrived and
matched the existing syncache entry would cause a reference to the old
inpcb pointer.  Depending on the pointer's contents, this might result
in a system crash.

Because syncache/syncookies support was added prior to the release of
FreeBSD 4.5-RELEASE, no other releases are affected.

III. Impact

Legitimate TCP/IP traffic may cause the machine to crash.

IV.  Workaround

The first issue described may be worked around by disabling syncookies
using sysctl.  Issue the following command as root:

  # sysctl -w net.inet.tcp.syncookies=0

However, there is no workaround for the second issue.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5
security branch dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc

This patch has been verified to apply to 4.5-RELEASE only.

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p
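Issue 2 of the advisory, modelled as an added example written for this archive page (it is neither FreeBSD's syncache code nor the SA-02:20 patch): a syncache entry records the listener's inpcb at SYN time, the daemon restarts with a different inpcb, and the completing ACK is handled either by the vulnerable raw-pointer path or by a checked path that re-resolves the listener by port and compares a generation number. The port table, inpcb pool, generation counter and peer id are assumptions of the model.

```c
#include <stdint.h>

#define NPORTS 8   /* constructed: tiny port space for the model */
#define NPCBS 16   /* constructed: pool of inpcb slots, never reused in a run */
/* Model of a listener's inpcb; a new generation is assigned on every (re)create. */
struct inpcb { uint32_t gen; int alive; };
static struct inpcb pool[NPCBS];
static int pool_next;
static struct inpcb *listeners[NPORTS];   /* port -> current listener, 0 if none */
static uint32_t next_gen = 1;
static void listen_open(int port) {
    struct inpcb *inp = &pool[pool_next++ % NPCBS];  /* restart gets a different inpcb */
    inp->gen = next_gen++; inp->alive = 1;
    listeners[port] = inp;
}
static void listen_close(int port) {
    listeners[port]->alive = 0;   /* in the real kernel this memory is freed */
    listeners[port] = 0;
}
/* Syncache entry created when a SYN arrives on the listener. */
struct sc_entry { struct inpcb *inp; uint32_t inp_gen; int port; uint32_t peer; };
static void syncache_add(struct sc_entry *sc, int port, uint32_t peer) {
    sc->inp = listeners[port]; sc->inp_gen = sc->inp->gen;
    sc->port = port; sc->peer = peer;
}
/* Vulnerable pattern (issue 2 of the advisory): the completing ACK trusts the
 * inpcb pointer saved at SYN time.  Returns 0 on success, -1 if no entry
 * matched, 1 if a dead listener's inpcb was used (the crash case). */
static int syncache_expand_unsafe(const struct sc_entry *sc, uint32_t peer) {
    if (sc->peer != peer) return -1;
    return sc->inp->alive ? 0 : 1;   /* stale pointer dereference */
}
/* Hardened model (an assumption, not FreeBSD's actual patch): re-resolve the
 * listener by port and require the same instance that accepted the SYN, else drop. */
static int syncache_expand_checked(const struct sc_entry *sc, uint32_t peer) {
    if (sc->peer != peer) return -1;
    struct inpcb *cur = listeners[sc->port];
    if (!cur || cur->gen != sc->inp_gen) return -1;  /* listener was restarted */
    return 0;
}
/* SYN arrives, optionally the daemon restarts, then the ACK arrives. */
static int run_scenario(int restart, int (*expand)(const struct sc_entry *, uint32_t)) {
    struct sc_entry sc;
    listen_open(2);                          /* constructed port index */
    syncache_add(&sc, 2, 0xC0A80001u);       /* constructed peer id */
    if (restart) { listen_close(2); listen_open(2); }
    return expand(&sc, 0xC0A80001u);
}
```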

Anderson Montenegro dos Santos
Linux, *BSD and *NIX consultant
email: amsnetbr at yahoo.com.br
       ams_consultoria at yahoo.com.br
Tel:+55021 98752174
Openbsd-->Four years without a remote hole in the default install!
www.openbsd.org

