[FUGSPBR] ALERTA do CAIS - Como Atualizar ?
Ivan Carlos Ricci
ricci em process.com.br
Qui Abr 18 12:21:32 BRT 2002
Prezados amigos,
Recebemos o alerta do CAIS sobre vunerabilidades no FBSD 4.5 RELEASE.
Como faço p/ atualizar meu sistema p/ a versão 4.5 STABLE?
Neste alerta(abaixo) mostra também a atualização dos patchs necessários, não
estou conseguindo fazê-lo.
Alguém poderia nos ajudar ?
[]s
Ivan Carlos Ricci - Webmaster
ivan em process.com.br
Process / Net Site
Fone: (16) 282-7949
Fax: (16) 282-5304
FreeBSD - The Power of Server
-----------Mensagem do CAIS ------------
Prezados,
O CAIS esta' repassando o alerta divulgado pelo FreeBSD, Inc.,
FreeBSD-SA-02:20 Security Advisory, Syncache/Syncookies denial of service,
que trata de uma falha na implementacao do SYNCACHE/SYNCOOKIES. Devido a
essa falha, trafego TCP/IP legitimo pode afetar o funcionamento do sistema
operacional, deixando-o inoperante.
Sistemas afetados:
.. FreeBSD 4.5-RELEASE
.. FreeBSD 4.4-STABLE apos 14/12/2001 19:53:01 UTC
.. FreeBSD 4.5-STABLE anterior a data de correcao.
A correcao para tais falhas foi disponibilizada em 20/02/2002 16:48:39 UTC
(RELENG_4), 21/02/2002 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
Workaround:
Existe uma maneira de contornar o problema identificado no syncookies,
desabilitando-o usando sysctl, como root:
# sysctl -w net.inet.tcp.syncookies=0
Correcoes Disponiveis:
(1) Faca o upgrade do sistema vulneravel para 4.5-STABLE ou linhagem
RELENG_4_5 apos a data de correcao.
(2) Aplique o patch no seu sistema. Faca o download correspondente a
partir de:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc
E' importante lembrar que o patch e' aplicavel apenas em sistemas
FreeBSD-4.5-RELEASE.
O CAIS recomenda fortemente aos administradores de sistemas FreeBSD que
atualizem seus sistemas urgentemente.
Atenciosamente,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel em: http://www.cais.rnp.br/cais-pgp.key #
################################################################
============================================================================
=
FreeBSD-SA-02:20 Security
Advisory
FreeBSD, Inc.
Topic: syncache/syncookies denial of service
Category: core
Module: net
Announced: 2002-04-16
Credits: Alan Judge <Alan.Judge em eircom.net>
Dima Ruban <dima em FreeBSD.org>
Affects: FreeBSD 4.5-RELEASE
FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC
FreeBSD 4.5-STABLE prior to the correction date
Corrected: 2002-02-20 16:48:49 UTC (RELENG_4)
2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
FreeBSD only: YES
I. Background
The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are
features of the TCP/IP stack intended to improve resistance to a class
of denial of service attacks known as SYN floods.
II. Problem Description
Two related problems with syncache were triggered when syncookies were
implemented.
1) When a SYN was accepted via a syncookie, it used an uninitialized
pointer to find the TCP options for the new socket. This pointer may
be a null pointer, which will cause the machine to crash.
2) A syncache entry is created when a SYN arrives on a listen socket.
If the application which created the listen socket was killed and
restarted --- and therefore recreated the listen socket with a
different inpcb --- an ACK (or duplicate SYN) which later arrived and
matched the existing syncache entry would cause a reference to the old
inpcb pointer. Depending on the pointer's contents, this might result
in a system crash.
Because syncache/syncookies support was added prior to the release of
FreeBSD 4.5-RELEASE, no other releases are affected.
III. Impact
Legitimate TCP/IP traffic may cause the machine to crash.
IV. Workaround
The first issue described may be worked around by disabling syncookies
using sysctl. Issue the following command as root:
# sysctl -w net.inet.tcp.syncookies=0
However, there is no workaround for the second issue.
V. Solution
1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5
security branch dated after the respective correction dates.
2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc
This patch has been verified to apply to 4.5-RELEASE only.
Verify the detached PGP signature using your PGP utility.
Execute the following commands as root:
# cd /usr/src
# patch -p < /path/to/patch
Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
Path Revision
Branch
-------------------------------------------------------------------------
src/sys/conf/newvers.sh
RELENG_4_5 1.44.2.20.2.2
src/sys/netinet/tcp_syncache.c
RELENG_4 1.5.2.5
RELENG_4_5 1.5.2.4.2.1
-------------------------------------------------------------------------
VII. References
<URL:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=34658>
----
Para sair da lista envie um e-mail para majordomo em fugspbr.org
com as palavras "unsubscribe fugspbr" no corpo da mensagem.
Mais detalhes sobre a lista de discussão freebsd