-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:20 Security Advisory FreeBSD, Inc. Topic: syncache/syncookies denial of service Category: core Module: net Announced: 2002-04-16 Credits: Alan Judge Dima Ruban Affects: FreeBSD 4.5-RELEASE FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC FreeBSD 4.5-STABLE prior to the correction date Corrected: 2002-02-20 16:48:49 UTC (RELENG_4) 2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1) FreeBSD only: YES I. Background The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are features of the TCP/IP stack intended to improve resistance to a class of denial of service attacks known as SYN floods. II. Problem Description Two related problems with syncache were triggered when syncookies were implemented. 1) When a SYN was accepted via a syncookie, it used an uninitialized pointer to find the TCP options for the new socket. This pointer may be a null pointer, which will cause the machine to crash. 2) A syncache entry is created when a SYN arrives on a listen socket. If the application which created the listen socket was killed and restarted --- and therefore recreated the listen socket with a different inpcb --- an ACK (or duplicate SYN) which later arrived and matched the existing syncache entry would cause a reference to the old inpcb pointer. Depending on the pointer's contents, this might result in a system crash. Because syncache/syncookies support was added prior to the release of FreeBSD 4.5-RELEASE, no other releases are affected. III. Impact Legitimate TCP/IP traffic may cause the machine to crash. IV. Workaround The first issue described may be worked around by disabling syncookies using sysctl. Issue the following command as root: # sysctl -w net.inet.tcp.syncookies=0 However, there is no workaround for the second issue. V. Solution 1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5 security branch dated after the respective correction dates. 2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc This patch has been verified to apply to 4.5-RELEASE only. Verify the detached PGP signature using your PGP utility. Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection. Path Revision Branch - ------------------------------------------------------------------------- src/sys/conf/newvers.sh RELENG_4_5 1.44.2.20.2.2 src/sys/netinet/tcp_syncache.c RELENG_4 1.5.2.5 RELENG_4_5 1.5.2.4.2.1 - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPLw9nVUuHi5z0oilAQFwpAP9EJludFfmQfMWU4supMdZ1K//qeqgtJVn XrEX3TZjqOxRSnlzUUibbO2agnW7yCd8i2Qq0/3KyvMrcS4qSLmcvhQPsZxc26Bx Xakz3uvCRIA0XlpJAd/HirsdPHQ94q0JMdnx6C1kW+EMQzM/0KKLpVNsdnFopy0m mtPNSZRYgHk= =9qwI -----END PGP SIGNATURE-----