[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-05-29 17:02:42
Message-ID: 4FC50132.30402 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/29/2012 06:17 AM, John Haxby wrote:
> On 03/02/12 10:37, Marcus Meissner wrote:
>> Hi,
>> 
>> After a customer query likely coming from erroneous Security
>> Scanner output,
>> 
>> this issue from 2002 has no CVE id yet as far as I see:
>> 
>> http://www.kb.cert.org/vuls/id/464113

Nope it lists one at the bottom:

Other Information
CVE IDs: CVE-2002-2438

>> It describes a problem where firewalls might let some TCP flags
>> combinations pass (e.g. all with RST flag set) and the OS (e.g.
>> Linux) stack would in turn accept a TCP session it might not have
>> accepted otherwise.
>> 
>> The protection added in Linux 2.4.20 is checking for the RST
>> (reset) flag when a SYN packet is received, which was I think the
>> main attack scenario.
>> 
>> The relevant part of the 2.4.20 patch is:
>> 
>> @@ -3667,6 +3693,9 @@ if(th->ack) return 1;
>> 
>> +               if(th->rst) +                       goto
>> discard; + if(th->syn) { if(tp->af_specific->conn_request(sk,
>> skb) < 0) return 1;
>> 
>> 
>> The check still exists in current mainline git, so the issue is
>> still fixed.
>> 
>> Ciao, Marcus
> 
> I suspect that this actually came from here:
> 
> http://www.nessus.org/plugins/index.php?view=single&id=11618
> 
> It's entirely possible that there's a typo in the web page because
> it talks about TCP+FIN but refers to web pages dealing with the
> much older TCP+RST.
> 
> There is actually a SYN+FIN discard fix in the mainline kernel
> which would appear to be a DoS ("Denys Fedoryshchenko reported that
> SYN+FIN attacks were bringing his linux machines to their limits.")
> should we have a CVE for this issue?  (I'll ask in a separate
> message if so.)
> 
> jch

Can you send a separate message and specific information? Thanks.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPxQEyAAoJEBYNRVNeJnmTfK8P/RANaD+snEuUWnGhAVH7x1s4
U5hqhYmOa+z4ZuEZqvtRFQscW3ftKYJcnxvw8x9QU2+mkRLqUL4Iu8xs5ThN1ORY
KoGzFJqaHZRfk1qh0mn6yI31+H3oCqCobX4Q/pq+BqEcXbn0czOfOvH6afW0emvJ
swPf5YP+9quD1CBHtBB2Hl8XGoD2ywPVyHlNkmo67rrbleam2Q6uP+ymDC6TGrve
BpdzaNK9bHMVUSu7dU4i7Wi03SsmyHlfvV4uZTSJtdY17lrMTLjYWtmyfoNB9PY1
c9TO2kz2MADX6ZvI6HFJhAO6rkMpKLyNXL6v9tHgwH7NhidqGX2EeuNTYGLaJ0aM
xXn+ipWTi7DKRc7ifeVh58JX2GcWm+LC++3aPUPmIUlMurnrqksZPGhuqR922VF2
Ab/s5kUVsC6xy2Y1995BcnnezJXUUj/XMW9olXEDzvG/249jZnsmREZbSO9HSU0u
gYudIlcfIdUgMsefhIzjNFenwslfXHlfcC7UlrFVb1URZiEKlhN+tAZ8QiClMg3c
K8QCeyN95DydCrCOPdy3nVLaMX9I18MjU76m9pwMSgA1e9MgACK/Mlbu0yEIFuGg
hLgGzKMp5GqnOg6oVzCSUiQC+KJa0cdljsgN54UHzHud6ZxBPU/KWo1BG3dkWtGN
woSkz1tu1AvBd5QbU7mt
=roya
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]