[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request -- kernel: tcp: drop SYN+FIN messages
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2012-05-31 17:44:53
Message-ID: 4FC7AE15.9050302 () redhat ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/30/2012 02:02 PM, Kurt Seifried wrote:
> On 05/30/2012 03:44 AM, John Haxby wrote:
>
>> Recently we have a couple of queries relating to a Nessus "TCP/IP
>> SYN+FIN Packet Filtering Weakness". This has not been helped
>> by the fact that [1] actually points (indrectly) to
>> CVE-2002-2438 which is actually a SYN+RST problem.
>
>> The Nessus script actually appears to detect this problem (also
>> described in [2]):
>
>> commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa Author: Eric
>> Dumazet <eric.dumazet@gmail.com> Date: Fri Dec 2 23:41:42 2011
>> +0000
>
>> tcp: drop SYN+FIN messages
>
>> Denys Fedoryshchenko reported that SYN+FIN attacks were bringing
>> his linux machines to their limits.
>
>> Dont call conn_request() if the TCP flags includes SYN flag
>
>> Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
>
>> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index
>> 78dd38c..0cbb440 100644 --- a/net/ipv4/tcp_input.c +++
>> b/net/ipv4/tcp_input.c @@ -5811,6 +5811,8 @@ int
>> tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto
>> discard;
>
>> if (th->syn) { + if (th->fin) + goto
>> discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
>> return 1;
>
>
>> References: [1]
>> http://www.nessus.org/plugins/index.php?view=single&id=11618 [2]
>> http://markmail.org/thread/l6y5vu3tub434z4w
>
> Please use CVE-2012-2663 for this issue.
>
> This is tracked by Red Hat as:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=826702
To clarify: CVE-2012-2663 is for the --syn processing flaw of SYN+FIN
packets in iptables (user space tools). c
Also if people could test their firewalls to make sure this still
doesn't affect other operating systems that would probably be a good idea.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIbBAEBAgAGBQJPx64VAAoJEBYNRVNeJnmTw14P91Gh46mkb+TJN9QiINhYXBMG
Iv/QTd8p3KDWQCYyqD77YEWvS4fSkkKjtoPNgDBirzzsh9lMhd5NsdGfHMvra1V0
P/ce4UgjH89Iqh+FqpZXQVA921BIQ3DPQbZF+ByH/9zisGBVrpu1OjKhFWD7vnFw
ueBjv2qmrtQ3T9i54MsWnDRufJhl3f6v3VJxPvTzvAwR1NTW3kmT0QhxiSZH+Fif
WOdpKF6A1xjQwesOHhopi3U4A+LF6v8VWuqignmd7CY2rSiGfE3CEEu+6kdCmC91
UG72SeG0lBxumraC+wUhgKRppgW+lQbF7QSJ9yixZKQQf6jF+H5fiwigX+Y4FbJu
xbSiePyEanSPnDPPF+nNa+hobKieQtiCqsv1ureMgrKFJZWPANW3Qk2Fs1NbHgOi
tOSVsHqD7eooev1TdruvLB2ve130AGQOyIe96vYNWVeUB40GRlXWyVf1rFiDLilb
fag2aS+K/G3YdjO4WXO9FtQNXsF+jQB2uAAPxhRZl5vu6LJBc+UVtLDGSNARDwAI
K2n6mn+oGPqvpSQk0fhEx/1VjPaYNp3yQHJuwJPOapWdW2ZXpycfRubj5kfuac4b
61Edj5fGEq4GcykdRSbSYyQUE4BAZTjHriPhSXRXmS7sylBePk2VFBUGf70jVqrl
6q01VsPA6gYc8cOnlmM=
=12Jg
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic