[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- kernel: tcp: drop SYN+FIN messages
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-05-31 17:44:53
Message-ID: 4FC7AE15.9050302 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/30/2012 02:02 PM, Kurt Seifried wrote:
> On 05/30/2012 03:44 AM, John Haxby wrote:
> 
>> Recently we have a couple of queries relating to a Nessus "TCP/IP
>>  SYN+FIN Packet Filtering Weakness".   This has not been helped
>> by the fact that [1] actually points (indrectly) to
>> CVE-2002-2438 which is actually a SYN+RST problem.
> 
>> The Nessus script actually appears to detect this problem (also 
>> described in [2]):
> 
>> commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa Author: Eric 
>> Dumazet <eric.dumazet@gmail.com> Date:   Fri Dec 2 23:41:42 2011 
>> +0000
> 
>> tcp: drop SYN+FIN messages
> 
>> Denys Fedoryshchenko reported that SYN+FIN attacks were bringing 
>> his linux machines to their limits.
> 
>> Dont call conn_request() if the TCP flags includes SYN flag
> 
>> Reported-by: Denys Fedoryshchenko <denys@visp.net.lb> 
>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
>> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 
>> 78dd38c..0cbb440 100644 --- a/net/ipv4/tcp_input.c +++ 
>> b/net/ipv4/tcp_input.c @@ -5811,6 +5811,8 @@ int 
>> tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto 
>> discard;
> 
>> if (th->syn) { +            if (th->fin) +                goto 
>> discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
>> return 1;
> 
> 
>> References: [1] 
>> http://www.nessus.org/plugins/index.php?view=single&id=11618 [2] 
>> http://markmail.org/thread/l6y5vu3tub434z4w
> 
> Please use CVE-2012-2663 for this issue.
> 
> This is tracked by Red Hat as:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=826702

To clarify: CVE-2012-2663 is for the --syn processing flaw of SYN+FIN
packets in iptables (user space tools). c
Also if people could test their firewalls to make sure this still
doesn't affect other operating systems that would probably be a good idea.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIbBAEBAgAGBQJPx64VAAoJEBYNRVNeJnmTw14P91Gh46mkb+TJN9QiINhYXBMG
Iv/QTd8p3KDWQCYyqD77YEWvS4fSkkKjtoPNgDBirzzsh9lMhd5NsdGfHMvra1V0
P/ce4UgjH89Iqh+FqpZXQVA921BIQ3DPQbZF+ByH/9zisGBVrpu1OjKhFWD7vnFw
ueBjv2qmrtQ3T9i54MsWnDRufJhl3f6v3VJxPvTzvAwR1NTW3kmT0QhxiSZH+Fif
WOdpKF6A1xjQwesOHhopi3U4A+LF6v8VWuqignmd7CY2rSiGfE3CEEu+6kdCmC91
UG72SeG0lBxumraC+wUhgKRppgW+lQbF7QSJ9yixZKQQf6jF+H5fiwigX+Y4FbJu
xbSiePyEanSPnDPPF+nNa+hobKieQtiCqsv1ureMgrKFJZWPANW3Qk2Fs1NbHgOi
tOSVsHqD7eooev1TdruvLB2ve130AGQOyIe96vYNWVeUB40GRlXWyVf1rFiDLilb
fag2aS+K/G3YdjO4WXO9FtQNXsF+jQB2uAAPxhRZl5vu6LJBc+UVtLDGSNARDwAI
K2n6mn+oGPqvpSQk0fhEx/1VjPaYNp3yQHJuwJPOapWdW2ZXpycfRubj5kfuac4b
61Edj5fGEq4GcykdRSbSYyQUE4BAZTjHriPhSXRXmS7sylBePk2VFBUGf70jVqrl
6q01VsPA6gYc8cOnlmM=
=12Jg
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]