oss-sec mailing list archives
Re: CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 29 May 2012 11:02:42 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/29/2012 06:17 AM, John Haxby wrote:
On 03/02/12 10:37, Marcus Meissner wrote:Hi, After a customer query likely coming from erroneous Security Scanner output, this issue from 2002 has no CVE id yet as far as I see: http://www.kb.cert.org/vuls/id/464113
Nope it lists one at the bottom: Other Information CVE IDs: CVE-2002-2438
It describes a problem where firewalls might let some TCP flags combinations pass (e.g. all with RST flag set) and the OS (e.g. Linux) stack would in turn accept a TCP session it might not have accepted otherwise. The protection added in Linux 2.4.20 is checking for the RST (reset) flag when a SYN packet is received, which was I think the main attack scenario. The relevant part of the 2.4.20 patch is: @@ -3667,6 +3693,9 @@ if(th->ack) return 1; + if(th->rst) + goto discard; + if(th->syn) { if(tp->af_specific->conn_request(sk, skb) < 0) return 1; The check still exists in current mainline git, so the issue is still fixed. Ciao, MarcusI suspect that this actually came from here: http://www.nessus.org/plugins/index.php?view=single&id=11618 It's entirely possible that there's a typo in the web page because it talks about TCP+FIN but refers to web pages dealing with the much older TCP+RST. There is actually a SYN+FIN discard fix in the mainline kernel which would appear to be a DoS ("Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his linux machines to their limits.") should we have a CVE for this issue? (I'll ask in a separate message if so.) jch
Can you send a separate message and specific information? Thanks. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPxQEyAAoJEBYNRVNeJnmTfK8P/RANaD+snEuUWnGhAVH7x1s4 U5hqhYmOa+z4ZuEZqvtRFQscW3ftKYJcnxvw8x9QU2+mkRLqUL4Iu8xs5ThN1ORY KoGzFJqaHZRfk1qh0mn6yI31+H3oCqCobX4Q/pq+BqEcXbn0czOfOvH6afW0emvJ swPf5YP+9quD1CBHtBB2Hl8XGoD2ywPVyHlNkmo67rrbleam2Q6uP+ymDC6TGrve BpdzaNK9bHMVUSu7dU4i7Wi03SsmyHlfvV4uZTSJtdY17lrMTLjYWtmyfoNB9PY1 c9TO2kz2MADX6ZvI6HFJhAO6rkMpKLyNXL6v9tHgwH7NhidqGX2EeuNTYGLaJ0aM xXn+ipWTi7DKRc7ifeVh58JX2GcWm+LC++3aPUPmIUlMurnrqksZPGhuqR922VF2 Ab/s5kUVsC6xy2Y1995BcnnezJXUUj/XMW9olXEDzvG/249jZnsmREZbSO9HSU0u gYudIlcfIdUgMsefhIzjNFenwslfXHlfcC7UlrFVb1URZiEKlhN+tAZ8QiClMg3c K8QCeyN95DydCrCOPdy3nVLaMX9I18MjU76m9pwMSgA1e9MgACK/Mlbu0yEIFuGg hLgGzKMp5GqnOg6oVzCSUiQC+KJa0cdljsgN54UHzHud6ZxBPU/KWo1BG3dkWtGN woSkz1tu1AvBd5QbU7mt =roya -----END PGP SIGNATURE-----
Current thread:
- Re: CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations John Haxby (May 29)
- Re: CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations Kurt Seifried (May 29)