Re: CVE Request -- kernel: tcp: drop SYN+FIN messages

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/30/2012 02:02 PM, Kurt Seifried wrote:
> On 05/30/2012 03:44 AM, John Haxby wrote:
>
> > Recently we have a couple of queries relating to a Nessus "TCP/IP
> >  SYN+FIN Packet Filtering Weakness".   This has not been helped
> > by the fact that [1] actually points (indrectly) to
> > CVE-2002-2438 which is actually a SYN+RST problem.
>
> > The Nessus script actually appears to detect this problem (also 
> > described in [2]):
>
> > commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa Author: Eric 
> > Dumazet <eric.dumazet () gmail com> Date:   Fri Dec 2 23:41:42 2011 
> > +0000
>
> > tcp: drop SYN+FIN messages
>
> > Denys Fedoryshchenko reported that SYN+FIN attacks were bringing 
> > his linux machines to their limits.
>
> > Dont call conn_request() if the TCP flags includes SYN flag
>
> > Reported-by: Denys Fedoryshchenko <denys () visp net lb> 
> > Signed-off-by: Eric Dumazet <eric.dumazet () gmail com>
> > Signed-off-by: David S. Miller <davem () davemloft net>
>
> > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 
> > 78dd38c..0cbb440 100644 --- a/net/ipv4/tcp_input.c +++ 
> > b/net/ipv4/tcp_input.c @@ -5811,6 +5811,8 @@ int 
> > tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto 
> > discard;
>
> > if (th->syn) { +            if (th->fin) +                goto 
> > discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
> > return 1;
>
>
> > References: [1] 
> > http://www.nessus.org/plugins/index.php?view=single&id=11618 [2] 
> > http://markmail.org/thread/l6y5vu3tub434z4w
>
> Please use CVE-2012-2663 for this issue.
>
> This is tracked by Red Hat as:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=826702

To clarify: CVE-2012-2663 is for the --syn processing flaw of SYN+FIN
packets in iptables (user space tools). c
Also if people could test their firewalls to make sure this still
doesn't affect other operating systems that would probably be a good idea.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIbBAEBAgAGBQJPx64VAAoJEBYNRVNeJnmTw14P91Gh46mkb+TJN9QiINhYXBMG
Iv/QTd8p3KDWQCYyqD77YEWvS4fSkkKjtoPNgDBirzzsh9lMhd5NsdGfHMvra1V0
P/ce4UgjH89Iqh+FqpZXQVA921BIQ3DPQbZF+ByH/9zisGBVrpu1OjKhFWD7vnFw
ueBjv2qmrtQ3T9i54MsWnDRufJhl3f6v3VJxPvTzvAwR1NTW3kmT0QhxiSZH+Fif
WOdpKF6A1xjQwesOHhopi3U4A+LF6v8VWuqignmd7CY2rSiGfE3CEEu+6kdCmC91
UG72SeG0lBxumraC+wUhgKRppgW+lQbF7QSJ9yixZKQQf6jF+H5fiwigX+Y4FbJu
xbSiePyEanSPnDPPF+nNa+hobKieQtiCqsv1ureMgrKFJZWPANW3Qk2Fs1NbHgOi
tOSVsHqD7eooev1TdruvLB2ve130AGQOyIe96vYNWVeUB40GRlXWyVf1rFiDLilb
fag2aS+K/G3YdjO4WXO9FtQNXsF+jQB2uAAPxhRZl5vu6LJBc+UVtLDGSNARDwAI
K2n6mn+oGPqvpSQk0fhEx/1VjPaYNp3yQHJuwJPOapWdW2ZXpycfRubj5kfuac4b
61Edj5fGEq4GcykdRSbSYyQUE4BAZTjHriPhSXRXmS7sylBePk2VFBUGf70jVqrl
6q01VsPA6gYc8cOnlmM=
=12Jg
-----END PGP SIGNATURE-----