oss-sec mailing list archives

Re: CVE Request -- kernel: tcp: drop SYN+FIN messages

From: John Haxby <john.haxby () oracle com>
Date: Fri, 08 Jun 2012 09:35:13 +0100

On 07/06/12 19:37, Kurt Seifried wrote:

On 06/07/2012 01:31 AM, John Haxby wrote:

On 01/06/12 20:12, Kurt Seifried wrote:

In my limited testing with iptables on RHEL 6.2 it appears that
--state NEW works properly, and won't allow SYN+FIN to create
connections (I used hping3 and the SYN+FIN Packets were
blocked).

So the default ruleset:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT
-m state --state NEW -m tcp -p tcp --dport 22 -j DROP -A INPUT -j
REJECT --reject-with icmp-host-prohibited

should work, so you could do you clever --syn bits first and then
have that set to protect stuff from SYN+FIN.

What happens if you have "-j ACCEPT" instead of "-j DROP"?   I
would expect that sshd wouldn't see the connection but you would
get all the unpleasant side effects that made T/TCP deprecated.


Ooops yeah typo, that DROP should have been ACCEPT. So to summarize
properly:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

results in ICMP unreachable (the -F -S bypasses the "--dport 22 -j
ACCEPT" but gets caught in the final "icmp-host-prohibited" rule) with:

hping3 -c 3 -n -S -F -p 22 192.168.51.195

with:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited

with hping -F -S the packets bypass the "--dport 22 -j DROP" and get
caught by the icmp-host-prohibited

with hping -S the packets get caught by "the "--dport 22 -j DROP"" as
expected.

So basically --state new works fine and dandy.

jch


Good.   That makes the kernel change just hardening then.   If you're
not using iptables you're leaving yourself open to all kinds of abuse
anyway so I don't think we need a CVE for the kernel.

jch

Current thread:

Re: CVE Request -- kernel: tcp: drop SYN+FIN messages, (continued)
- - - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 30)
  - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (May 31)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 01)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 01)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 01)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 01)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 07)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Kurt Seifried (Jun 07)
    - Re: CVE Request -- kernel: tcp: drop SYN+FIN messages John Haxby (Jun 08)
- Re: CVE Request -- kernel: tcp: drop SYN+FIN messages Stefan Behte (Jun 02)