oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Connected UDP sockets and kernel queuing (CVE-2014-6512)

From: Vitor Ventura <ventura.vitor () gmail com>
Date: Fri, 17 Oct 2014 17:28:56 +0100
Hello,

  I was thinking if this might open a door for a reflected amplification
attack. By your description this shouldn't be possible because the
application shouldn't be waiting for any packets after the close of he
socket, nevertheless a possible vector of attack seems to be open.
The attack vector could be achieved by the creation of a "connection" and
closure by a side channel and then exploit the time window created. These
side channels are common on gaming servers and streaming.

  I will try to test it.
Em 17/10/2014 16:03, "Florian Weimer" <fweimer () redhat com> escreveu:


I noticed a potential issue with connected UDP sockets and the kernel
kernel per-socket packet queue, potentially leading to IP spoofing
vulnerabilities in the sense that the application thinks the packet came
from host A, but it really came from host B:

  <https://bugzilla.redhat.com/show_bug.cgi?id=1071210>

OpenJDK is particularly exposed because DatagramSocket.disconnect() calls
connect(2) with AF_UNSPEC (or a NULL socket address on some systems) to
disconnect sockets, which is a rarely used feature of the BSD sockets API.
OpenJDK ensures that these disconnected sockets remain bound to a port, so
it was possible to enqueue packets whose source address will not be
checked, without even having a tight race to win.

We thought briefly about fixing this in the kernel, but thought better of
it because of backwards compatibility concerns (and we would have to patch
OpenJDK nevertheless).  The OpenJDK fix simply checks the source address of
incoming packets.  Oracle's fix has an optimization that drops this
additional filter after the maximum amount of pending packets has been
consumed from the socket; my patch moved the filter to native code instead
and applied it to every packet on a connected socket.  I think both
approaches are valid.

I'm sharing this with a wider audience because in theory, other UDP-based
services could be affected, although I didn't spot any when I looked at
this prior to disclosure.

--
Florian Weimer / Red Hat Product Security
Previous By Date Next
Previous By Thread Next

Current thread: