Message-ID: <20120203103706.GC3437@suse.de>
Date: Fri, 3 Feb 2012 11:37:06 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations

Hi,

After a customer query, likely coming from erroneous security scanner output,
this issue from 2002 has no CVE ID yet as far as I see:

http://www.kb.cert.org/vuls/id/464113

It describes a problem where firewalls might let some TCP flag combinations
pass (e.g. all with the RST flag set) and the OS (e.g. Linux) stack would in turn
accept a TCP session it might not have accepted otherwise.

The protection added in Linux 2.4.20 is checking for the RST (reset) flag
when a SYN packet is received, which was I think the main attack scenario.

The relevant part of the 2.4.20 patch is:

@@ -3667,6 +3693,9 @@
                if(th->ack)
                        return 1;

+               if(th->rst)
+                       goto discard;
+
                if(th->syn) {
                        if(tp->af_specific->conn_request(sk, skb) < 0)
                                return 1;
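Review bot: the new `if(th->rst) goto discard;` sits below the `if(th->ack) return 1;` test, which inverts the order RFC 793 gives for the LISTEN state (first check for an RST and ignore it, second check for an ACK and reply with a reset), so a segment carrying both ACK and RST is still answered with a reset here instead of being silently dropped; moving the RST test above the ACK test would match the RFC and avoid answering a reset with a reset. The check also covers only the RST bit, so a SYN carrying other unexpected bits (FIN, for instance) still reaches `conn_request` as before; the description of the change should say that SYN+RST is the only combination this hunk addresses. A one-line comment above the new check stating that an RST arriving in LISTEN is ignored per RFC 793 would help the next reader.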


The check still exists in current mainline git, so the issue is still fixed.

Ciao, Marcus
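The scenario in the mail, as an added example that is not part of the original post or of the kernel source: a constructed TCP header is built, run through a hypothetical stateless filter of the kind the mail describes (one that passes anything with ACK or RST set on the assumption it belongs to an existing connection), and then through the LISTEN-state flag checks as they read before and after the 2.4.20 patch. The pre/post functions mirror the quoted hunk; `V_RESET` standing in for `return 1` (the caller answers with a reset), `V_CONN_REQUEST` for the `conn_request` call and `V_DISCARD` for `goto discard` is this example's own modelling, and the filter rule, port numbers and flag layouts are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag bits as they sit in byte 13 of a TCP header (RFC 793 layout). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20

#define TCP_HDR_MIN 20

/* Outcome of the LISTEN-state checks for one segment. The mapping is this
 * example's assumption: V_RESET models "return 1" (caller sends a reset),
 * V_CONN_REQUEST models the conn_request() call, V_DISCARD "goto discard". */
enum verdict { V_DISCARD = 0, V_RESET = 1, V_CONN_REQUEST = 2 };

/* Write a constructed minimal TCP header (no options) into buf; returns its length. */
size_t build_tcp_header(uint8_t *buf, uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, TCP_HDR_MIN);
    buf[0] = (uint8_t)(sport >> 8); buf[1] = (uint8_t)(sport & 0xff);
    buf[2] = (uint8_t)(dport >> 8); buf[3] = (uint8_t)(dport & 0xff);
    /* bytes 4..11 (seq/ack numbers) stay zero; they play no role in flag handling */
    buf[12] = (uint8_t)((TCP_HDR_MIN / 4) << 4);  /* data offset = 5 words */
    buf[13] = flags;
    buf[14] = 0xff; buf[15] = 0xff;               /* window */
    return TCP_HDR_MIN;
}

/* Pull the flag byte out of a raw header, rejecting truncated headers and
 * data offsets that point past the buffer. Returns 0 on success, -1 on error. */
int tcp_get_flags(const uint8_t *hdr, size_t len, uint8_t *flags)
{
    if (len < TCP_HDR_MIN) return -1;
    size_t doff = (size_t)(hdr[12] >> 4) * 4;
    if (doff < TCP_HDR_MIN || doff > len) return -1;
    *flags = hdr[13];
    return 0;
}

/* Hypothetical stateless filter (constructed for this example): it treats any
 * segment with ACK or RST as part of an existing connection and lets it through,
 * blocking only bare SYNs from outside. A SYN+RST therefore slips past it. */
int naive_firewall_passes(uint8_t flags)
{
    return (flags & (TCP_ACK | TCP_RST)) != 0;
}

/* LISTEN-state handling as the quoted code read before 2.4.20: ACK, then SYN. */
enum verdict listen_state_pre_2_4_20(uint8_t flags)
{
    if (flags & TCP_ACK) return V_RESET;
    if (flags & TCP_SYN) return V_CONN_REQUEST;   /* a SYN+RST lands here */
    return V_DISCARD;
}

/* The same path with the 2.4.20 check: RST is discarded before SYN is looked at. */
enum verdict listen_state_post_2_4_20(uint8_t flags)
{
    if (flags & TCP_ACK) return V_RESET;
    if (flags & TCP_RST) return V_DISCARD;        /* the added check */
    if (flags & TCP_SYN) return V_CONN_REQUEST;
    return V_DISCARD;
}

/* Run one constructed segment through filter and both stack versions;
 * returns the post-patch verdict. */
enum verdict run_segment(uint8_t flags, const char *label)
{
    uint8_t buf[TCP_HDR_MIN];
    uint8_t f;
    size_t len = build_tcp_header(buf, 40000, 22, flags);
    if (tcp_get_flags(buf, len, &f) != 0) return V_DISCARD;
    enum verdict pre = listen_state_pre_2_4_20(f);
    enum verdict post = listen_state_post_2_4_20(f);
    printf("%-8s firewall=%-5s pre-2.4.20=%d post-2.4.20=%d\n",
           label, naive_firewall_passes(f) ? "pass" : "block", pre, post);
    return post;
}

int main(void)
{
    run_segment(TCP_SYN, "SYN");
    run_segment(TCP_SYN | TCP_RST, "SYN+RST");
    run_segment(TCP_ACK, "ACK");
    run_segment(TCP_RST, "RST");
    return 0;
}
```

The SYN+RST row is the one the mail is about: the filter passes it because RST is set, the pre-2.4.20 path hands it to `conn_request` because SYN is set, and the patched path discards it. Note that the post-patch function keeps the hunk's ordering, so ACK+RST still yields a reset rather than the silent discard RFC 793 prescribes for the LISTEN state.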
