Message-ID: <4F2C1141.7020006@redhat.com>
Date: Fri, 03 Feb 2012 09:54:25 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request (2002): Linux TCP stack could accept
 invalid TCP flag combinations

On 02/03/2012 03:37 AM, Marcus Meissner wrote:
> Hi,
> 
> After a customer query likely coming from erroneous Security Scanner output,
> 
> this issue from 2002 has no CVE id yet as far as I see:
> 
> http://www.kb.cert.org/vuls/id/464113
> 
> It describes a problem where firewalls might let some TCP flag combinations
> pass (e.g. all with RST flag set) and the OS (e.g. Linux) stack would in turn
> accept a TCP session it might not have accepted otherwise.
> 
> The protection added in Linux 2.4.20 is checking for the RST (reset) flag
> when a SYN packet is received, which was I think the main attack scenario.
> 
> The relevant part of the 2.4.20 patch is:
> 
> @@ -3667,6 +3693,9 @@
>                 if(th->ack)
>                         return 1;
> 
> +               if(th->rst)
> +                       goto discard;
> +
>                 if(th->syn) {
>                         if(tp->af_specific->conn_request(sk, skb) < 0)
>                                 return 1;
> 
> 
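
Review bot: the new th->rst test sits below the existing th->ack test, so a segment carrying both ACK and RST still leaves through "return 1" instead of "goto discard". If every RST-flagged segment in this state is meant to be discarded, move the check above "if(th->ack)"; if the order is deliberate, a one-line comment above "if(th->rst)" should say why, and note that the check must stay ahead of the th->syn branch so a SYN+RST segment never reaches conn_request().
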
> The check still exists in current mainline git, so the issue is still fixed.
> 
> Ciao, Marcus

Nice, a cert KB with a picture, never seen that before.

Please use CVE-2002-2438 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
