Message-ID: <4FC7AE15.9050302@redhat.com>
Date: Thu, 31 May 2012 11:44:53 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: John Haxby <john.haxby@...cle.com>
Subject: Re: CVE Request -- kernel: tcp: drop SYN+FIN messages

On 05/30/2012 02:02 PM, Kurt Seifried wrote:
> On 05/30/2012 03:44 AM, John Haxby wrote:
>
>> Recently we have a couple of queries relating to a Nessus "TCP/IP
>> SYN+FIN Packet Filtering Weakness". This has not been helped
>> by the fact that [1] actually points (indirectly) to
>> CVE-2002-2438 which is actually a SYN+RST problem.
>
>> The Nessus script actually appears to detect this problem (also
>> described in [2]):
>
>> commit fdf5af0daf8019cec2396cdef8fb042d80fe71fa Author: Eric
>> Dumazet <eric.dumazet@...il.com> Date: Fri Dec 2 23:41:42 2011
>> +0000
>
>> tcp: drop SYN+FIN messages
>
>> Denys Fedoryshchenko reported that SYN+FIN attacks were bringing
>> his linux machines to their limits.
>
>> Dont call conn_request() if the TCP flags includes SYN flag
>
>> Reported-by: Denys Fedoryshchenko <denys@...p.net.lb>
>> Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
>> Signed-off-by: David S. Miller <davem@...emloft.net>
>
>> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index
>> 78dd38c..0cbb440 100644 --- a/net/ipv4/tcp_input.c +++
>> b/net/ipv4/tcp_input.c @@ -5811,6 +5811,8 @@ int
>> tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto
>> discard;
>
>> if (th->syn) { + if (th->fin) + goto
>> discard; if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
>> return 1;
>
>
>> References: [1]
>> http://www.nessus.org/plugins/index.php?view=single&id=11618 [2]
>> http://markmail.org/thread/l6y5vu3tub434z4w
>
> Please use CVE-2012-2663 for this issue.
>
> This is tracked by Red Hat as:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=826702

To clarify: CVE-2012-2663 is for the --syn processing flaw of SYN+FIN
packets in iptables (user space tools).

Also if people could test their firewalls to make sure this still
doesn't affect other operating systems that would probably be a good
idea.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
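
Review bot: the added `if (th->fin) goto discard;` inside the `if (th->syn)` branch of tcp_rcv_state_process() carries no comment, and the commit message describes the change as "if the TCP flags includes SYN flag" although the new test is on FIN within the SYN branch. Suggest a one-line comment above the check stating that a SYN which also carries FIN is dropped before conn_request() is called, and rewording the message to name the FIN flag. As far as these lines show the discard is silent, so it is worth considering whether a counter should be bumped on this path so that drops of this kind are visible when diagnosing the SYN+FIN load the report mentions.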
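
The clarification above, as an added example that is not part of the original message and is not kernel or iptables source: a small model of how `--syn` matching treats a SYN+FIN flag byte compared with the listening-socket check in the quoted hunk. All function names are hypothetical; it assumes a ruleset that drops whatever the modelled rules match, and the ACK/RST handling reflects the surrounding kernel code rather than the quoted lines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits (RFC 793). */
enum { FIN = 0x01, SYN = 0x02, RST = 0x04, ACK = 0x10 };

/* iptables "--tcp-flags <mask> <comp>": of the mask bits, exactly comp are set. */
static bool tcp_flags_match(uint8_t flags, uint8_t mask, uint8_t comp)
{
    return (flags & mask) == comp;
}

/* "--syn" is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN". */
static bool rule_syn(uint8_t flags)
{
    return tcp_flags_match(flags, SYN | RST | ACK | FIN, SYN);
}

/* Explicit match on the combination: "--tcp-flags SYN,FIN SYN,FIN". */
static bool rule_syn_fin(uint8_t flags)
{
    return tcp_flags_match(flags, SYN | FIN, SYN | FIN);
}

/* Simplified model of the listening-socket branch: true when conn_request()
 * would be called. ACK and RST are dealt with before the th->syn test in the
 * kernel source (not shown in the quoted hunk). */
static bool listener_calls_conn_request(uint8_t flags, bool patched)
{
    if ((flags & (ACK | RST)) || !(flags & SYN))
        return false;
    return !(patched && (flags & FIN));   /* patched: goto discard */
}

/* Gap: the packet escapes every drop rule yet still reaches conn_request(). */
static bool gap(uint8_t flags, bool patched, bool with_syn_fin_rule)
{
    bool dropped = rule_syn(flags) || (with_syn_fin_rule && rule_syn_fin(flags));
    return !dropped && listener_calls_conn_request(flags, patched);
}

int main(void)
{
    uint8_t pkt = SYN | FIN;              /* constructed sample flag byte */
    printf("--syn rule only, unpatched kernel: gap=%d\n", gap(pkt, false, false));
    printf("--syn rule only, patched kernel:   gap=%d\n", gap(pkt, true, false));
    printf("added SYN,FIN rule, unpatched:     gap=%d\n", gap(pkt, false, true));
    return 0;
}
```

Either the kernel-side check or an explicit rule for the SYN,FIN combination closes the gap in this model; a ruleset that relies on `--syn` alone does not.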