Message-ID: <20140310161740.GG21728@suse.de>
Date: Mon, 10 Mar 2014 17:17:40 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request for Quick Blind TCP Connection Spoofing with SYN Cookies

Hi,

Did this issue:
http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/
ever get a CVE or should it get one?

At least some hardening measures have been implemented now:
http://thread.gmane.org/gmane.comp.security.oss.general/10875

Made "4 times" harder in 3.13 by these two patches:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906

commit 8c27bd75f04fb9cb70c69c3cfe24f4e6d8e15906
Author: Florian Westphal <fw@...len.de>
Date:   Fri Sep 20 22:32:55 2013 +0200

    tcp: syncookies: reduce cookie lifetime to 128 seconds

    We currently accept cookies that were created less than 4 minutes ago
    (ie, cookies with counter delta 0-3). Combined with the 8 mss table
    values, this yields 32 possible values (out of 2**32) that will be valid.

    Reducing the lifetime to < 2 minutes halves the guessing chance while
    still providing a large enough period.

    While at it, get rid of jiffies value -- they overflow too quickly on
    32 bit platforms.

    getnstimeofday is used to create a counter that increments every 64s.
    perf shows getnstimeofday cost is negligible compared to sha_transform;
    normal tcp initial sequence number generation uses getnstimeofday, too.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=086293542b991fb88a2e41ae7b4f82ac65a20e1a

commit 086293542b991fb88a2e41ae7b4f82ac65a20e1a
Author: Florian Westphal <fw@...len.de>
Date:   Fri Sep 20 22:32:56 2013 +0200

    tcp: syncookies: reduce mss table to four values

    Halve mss table size to make blind cookie guessing more difficult.
    This is sad since the tables were already small, but there
    is little alternative except perhaps adding more precise mss information
    in the tcp timestamp. Timestamps are unfortunately not ubiquitous.

    Guessing all possible cookie values still has 8-in-2**32 chance.

Ciao, Marcus
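Added example, not part of the original message and not kernel code: a simplified C model of a SYN cookie with an 8-bit time counter and a 24-bit field carrying the mss index, used to count how many cookie values a server accepts for one flow under the lifetime and mss-table sizes quoted in the two commit messages. The mixer, keys, flow values and function names are assumptions standing in for the kernel's keyed hash and connection state.

```c
#include <stdint.h>
#include <stdio.h>
#define KEY1 0x243f6a88u  /* constructed secrets; a real server uses random keys */
#define KEY2 0x85a308d3u

/* Stand-in keyed mixer (assumption); it replaces the kernel's keyed hash. */
static uint32_t mix(uint32_t flow, uint32_t count, uint32_t key)
{
    uint32_t h = flow ^ key ^ (count * 0x9e3779b9u);
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}

/* cookie = h1 + client ISN + (counter << 24) + ((h2(counter) + mss index) mod 2^24) */
static uint32_t make_cookie(uint32_t flow, uint32_t sseq, uint32_t count, uint32_t mssind)
{
    return mix(flow, 0, KEY1) + sseq + (count << 24) +
           ((mix(flow, count, KEY2) + mssind) & 0xffffff);
}

/* Returns the decoded mss index, or -1 if the cookie is too old or out of table. */
static int check_cookie(uint32_t cookie, uint32_t flow, uint32_t sseq,
                        uint32_t now, uint32_t max_age, uint32_t mss_entries)
{
    cookie -= mix(flow, 0, KEY1) + sseq;
    uint32_t age = (now - (cookie >> 24)) & 0xff;   /* counter delta */
    if (age >= max_age) return -1;                  /* lifetime check */
    uint32_t idx = (cookie - mix(flow, now - age, KEY2)) & 0xffffff;
    return idx < mss_entries ? (int)idx : -1;       /* mss table bound */
}

/* Count accepted cookies across all 256 counter bytes and mss indexes 0..255. */
static int count_accepted(uint32_t max_age, uint32_t mss_entries)
{
    const uint32_t flow = 0xc0a80001u, sseq = 1000, now = 21000000; /* constructed */
    int n = 0;
    for (uint32_t age = 0; age < 256; age++)
        for (uint32_t idx = 0; idx < 256; idx++)
            n += check_cookie(make_cookie(flow, sseq, now - age, idx),
                              flow, sseq, now, max_age, mss_entries) >= 0;
    return n;
}

int main(void)
{
    printf("delta 0-3, 8 mss values: %d accepted\n", count_accepted(4, 8));
    printf("delta 0-1, 4 mss values: %d accepted\n", count_accepted(2, 4));
}
```

In this model each 32-bit value decodes to exactly one (counter byte, 24-bit index) pair, so the accepted set per flow is the lifetime in counter ticks times the mss table size, which is why both patches shrink it.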