Date: Wed, 12 Mar 2014 11:03:41 -0400 (EDT)
Subject: Re: CVE Request for Quick Blind TCP Connection Spoofing with SYN Cookies

> Did this issue:
> ever get a CVE or should it get one?

There are no CVE assignments specific to that report, but
CVE-1999-0077 is related.

> Made "4 times" harder in 3.13 by these two patches:

This may be best interpreted as a security-hardening step that was
made as a tradeoff against other possible functionality goals. Those
types of issues typically don't have CVE assignments. It's not, for
example, a case of the Linux kernel security team announcing this as a
vulnerability fix. (We're not suggesting that the Linux kernel
security team needs to change anything about announcement approaches.)

One of the side issues is:

  This patch slows down the timer used in syncookies from 1/60 Hz to 1/60/4 Hz
  so that at any moment only two different timer values can be accepted.

  This changes the maximum cookie age limit from 4 - 5 minutes to 4 - 8 minutes.

but the actual accepted patch was:

  tcp: syncookies: reduce cookie lifetime to 128 seconds

If we understand this correctly, this is a direct tradeoff against
usability on slow network connections, possibly including connections
to the moon or Mars. Admittedly a different protocol or other tuning
might be needed for successful network sessions to Mars; the point is
that the patch is a behavior change that may often make spoofing more
costly, but is not really a "fix for a vulnerability." The blog post
suggests that even the patched code could realistically allow a
successful spoof within much less than an hour.

suggests other tradeoffs in other parts of the 3.13 changes, e.g.,

  Some services are secure enough at application level and don't
  care at all about TCP connection spoofing. These can use the
  sysctl to revert back to the MSS table we have now (or anything
  that better serves their traffic).

  Other services are not so secure and some MSS values can be
  sacrificed to mitigate the risk. With a smaller MSS table, tuning
  the values for specific traffic may make even more sense.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]