oss-sec mailing list archives
Re: CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations
From: John Haxby <john.haxby () oracle com>
Date: Tue, 29 May 2012 13:17:52 +0100
On 03/02/12 10:37, Marcus Meissner wrote:
Hi,

After a customer query likely coming from erroneous Security Scanner output, this issue from 2002 has no CVE id yet as far as I see:

http://www.kb.cert.org/vuls/id/464113

It describes a problem where firewalls might let some TCP flag combinations pass (e.g. all with RST flag set) and the OS (e.g. Linux) stack would in turn accept a TCP session it might not have accepted otherwise.

The protection added in Linux 2.4.20 is checking for the RST (reset) flag when a SYN packet is received, which was I think the main attack scenario.

The relevant part of the 2.4.20 patch is:

@@ -3667,6 +3693,9 @@ if(th->ack) return 1; + if(th->rst) + goto discard; + if(th->syn) { if(tp->af_specific->conn_request(sk, skb) < 0) return 1;

The check still exists in current mainline git, so the issue is still fixed.

Ciao, Marcus
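Review bot: the added `if(th->rst) goto discard;` sits after the existing `if(th->ack) return 1;`, so a segment carrying both ACK and RST still takes the reset-sending path instead of being dropped; RFC 793's LISTEN-state processing checks for RST first ("an incoming RST should be ignored") and only then for ACK, so consider moving the RST test above the ACK test so that any RST-bearing segment is discarded regardless of its other flags. As written the hunk does close the SYN+RST case the thread is about, since that segment now reaches `goto discard` before `conn_request` is called.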
I suspect that this actually came from here:

http://www.nessus.org/plugins/index.php?view=single&id=11618

It's entirely possible that there's a typo in the web page because it talks about TCP+FIN but refers to web pages dealing with the much older TCP+RST.

There is actually a SYN+FIN discard fix in the mainline kernel which would appear to be a DoS ("Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his linux machines to their limits.") Should we have a CVE for this issue? (I'll ask in a separate message if so.)

jch
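Added example, not code from the thread or from the kernel: the LISTEN-state flag checks in the order the quoted hunk applies them, with a switch that reproduces the pre-2.4.20 behaviour for comparison, next to a firewall-side validity check covering the SYN+RST and SYN+FIN combinations the thread mentions. The enum names, the with_rst_check switch and the firewall policy list are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in the header's flags byte. */
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04,
       TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };

enum disposition { DISCARD = 0, SEND_RESET = 1, CONN_REQUEST = 2 };

/* LISTEN-state handling in the order the quoted hunk checks the flags:
 * ACK first (answer with a reset), then RST (drop silently; the check
 * 2.4.20 added), then SYN (hand to conn_request). Passing
 * with_rst_check = 0 reproduces the pre-2.4.20 behaviour for comparison. */
enum disposition listen_disposition(uint8_t flags, int with_rst_check)
{
    if (flags & TCP_ACK)
        return SEND_RESET;
    if (with_rst_check && (flags & TCP_RST))
        return DISCARD;
    if (flags & TCP_SYN)
        return CONN_REQUEST;
    return DISCARD;
}

/* Firewall-side check for combinations that never occur in a valid exchange.
 * The list is an assumed policy; SYN+RST and SYN+FIN are the two the thread
 * discusses. Returns 1 when the combination is invalid. */
int invalid_flag_combination(uint8_t flags)
{
    uint8_t f = flags & 0x3f;                    /* ignore ECE/CWR bits */
    if (f == 0)                          return 1; /* no flags at all */
    if ((f & TCP_SYN) && (f & TCP_FIN))  return 1; /* SYN+FIN */
    if ((f & TCP_SYN) && (f & TCP_RST))  return 1; /* SYN+RST */
    if ((f & TCP_FIN) && !(f & TCP_ACK)) return 1; /* FIN without ACK */
    return 0;
}

int main(void)
{
    /* Constructed sample segments: SYN, SYN+RST, SYN+FIN, SYN+ACK, FIN+ACK. */
    const uint8_t samples[] = { TCP_SYN, TCP_SYN | TCP_RST, TCP_SYN | TCP_FIN,
                                TCP_SYN | TCP_ACK, TCP_FIN | TCP_ACK };
    const char *names[] = { "DISCARD", "SEND_RESET", "CONN_REQUEST" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%02x firewall_invalid=%d pre2420=%s post2420=%s\n",
               samples[i], invalid_flag_combination(samples[i]),
               names[listen_disposition(samples[i], 0)],
               names[listen_disposition(samples[i], 1)]);
    return 0;
}
```

The SYN+RST row shows the difference the hunk makes: before 2.4.20 it reaches conn_request, afterwards it is discarded.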