Add SA-14:19.tcp.

svn path=/head/; revision=45614

share/security/advisories/FreeBSD-SA-14:19.tcp.asc

@@ -0,0 +1,147 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:19.tcp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Denial of Service in TCP packet processing
+
+Category:       core
+Module:         inet
+Announced:      2014-09-16
+Credits:        Jonathan Looney (Juniper SIRT)
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-09-16 09:48:35UTC (stable/10, 10.1-PRERELEASE)
+                2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1)
+                2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9)
+                2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE)
+                2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2)
+                2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12)
+                2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19)
+                2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE)
+                2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16)
+CVE Name:       CVE-2004-0230
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service.  New TCP connections are initiated using special SYN
+flag in a datagram.  Sequencing of data is controlled by 32-bit sequence
+numbers, that start with a random value and are increased using modulo
+2**32 arithmetic.  TCP endpoints maintain a window of expected, and
+thus allowed, sequence numbers for a connection.
+
+II.  Problem Description
+
+When a segment with the SYN flag for an already existing connection arrives,
+the TCP stack tears down the connection, bypassing a check that the
+sequence number in the segment is in the expected window.
+
+III. Impact
+
+An attacker who has the ability to spoof IP traffic can tear down a
+TCP connection by sending only 2 packets, if they know both TCP port
+numbers.  In case one of the two port numbers is unknown, a successful
+attack requires less than 2**17 packets spoofed, which can be
+generated within less than a second on a decent connection to the
+Internet.
+
+IV.  Workaround
+
+It is possible to defend against these attacks with stateful traffic
+inspection using a firewall.  This can be done by enabling pf(4) on
+the system and creating states for every connection.  Even a default
+ruleset to allow all traffic would be sufficient to mitigate this
+issue.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r271668
+releng/8.4/                                                       r271669
+stable/9/                                                         r271668
+releng/9.1/                                                       r271669
+releng/9.2/                                                       r271669
+releng/9.3/                                                       r271669
+stable/10/                                                        r271667
+releng/10.0/                                                      r271669
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:19.tcp.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUGAnEAAoJEO1n7NZdz2rnHEkP/0fVx7U6l/YKVWToejpCxMLa
+TS9ng0kN5GEkyYPTHbK3Pb5T2b4zhpDlhRVTDtwkP+00VXAGIAC6GiQl2QBAApgv
+68cla+TU+gh2I03XxIl+eWHu4EWaYa0v2vDqL0n/XNLvcZVD3R0CC+6HHUbKm46t
+dQg4olCdXdHkZleclvuYGjd+W8JfC17Xe3xshNKq7BV05XWqXrKoqxfxot8Cnxyx
+n4MePoiNYn13iO5OpEWf2J6BS1JJ1M/L0CAAKGcNitD8dYMdKNEfn6tpPXHNIWGH
+vUI0sD2rPRs3OWbK6Y3xmakCPK8MXjSyFNvJ2NkuU6dYdKBNHYswh46F9XP0cSDc
+K5wB36R/mx5ky05HBCpAjiGh2X67Y6QtQiBq5ESltodAp1Sl966fgLnNKyIgeHr5
+51QNCXDdc7S7pE9daA/uiIEZVKH8eKYGHP53zN/tiTDVWy7yTEBIW4lhJVkHIAAt
+VBvLB0efr47z6IZ92GshGKZawaPAOeuBrEtYDOdNNJeh+WhSPoE5MKfS6NiH/lRg
+DorewB9KbChCUhxMCH2Pj7AxTVoe3fjWtZYRo02OHMitTTJbExsyT33vTH1Sb2LT
+6lXBFFOvo5Uw8JJyykd+GXUcwe13hcroS+eqz/GE+9yReMrwd82qbiDM4VlTdVMq
+trAqOw2zRyBa7R6D2+4T
+=qjIZ
+-----END PGP SIGNATURE-----

share/security/patches/SA-14:19/tcp.patch

@@ -0,0 +1,17 @@
+Index: sys/netinet/tcp_input.c
+===================================================================
+--- sys/netinet/tcp_input.c	(revision 271383)
++++ sys/netinet/tcp_input.c	(working copy)
+@@ -2092,11 +2092,7 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th,
+ 
+ 	todrop = tp->rcv_nxt - th->th_seq;
+ 	if (todrop > 0) {
+-		/*
+-		 * If this is a duplicate SYN for our current connection,
+-		 * advance over it and pretend and it's not a SYN.
+-		 */
+-		if (thflags & TH_SYN && th->th_seq == tp->irs) {
++		if (thflags & TH_SYN) {
+ 			thflags &= ~TH_SYN;
+ 			th->th_seq++;
+ 			if (th->th_urp > 1)

share/security/patches/SA-14:19/tcp.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUGAnQAAoJEO1n7NZdz2rnMucQALHIm020vq4E+9LT+OhvMo2o
+cAAD5W+IK4yj39jKjqyMK3Elm6iKgPYhyAZrOGxHtoDnjWXfQrKWmZFsmTXNjbHy
+ramFwe6qglsZQ0mkKT36OJgVCK/vw1wUPO+CyyGD87n6XJ6uwmc7KOzWcrECuYun
+rXR6IjOjyevSWsX0N+e+qN2kmry1RYfqnsg7yaNKbjO4EDr3UoCbT2Hp+sTS60gF
+YnbKmCLhew0lcGXcbNmBitsj1jn/JwXnQsloKasUhkCBVBVuYs3i602FSb+szDe5
+C/KcUqETCMJleiqhf5YufkKcHtM5aQf/J9HIILmbzF8cEHRy0RPlxZrcHJIfHplu
+TJWehGl6jBWpxgWS0FEPoR0fGHaGIZy72rdclLcV4uMuyvOwdJMFXEsU22FCa3Mt
+w85RfsxHxxsDte8aHkyzMuN8OQVbG2RvfmfrMOCfCJvSc1QMUshkhCQgn5wj6y9z
+qc4cfK8ppt15F2x1AC2uscaNghdOD6yixE8JqOjpXArXIGjkkWLB9t6sgoUiOMbS
+jyaseaFisIdto0j7UJ9OnuUbDLxcQhgIk1JXNlu6Vwb4PitRKiL3Ix5CiYYB643k
+iPJGcHx8JblX/z+TE5X7WA/T4TlvphthZ6QKgVmW8TMcgqrBSazEo0EN7mHeCKLo
+VziBvb2zKWYjEa29uE5u
+=ZTBf
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -10,6 +10,14 @@
     <month>
       <name>9</name>
 
+      <day>
+	<name>16</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-14:19.tcp</name>
+	</advisory>
+      </day>
+
       <day>
 	<name>9</name>