187 lines
7.1 KiB
Text
187 lines
7.1 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-18:08.tcp Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Resource exhaustion in TCP reassembly
|
|
|
|
Category: core
|
|
Module: inet
|
|
Announced: 2018-08-06
|
|
Credits: Juha-Matti Tilli <juha-matti.tilli@iki.fi> from
|
|
Aalto University, Department of Communications and Networking
|
|
and Nokia Bell Labs
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
|
|
2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
|
|
2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
|
|
2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
|
|
2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
|
|
CVE Name: CVE-2018-6922
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
|
|
0. Revision history
|
|
|
|
v1.0 2018-08-06 Initial release.
|
|
v1.1 2018-08-14 Fixed documentation date in manual pages.
|
|
|
|
I. Background
|
|
|
|
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
|
|
provides a connection-oriented, reliable, sequence-preserving data
|
|
stream service.
|
|
|
|
To transmit a stream of data, TCP breaks the data stream into segments
|
|
for transmission through the Internet, and reassembles the segments at
|
|
the receiving side to recreate the data stream.
|
|
|
|
II. Problem Description
|
|
|
|
One of the data structures that holds TCP segments uses an inefficient
|
|
algorithm to reassemble the data. This causes the CPU time spent on
|
|
segment processing to grow linearly with the number of segments in the
|
|
reassembly queue.
|
|
|
|
III. Impact
|
|
|
|
An attacker who has the ability to send TCP traffic to a victim system
|
|
can degrade the victim system's network performance and/or consume
|
|
excessive CPU by exploiting the inefficiency of TCP reassembly
|
|
handling, with relatively small bandwidth cost.
|
|
|
|
IV. Workaround
|
|
|
|
As a workaround, system administrators should configure their systems
|
|
to only accept TCP connections from trusted end-stations, if it is
|
|
possible to do so.
|
|
|
|
For systems which must accept TCP connections from untrusted
|
|
end-stations, the workaround is to limit the size of each reassembly
|
|
queue. The capability to do that is added by the patches noted in the
|
|
"Solution" section below.
|
|
|
|
V. Solution
|
|
|
|
As a temporary solution to this problem, these patches limit the size
|
|
of each TCP connection's reassembly queue. The value is controlled by
|
|
a sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum
|
|
number of TCP segments that can be outstanding on a session's
|
|
reassembly queue. This value defaults to 100.
|
|
|
|
Note that setting this value too low could impact the throughput of
|
|
TCP connections which experience significant loss or
|
|
reordering. However, the higher this number is set, the more resources
|
|
can be consumed on TCP reassembly processing.
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 10.4]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
|
|
# gpg --verify tcp-10.patch.asc
|
|
|
|
[FreeBSD 11.x]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
|
|
# gpg --verify tcp-11.patch.asc
|
|
|
|
[*** v1.1 NOTE ***] Patchsets are provided for completeness, it have
|
|
little impact to runtime behavior.
|
|
|
|
[FreeBSD 10.4]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
|
|
# gpg --verify tcp-man-10.patch.asc
|
|
|
|
[FreeBSD 11.x]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
|
|
# gpg --verify tcp-man-11.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r337392
|
|
releng/10.4/ r337832
|
|
stable/11/ r337391
|
|
releng/11.1/ r337828
|
|
releng/11.2/ r337828
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6922>
|
|
|
|
<URL:https://www.kb.cert.org/vuls/id/962459>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:08.tcp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.2.9 (FreeBSD)
|
|
|
|
iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAltztakACgkQ05eS9J6n
|
|
5cLN1A//XMCorSih94rs9zvkRPj8g3eN4es5QD9QzI9IwLlfK8DTvtMM9XUKsNT2
|
|
vxgJK8Mnl6N5NddRyiV8o0CioRQF+cmN4cnMhf0LRN6Rv0PqWpsbuuRdWgVtm/aV
|
|
yHNEvnY32RbaZ6YQWmAhG9b+7JztWCpv2MawIaIdy6QFWmHV50ElDj5k1QBHauDd
|
|
2+P3u3+ohbXNMAZGQjIMQwxIgU7BRTVKASa/GzkPSCwQHFabbtm7aL/jEhzySfdl
|
|
bA6ZsMPhr0QqLORKqt8kAUzzFgpVdSRLCa+a8H9phi3CqPDEzGCDdseiCw4mJ+VU
|
|
EhFu616EKw7V9G7FXpnK3Z+E0aHe6UYlf4swUzXluWJrtO/n5bD++ObZaSUOPH0l
|
|
arcOUe8S5dnHiZ8Gg9BqtT6nKQMPXHgGh8W3U53CPt0USJsUWMPd0GPVYt2QnbkX
|
|
27leNs7e1+Njes4PuhOJ+wunn1iye+eTVilqaGkuFC+YKiOJVs9pNJovBTalTsfB
|
|
XqQO52DesrJ/C0xo3AaaNGfNB4JhG3rqR2tPiqubNQcEIocTJ7LkGy0lKXiDbIra
|
|
UA7fDszAG5l5RSyRtgQ4QPd+EzvYguX1vccFGqItDX9aZdQDspnnViKl/FJNzb19
|
|
p9fEa+ZVjV65N836RhCtRx7allqhTAX4yQFXIrUiwQ3ssLNAx1s=
|
|
=sl/Z
|
|
-----END PGP SIGNATURE-----
|