144 lines
5.6 KiB
Text
144 lines
5.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:04.tcp Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: TCP IPv6 SYN cache kernel information disclosure
|
|
|
|
Category: core
|
|
Module: tcp
|
|
Announced: 2020-03-19
|
|
Credits: Michael Tuexen (Netflix, contractor)
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2020-03-08 14:48:21 UTC (stable/12, 12.1-STABLE)
|
|
2020-03-19 16:46:01 UTC (releng/12.1, 12.1-RELEASE-p3)
|
|
2020-03-08 14:48:32 UTC (stable/11, 11.3-STABLE)
|
|
2020-03-19 16:46:01 UTC (releng/11.3, 11.3-RELEASE-p7)
|
|
CVE Name: CVE-2020-7451
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The Internet Protocol version 6 (IPv6) header contains a one byte field
|
|
called Traffic Class. Two bits of this field are used for Explicit
|
|
Congestion Notification (ECN), the other six bits are used as Differentiated
|
|
Services Field Codepoints (DSCP).
|
|
|
|
The Transmission Control Protocol (TCP) is a connection oriented transport
|
|
protocol, which can be used as an upper layer of IPv6. A TCP endpoint is
|
|
either acting as a client (sending initially a SYN segment) or as a server
|
|
(initially waiting to receive a SYN segment and then responding with a
|
|
SYN-ACK segment).
|
|
|
|
To mitigate the impact of some attacks against TCP servers (like
|
|
SYN-flooding), FreeBSD uses specific code to handle the TCP connection setup
|
|
for servers. This includes the transmission and retransmission of SYN-ACK
|
|
segments or responding with a challenge ACK segment to a received RST
|
|
segment.
|
|
|
|
II. Problem Description
|
|
|
|
When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6,
|
|
the Traffic Class field is not initialized. This also applies to challenge ACK
|
|
segments, which are sent in response to received RST segments during the TCP
|
|
connection setup phase.
|
|
|
|
III. Impact
|
|
|
|
For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one byte
|
|
of kernel memory is transmitted over the network.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available. Systems not using IPv6 are unaffected.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date,
|
|
and reboot.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for a security update"
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:04/tcp.patch.asc
|
|
# gpg --verify tcp.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r358739
|
|
releng/12.1/ r359138
|
|
stable/11/ r358740
|
|
releng/11.3/ r359138
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7451>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:04.tcp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cLuzQ/9HvuKX5w2/CDerZPseNDKqumxjoap6MjfExvpVN4Auy31wcE7248JpZ/d
|
|
I+Be927dmghiey97opVcR56g5OJ9QAinQRTWX1rLKaQ2xldGFE5924iLyQ/hjMXG
|
|
LDkYrBpJ2Wkdq9XFZKAuu2dpV/RUMlGnKANG/QfAAd5V4VC7Sg5X6ty7ISlVMrM7
|
|
aQdBP4e5XyssfeqZeZ/A57dF3Yi7F1TEEjXeM+dulTET4nm0+w74n+QaNoH6hcMI
|
|
n3Bb/SsF9HfbZtXz235vkzbgvvSX4f+D/d3vrcAA9KMVjKBH6QbiwJKuHSdb0GY8
|
|
ENMb7vO7Rx71u8GnCYg659qFrWb/kaTW2BCbgAJyp2747nAw8I7DwZiN2RKWA7qh
|
|
JbcZb1rJN9gEccnGyNouuy4DzUlUc4VQnp4ajqV4S1YGbwdfsBqi2c0dYwqEcW96
|
|
RKxxTrH9JB8d52wMMshB7hMfwbeLeOJJ4phFL8knXuv19SWCP/tz6XDopoBN6wTW
|
|
yn5g+n7oVCOsSwlPLHl/5WWUTvKjyCB6eZIblFhlbiNTuQiUaegDXx66On+vgVKD
|
|
oYA9cDQUcvIKLne/KgCqTQ5MAuwE/7hPyUlGmuiZ3/Qx6CW568+v1kTc19eUQb0a
|
|
+e5HDRFhtiQyRMpTC9Yt14sv8oFLynhyt/IbQWTeqppZhBugbJ8=
|
|
=CFKz
|
|
-----END PGP SIGNATURE-----
|