FreeBSD Security Advisory FreeBSD-SA-16:05.tcp

Fabricante: FreeBSD
Fecha: 14/01/2016
Identificador: FreeBSD-SA-16:05.tcp
FreeBSD Security Advisory FreeBSD-SA-16:05.tcp
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:05.tcp Security Advisory The FreeBSD Project Topic: TCP MD5 signature denial of service Category: core Module: kernel Announced: 2016-01-14 Credits: Ryan Stone, Jonathan T. Looney Affects: All supported versions of FreeBSD. Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE) 2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9) 2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26) 2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE) 2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33) CVE Name: CVE-2016-1882 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. An optional extension to TCP described in RFC 2385 allows protecting data streams against spoofed packets with MD5 signature. Support for TCP MD5 signatures is not enabled in default kernel. II. Problem Description A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to kernel crash. III. Impact A local attacker can crash the kernel, resulting in a denial-of-service. A remote attack is theoretically possible, if server has a listening socket with TCP_NOOPT set, and server is either out of SYN cache entries, or SYN cache is disabled by configuration. IV. Workaround No workaround is available, but installations running a default kernel, or a custom kernel without TCP_SIGNATURE option are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. System reboot is required. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch # fetch https://security.FreeBSD.org/patches/SA-16:05/tcp.patch.asc # gpg --verify tcp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r293898 releng/9.3/ r293896 stable/10/ r293897 releng/10.1/ r293894 releng/10.2/ r293893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnrWcQAN+QX6wEvC7FkTXyX2LHFWas CVOI/KkxkHSVwYMMScmorG27OxDsHTkvrGfqyVbYDczmC5NY+AorMiZMoo7CHn5J gYmS8NZvBPeMKmFt45lBTBDnKT6mOvHBz6UPhyyHruvR6VZ2h3fyLqYzbMKcy12i Onmk/nm3vgrqOCmnqYQN8Xo2v2x4KcKU3/jegK+pdfOwd9Q1bmxzBWwFx8yc7pZ0 3YItalkiMsuRppSuNS9fGoRSoB/Ybf/8pu6SDnhvJnw4CIRGAl3IDKpBanB7F/9E sofcI499s+uyOHPY8TrQ62L4UjteEukwaV8EJh6vPaLm3pns0cSURzKczgytTH3G Nz9GcI3hYdfbXRBgJvwtZv9JY5s3ZtPiqqTwHta7AdplXwiOJJ1Ylso5lZ4beiJh q7Sv+YMJr9cNfnYmSGv33rKN4hdae7XfJm+Ipde4bpgCLFpKkb/aQaGxGlowjDaW 0C77qCg+se3TzwGl0A7ClEq4dLaadTsiShQCpZGQOgc6Wgz9QUBGxU811e3KQHLo 3XQgxGSB9+3d7YiK/ZNkzi8d89VXMgUOx4HoOZ7+SkVBg1+qpbiYnk8VJjLmXyOz dPtDbzWG68wluWcSc7TD5yIYx2Lw4E9ZMWzh2boOxEWrcd9mxCUPiU9nsF+PIAPG kTcLnX0+iXijpKMnQpgP =UjjC -----END PGP SIGNATURE-----