(OpenBSD Issues Fix) Re: FreeBSD, NetBSD, and OpenBSD TCP Implementation Errors Fail to Reject TCP Broadcast Connection Requests from Remote Users
|
SecurityTracker Alert ID: 1003865
|
SecurityTracker URL: http://securitytracker.com/id/1003865
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Mar 21 2002
|
Impact:
Host/resource access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description:
A potential vulnerability was reported in the FreeBSD, NetBSD, and OpenBSD TCP stack implementation. The stack fails to properly reject TCP connection requests made to IP broadcast addresses on the system.
It is reported that TCP connections should not be considered valid when the destination address is a broadcast or multicast address. According to the report, RFC 1122 specifies that "a TCP implementation MUST silently discard an incoming SYN segment that is addressed to a broadcast or multicast address." Apparently, several BSD-based operating systems check only the packet's link layer address for this condition and not the IP address.
The vendors have reportedly been notified.
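The difference between the link-layer-only test and a test that also inspects the IP destination, as an added example (not the vendors' patch and not code from the original advisory). The struct, function names and sample addresses are hypothetical and constructed for illustration; addresses are in host byte order.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical interface record; address and netmask in host byte order. */
struct iface { uint32_t addr, mask; };

/* Constructed sample: 192.0.2.10/24 and a point-to-point 198.51.100.1/31. */
static const struct iface sample_ifs[] = {
    { 0xC000020Au, 0xFFFFFF00u },
    { 0xC6336401u, 0xFFFFFFFEu },
};

/* Link-layer-only test, as the advisory describes the flawed behaviour:
 * the SYN is rejected only if the frame itself was broadcast/multicast. */
bool syn_ok_link_only(bool frame_bcast_or_mcast)
{
    return !frame_bcast_or_mcast;
}

/* IP-layer test: multicast, limited broadcast, or the directed broadcast
 * address of any configured interface. */
bool ip_is_bcast_or_mcast(uint32_t dst, const struct iface *ifs, size_t n)
{
    if ((dst & 0xF0000000u) == 0xE0000000u) return true;  /* 224.0.0.0/4 */
    if (dst == 0xFFFFFFFFu) return true;                  /* 255.255.255.255 */
    for (size_t i = 0; i < n; i++) {
        uint32_t m = ifs[i].mask;
        if (m >= 0xFFFFFFFEu) continue;       /* /31 and /32 have no broadcast */
        if (dst == ((ifs[i].addr & m) | (uint32_t)~m)) return true;
    }
    return false;
}

/* Combined test: discard the SYN if either layer says broadcast/multicast. */
bool syn_ok(uint32_t dst, bool frame_bcast_or_mcast,
            const struct iface *ifs, size_t n)
{
    return !frame_bcast_or_mcast && !ip_is_bcast_or_mcast(dst, ifs, n);
}

int main(void)
{
    uint32_t dst = 0xC00002FFu;   /* 192.0.2.255 carried in a unicast frame */
    printf("link-only check accepts: %d\n", syn_ok_link_only(false));
    printf("IP-aware check accepts:  %d\n", syn_ok(dst, false, sample_ifs, 2));
    return 0;
}
```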
|
Impact:
In certain cases, a remote user could make an unauthorized connection to a misconfigured host. According to the report, the main risk is that a firewall administrator may (incorrectly) assume that it is not possible to establish TCP connections to a broadcast address and therefore may not protect it adequately.
Some exploit scenarios and conditions are described in the Source Message.
|
Solution:
The vendor has issued a fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
|
Vendor URL: www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
|
Cause:
State error
|
Underlying OS:
UNIX (OpenBSD)
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 21 Mar 2002 10:30:34 +0900
Subject: Re: TCP Connections to a Broadcast Address on BSD-Based Systems
|
>Actions:
>
>I notified security-officer@{free,open,net}bsd.org on February
>17th. From examining OpenBSD source code, it appears to have the
>flaw. I have confirmed that NetBSD is vulnerable. I have been unable
>to actually test the vulnerability on an operational OpenBSD system. I
>have not heard anything from either NetBSD or OpenBSD, and no changes
>related to this bug appear to have been committed to their code. Patches
>for NetBSD and OpenBSD are attached below.
the changes were made to both the openbsd and netbsd repositories,
as shown below:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137
thank you for the report.
itojun
|