SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   TCP/IP Stack Implementation Vendors:   FreeBSD, NetBSD, OpenBSD
(OpenBSD Issues Fix) Re: FreeBSD, NetBSD, and OpenBSD TCP Implementation Errors Fail to Reject TCP Broadcast Connection Requests from Remote Users
SecurityTracker Alert ID:  1003865
SecurityTracker URL:  http://securitytracker.com/id/1003865
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 21 2002
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A potential vulnerability was reported in the FreeBSD, NetBSD, and OpenBSD TCP stack implementation. The stack will fail to properly reject TCP connection requests made to IP broadcast addresses on the system

It is reported that TCP connections should not be considered valid when the destination address is a broadcast or multicast address. According to the report, FRC 1122 specifies that "a TCP implementation MUST silently discard an incoming SYN segment that is addressed to a broadcast or multicast address." Apparently, several BSD-based operating systems check only the packet's link layer address for this condition and not the IP address.

The vendors have reportedly been notified.

Impact:   In certain cases, a remote user could make an unauthorized connection to a misconfigured host. According to the report, the main risk is that a firewall administrator may (incorrectly) assume that it is not possible to establish TCP connections to a broadcast address and therefore may not protect it adequately.

Some exploit scenarios and conditions are described in the Source Message.

Solution:   The vendor has issued a fix:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110

Vendor URL:  www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110 (Links to External Site)
Cause:   State error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2002 FreeBSD, NetBSD, and OpenBSD TCP Implementation Errors Fail to Reject TCP Broadcast Connection Requests from Remote Users



 Source Message Contents

Subject:  Re: TCP Connections to a Broadcast Address on BSD-Based Systems


>Actions:
>
>I notified security-officer@{free,open,net}bsd.org on Feburary
>17th. From examining OpenBSD source code, it appears to have the
>flaw. I have confirmed that NetBSD is vulnerable. I have been unable
>to actually test the vulnerability on an operational OpenBSD system. I
>have not heard anything from either NetBSD or OpenBSD, and no changes
>related to this bug appear to have been committed to their code. Patches
>for NetBSD and OpenBSD are attached below.

	the changes were made into both openbsd and netbsd repository
	as shown below:

	http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
	http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137

	thank you for the report.

itojun

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC