SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   OpenBSD Kernel Vendors:   OpenBSD
(OpenBSD Issues Fix) netinet TCP Maximum Segment Size May Let Remote Users Deny Service
SecurityTracker Alert ID:  1009354
SecurityTracker URL:  http://securitytracker.com/id/1009354
CVE Reference:   CVE-2004-0002   (Links to External Site)
Date:  Mar 9 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): OpenBSD 3.3, 3.4
Description:   A vulnerability was reported in BSD UNIX in netinet in the TCP maximum segment size (MSS) implementation. A remote user may be able to cause denial of service attacks.

Andre Oppermann reported that a remote user can conduct resource exhaustion attacks against an affected system.

It is reported that a remote user can set an arbitrarily low MSS value during TCP connection setup to cause the target system to send many small IP packets. On fast networks, this can quickly cause the CPU on the target system to become saturated and may generate more packets-per-second than the network components can process.

It is also reported that a remote user can send TCP packets with a TCP payload of at least one byte to cause the tcp_input() function to be executed and a sowakeup() call to be signalled to the connected process on the target system, consuming excessive resources on the target system.

FreeBSD and OpenBSD are reportedly affected. NetBSD reports that NetBSD is not vulnerable [as reported in http://mail-index.netbsd.org/netbsd-announce/2004/03/04/0000.html].

Impact:   A remote user may be able to cause resources on the target system to become exhausted, resulting in denial of service conditions on the target system.
Solution:   OpenBSD has issued the following patches:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/013_tcp.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/018_tcp.patch

Vendor URL:  lists.freebsd.org/pipermail/cvs-src/2004-January/016271.html (Links to External Site)
Cause:   Configuration error, Resource error

Message History:   This archive entry is a follow-up to the message listed below.
Feb 3 2004 BSD netinet TCP Maximum Segment Size May Let Remote Users Deny Service



 Source Message Contents

Subject:  TCP reassembly DoS


OpenBSD's TCP/IP stack did not impose limits on how many out-of-order
TCP segments are queued in the system.

If an attacker was allowed to connect to an open TCP port, he could send
out-of-order TCP segments and trick the system into using all available
memory buffers.  Packet handling would be impaired, and new connections
would fail until the the attacking TCP connection is closed.

The problem is fixed in -current, 3.4-stable and 3.3-stable.

Patches are available at:

  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/013_tcp.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/018_tcp.patch

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC