FreeBSD syncookies Internal Key Generation Weakness

2003-02-24T00:00:00
ID OSVDB:19785
Type osvdb
Reporter Mike Silbersack(silby@FreeBSD.org)
Modified 2003-02-24T00:00:00

Description

Vulnerability Description

FreeBSD contains a flaw that may allow a malicious user to spoof TCP connections. The issue is triggered when 32-bit internal keys are used to generate syncookies. It is possible that the flaw may allow a malicious user to bypass IP-based access control lists and/or reset TCP connections, resulting in a loss of integrity.

Technical Description

The FreeBSD implementation of syncookies was designed to tackle SYN flooding attacks while at the same time refraining from changing the TCP implementations used by clients. As such, syncookies are encrypted as 32-bit values and stored as Initial Sequence Number (ISN) values in the sequence field of SYN-ACK segments sent from a server to a client.

If a malicious user receives a syncookie from a server, it is feasible to extract the syncookie key from the ISN via a brute-force attack. The syncookie key will permit the construction of valid ISNs for a fake ACK reply until the key is rotated on the server (typically up to four seconds). It is possible that this flaw may allow bypassing IP-based access control lists implemented by tcp_wrappers and many firewalls, as well as resetting TCP connections.

Solution Description

Upgrade to version 4-STABLE; or to the RELENG_4_7 (4.7-RELEASE-p6), RELENG_4_6 (4.6.2-RELEASE-p9), or RELENG_5_0 (5.0-RELEASE-p3) security branch dated after the correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions.

It is also possible to correct the flaw by implementing the following workaround:

Execute the following command as root:

sysctl net.inet.tcp.syncookies=0

Disable syncookies at system startup time by adding the following line to sysctl.conf(5): net.inet.tcp.syncookies=0
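The two-step workaround above (runtime sysctl plus a persistent sysctl.conf(5) entry), as an added POSIX shell example that is not part of the advisory or of FreeBSD itself. It edits the configuration file idempotently so repeated runs never leave duplicate or conflicting net.inet.tcp.syncookies lines; the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. set_sysctl_conf KEY VALUE FILE rewrites
# FILE so exactly one "KEY=VALUE" line is present: an existing setting for KEY
# (even one commented out) is replaced in place, otherwise the line is appended.
set_sysctl_conf() {
    key="$1"; value="$2"; file="$3"
    tmp="${file}.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip leading blanks and "#"
            split(line, kv, "=")
            gsub(/[ \t]/, "", kv[1])           # normalise "key = value" form
            if (kv[1] == key) {
                if (!done) { print key "=" value; done = 1 }
                next                           # drop any further duplicates
            }
            print
        }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# syncookies_disabled FILE: succeeds (exit 0) only when the last effective
# net.inet.tcp.syncookies line in FILE sets the value to 0.
syncookies_disabled() {
    awk -F= '
        /^[ \t]*net\.inet\.tcp\.syncookies[ \t]*=/ { v = $2 }
        END { gsub(/[ \t]/, "", v); if (v == "0") exit 0; exit 1 }
    ' "$1"
}

# apply_syncookie_workaround [FILE]: the advisory's runtime change (only on a
# FreeBSD host where sysctl exists) followed by the persistent one.
apply_syncookie_workaround() {
    conf="${1:-/etc/sysctl.conf}"   # assumed default location of sysctl.conf(5)
    if [ "$(uname -s 2>/dev/null)" = "FreeBSD" ] && command -v sysctl >/dev/null 2>&1; then
        sysctl net.inet.tcp.syncookies=0
    fi
    set_sysctl_conf net.inet.tcp.syncookies 0 "$conf"
    syncookies_disabled "$conf"
}
```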

Short Description

FreeBSD contains a flaw that may allow a malicious user to spoof TCP connections. The issue is triggered when 32-bit internal keys are used to generate syncookies. It is possible that the flaw may allow a malicious user to bypass IP-based access control lists and/or reset TCP connections, resulting in a loss of integrity.

References:

Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch.asc
Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch
Vendor Specific Advisory URL
Secunia Advisory ID: 8142
Mail List Post: http://archives.neohapsis.com/archives/freebsd/2003-02/0083.html
Mail List Post: http://archives.neohapsis.com/archives/freebsd/2003-02/0084.html
ISS X-Force ID: 11397
CVE-2003-1230
Bugtraq ID: 6920