exploit the possibilities

FreeBSD Security Advisory 2003.3

FreeBSD Security Advisory 2003.3
Posted Feb 25, 2003
Authored by The FreeBSD Project | Site freebsd.org

FreeBSD Security Advisory FreeBSD-SA-03:03 - The FreeBSD syncookie implementation uses keys that are only 32 bits in length, allowing remote attackers to recover the ISN, which can be valid for up to four seconds, allowing ACL's to be bypassed and TCP connections forged. syncookies may be disabled using the 'net.inet.tcp.syncookies' sysctl(8) by running the following command as root: "sysctl net.inet.tcp.syncookies=0".

tags | remote, root, tcp
systems | freebsd
SHA-256 | f1a19443f25751c44cb233a1222d580467975bb2b27cfee7560380c7d12c6f71

FreeBSD Security Advisory 2003.3

Change Mirror Download
Hash: SHA1

FreeBSD-SA-03:03.syncookies Security Advisory
The FreeBSD Project

Topic: Brute force attack on SYN cookies

Category: core
Module: sys_netinet
Announced: 2003-02-24
Credits: Mike Silbersack <silby@FreeBSD.org>
Affects: FreeBSD 4.5-RELEASE
FreeBSD 4.6-RELEASE prior to 4.6.2-RELEASE-p9
FreeBSD 4.7-RELEASE prior to 4.7-RELEASE-p6
FreeBSD 4.7-STABLE prior to the correction date
FreeBSD 5.0-RELEASE prior to 5.0-RELEASE-p3
Corrected: 2003-02-23 19:04:58 UTC (RELENG_4)
2003-02-23 20:18:48 UTC (RELENG_5_0)
2003-02-23 20:19:29 UTC (RELENG_4_7)
2003-02-24 02:42:06 UTC (RELENG_4_6)
FreeBSD only: YES

I. Background

SYN cookies are a technique used to mitigate the effects of SYN flood
attacks by choosing initial TCP sequence numbers (ISNs) that can be
verified cryptographically. FreeBSD implements this technique in the
TCP stack (where it is referred to as `syncookies') by default.

II. Problem Description

The FreeBSD syncookie implementation protects the generated ISN using
a MAC that is keyed on one of several internal secret keys which are
rotated periodically. However, the keys are only 32 bits in length,
allowing brute force attacks on the secrets to be feasible.

III. Impact

Once a syncookie key has been recovered, an attacker may construct
valid ISNs until the key is rotated (typically up to four seconds).
The ability to construct a valid ISN may be used to spoof a TCP
connection in exactly the same way as in the well-known ISN prediction
attacks (see `References'). Spoofing may allow an attacker to bypass
IP-based access control lists such as those implemented by
tcp_wrappers and many firewalls. Similarly, SMTP and other
connections may be forged, increasing the difficulty of tracing
abusers. Recovery of a syncookie key will also allow the attacker to
reset TCP connections initiated within the same 31.25ms window.

IV. Workaround

syncookies may be disabled using the `net.inet.tcp.syncookies'
sysctl(8). Execute the following command as root:

# sysctl net.inet.tcp.syncookies=0

To disable syncookies at system startup time, add the following line
to sysctl.conf(5):


V. Solution

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7
(4.7-RELEASE-p6), RELENG_4_6 (4.6.2-RELEASE-p9), or RELENG_5_0
(5.0-RELEASE-p3) security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.6, 4.7, and
5.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:03/syncookie.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html >
and reboot the system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path Revision
- -------------------------------------------------------------------------
- -------------------------------------------------------------------------

VII. References

<URL: http://cr.yp.to/syncookies.html >
<URL: http://www.cert.org/advisories/CA-2001-09.html >
Version: GnuPG v1.2.1 (FreeBSD)


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By