-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:08.sack Security Advisory The FreeBSD Project Topic: Infinite loop in SACK handling Category: core Module: netinet Announced: 2006-02-01 Credits: Scott Wood Affects: FreeBSD 5.3 and 5.4 Corrected: 2006-01-24 01:16:18 UTC (RELENG_5, 5.4-STABLE) 2006-02-01 19:43:10 UTC (RELENG_5_4, 5.4-RELEASE-p11) 2006-02-01 19:43:36 UTC (RELENG_5_3, 5.3-RELEASE-p26) CVE Name: CVE-2006-0433 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background SACK (Selective Acknowledgement) is an extension to the TCP/IP protocol that allows hosts to acknowledge the receipt of some, but not all, of the packets sent, thereby reducing the cost of retransmissions. II. Problem Description When insufficient memory is available to handle an incoming selective acknowledgement, the TCP/IP stack may enter an infinite loop. III. Impact By opening a TCP connection and sending a carefully crafted series of packets, an attacker may be able to cause a denial of service. IV. Workaround On FreeBSD 5.4, the net.inet.tcp.sack.enable sysctl can be used to disable the use of SACK: # sysctl net.inet.tcp.sack.enable=0 No workaround is available for FreeBSD 5.3. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE or to the RELENG_5_4 or RELENG_5_3 security branch dated after the correction date. 2) To patch your present system: The following patch have been verified to apply to FreeBSD 5.3 and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:08/sack.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:08/sack.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/sys/netinet/tcp_sack.c 1.3.2.10 RELENG_5_4 src/UPDATING 1.342.2.24.2.20 src/sys/conf/newvers.sh 1.62.2.18.2.16 src/sys/netinet/tcp_sack.c 1.3.2.5.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.29 src/sys/conf/newvers.sh 1.62.2.15.2.31 src/sys/netinet/tcp_sack.c 1.3.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0433 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:08.sack.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFD4RCIFdaIBMps37IRAplNAJ9sEJf5VkMOJaWO7P/wNHEzzW1aqACfcAfL e95PJAa1af/klNC+fZEipnY= =yZbN -----END PGP SIGNATURE-----