FreeBSD syncache/syncookies denial of service
17th Apr 2002 [SBWID-5270]
COMMAND

	FreeBSD syncache/syncookies denial of service

SYSTEMS AFFECTED

	 FreeBSD 4.5-RELEASE

	 FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC

	 FreeBSD 4.5-STABLE prior to the correction date 

	

	 Corrected:      2002-02-20 16:48:49 UTC (RELENG_4)

	                 2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)

	

PROBLEM

	FreeBSD Security Advisory FreeBSD-SA-02:20.syncache describes a bug in the
	syncache and syncookie mechanisms, which has been corrected:
	

	

	 Background

	 ==========

	

	The SYN cache ("syncache") and SYN  cookie  mechanism  ("syncookie")
	are features of the TCP/IP stack intended to  improve  resistance  to  a
	class of denial of service attacks known as SYN floods.
	

	 Problem Description

	 ===================

	

	Two related problems with syncache were triggered when  syncookies  were
	implemented.
	

	1) When a SYN was accepted via a syncookie,  it  used  an  uninitialized
	pointer to find the TCP options for the new socket. This pointer may  be
	a null pointer, which will cause the machine to crash.
	

	2) A syncache entry is created when a SYN arrives on  a  listen  socket.
	If the application which  created  the  listen  socket  was  killed  and
	restarted  ---  and  therefore  recreated  the  listen  socket  with   a
	different inpcb --- an ACK (or duplicate SYN) which  later  arrived  and
	matched the existing syncache entry would cause a reference to  the  old
	inpcb pointer. Depending on the pointer's contents, this  might  result
	in a system crash.
	

	Because syncache/syncookies support was added prior to  the  release  of
	FreeBSD 4.5-RELEASE, no other releases are affected.
	

	 Impact

	 ======

	

	Legitimate TCP/IP traffic may cause the machine to crash.
	

	

SOLUTION

	 Workaround

	 ==========

	

	The first issue described may be worked around by  disabling  syncookies
	using sysctl.  Issue the following command as root:
	

	

	  # sysctl -w net.inet.tcp.syncookies=0

	

	

	However, there is no workaround for the second issue.
	

	 Solution

	 ========

	

	1) Upgrade your  vulnerable  system  to  4.5-STABLE  or  the  RELENG_4_5
	security branch dated after the respective correction dates.
	

	2) To patch your present system: download the relevant  patch  from  the
	location below, and execute the following commands as root:
	

	

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc

	

	

	This patch has been verified to apply to 4.5-RELEASE only.
	

	Verify the detached PGP signature using your PGP utility.
	

	Execute the following commands as root:
	

	

	# cd /usr/src

	# patch -p < /path/to/patch

	

	

	Recompile        your        kernel        as        described        in
	http://www.freebsd.org/handbook/kernelconfig.html   and    reboot    the
	system.
	

	 Correction details

	 ==================

	

	The following list contains the revision numbers of each file  that  was
	corrected in the FreeBSD ports collection.
	

	

	Path                                                             Revision
	  Branch
	-------------------------------------------------------------------------
	src/sys/conf/newvers.sh
	  RELENG_4_5                                                1.44.2.20.2.2
	src/sys/netinet/tcp_syncache.c
	  RELENG_4                                                        1.5.2.5
	  RELENG_4_5                                                  1.5.2.4.2.1
	-------------------------------------------------------------------------
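
	The revision table above can be turned into a check of a source tree. The
	script below is an added example, not part of the advisory: the function
	names and the sample ident line are constructed, and it assumes the file
	carries a standard $FreeBSD$ ident string.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a tcp_syncache.c CVS revision
# against the corrected revisions listed under "Correction details".

# Constructed sample ident line; date and committer name are placeholders.
SAMPLE_IDENT=' * $FreeBSD: src/sys/netinet/tcp_syncache.c,v 1.5.2.4 2002/01/01 00:00:00 someone Exp $'

# Read source text on stdin, print the revision from the $FreeBSD$ ident line.
syncache_rev_from_ident() {
    sed -n 's/.*\$FreeBSD: [^ ]*tcp_syncache\.c,v \([0-9.]*\) .*/\1/p' | head -n 1
}

# Print "fixed", "vulnerable" or "unknown" for a given revision number.
syncache_rev_status() {
    rev=$1
    case $rev in
        1.5.2.4.2.*)    # RELENG_4_5 branch, corrected in 1.5.2.4.2.1
            n=${rev#1.5.2.4.2.}; fixed_at=1 ;;
        1.5.2.*.*)      # a branch the advisory does not list
            echo unknown; return 0 ;;
        1.5.2.*)        # RELENG_4 branch, corrected in 1.5.2.5
            n=${rev#1.5.2.}; fixed_at=5 ;;
        *)              # anything else is outside the advisory's table
            echo unknown; return 0 ;;
    esac
    case $n in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # last component must be a number
    esac
    if [ "$n" -ge "$fixed_at" ]; then echo fixed; else echo vulnerable; fi
}

# Check the local source tree if present (path taken from the steps above).
src=/usr/src/sys/netinet/tcp_syncache.c
if [ -r "$src" ]; then
    rev=$(syncache_rev_from_ident < "$src")
    echo "tcp_syncache.c ${rev:-?}: $(syncache_rev_status "$rev")"
    # Syncookies off only works around the first issue, not the second.
    echo "net.inet.tcp.syncookies=$(sysctl -n net.inet.tcp.syncookies 2>/dev/null)"
fi
```

	A "fixed" result describes the source tree only; the running kernel is
	corrected once it has been rebuilt from that tree and the system rebooted.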

	
