TUCoPS :: BSD :: krnl17-1.htm

FreeBSD wrong IP Identification number
Vulnerability

    kernel

Affected

    FreeBSD 4.x

Description

    Ofir Arkin found the following.  It has long been known that FreeBSD
    uses a wrong IP Identification number in the IP header it echoes
    inside its ICMP Error Messages.  This fact was discovered by Fyodor
    long ago.  Let's identify where the problem is.

    The next example is with FreeBSD 4.1:

        00:52:19.055758 ppp0 > x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
        (ttl 64, id 58965)
                 4508 001c e655 0000 4011 3f63 xxxx xxxx
                 yyyy yyyy 0571 0000 0008 a55c

        00:52:19.464548 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
        unreachable Offending pkt: x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
        (ttl 47, id 21990, bad cksum 5063!) (ttl 238, id 27639)
                 4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy
                 xxxx xxxx 0303 87f3 0000 0000 4508 001c
                 55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy
                 0571 0000 0008 0000

    A UDP datagram was sent to a closed UDP port (port 0 here, but any
    closed port will do).  The original UDP datagram used e655 hex as
    its IP Identification field value.  The IP header echoed inside the
    ICMP Error message (the "offending pkt" part of the dump) states
    that this value was 55e6.

    FreeBSD 4.x simply swaps the first 8 bits and the second 8 bits of
    the field: the two bytes of the 16-bit IP Identification value come
    out in the wrong order in the echoed header.
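    To check this against the bytes in the dump, the following Python
    script (added here, not part of the advisory) derives the
    one's-complement sum of the four masked address words from the valid
    checksum of the original header, then tests the echoed header's
    checksum 5063 under both readings of the ID field.  It validates only
    with the original ID e655, so the kernel checksummed the echoed header
    correctly and wrote the ID bytes swapped afterwards, which is also why
    tcpdump reports "bad cksum" on the wire bytes.

```python
# First six 16-bit words of each IPv4 header, copied from the tcpdump hex
# dumps above.  The masked address words (xxxx xxxx yyyy yyyy) are left
# out; their combined one's-complement sum is derived instead.
ORIG_HDR = [0x4508, 0x001c, 0xe655, 0x0000, 0x4011, 0x3f63]  # host's own UDP packet
ECHO_HDR = [0x4508, 0x001c, 0x55e6, 0x0000, 0x2f11, 0x5063]  # copy inside the ICMP error
ID_IDX, CKSUM_IDX = 2, 5


def oc_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xffff) + (s >> 16)


def oc_sum(words):
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def derive_address_sum(hdr):
    """A correct header sums to 0xffff including its checksum word, so the
    one's-complement sum of the masked address words is the complement of
    the sum of the known words."""
    return ~oc_sum(hdr) & 0xffff


def expected_checksum(hdr, addr_sum, ip_id):
    """Checksum the header would carry if its ID field were ip_id."""
    words = list(hdr)
    words[ID_IDX] = ip_id
    words[CKSUM_IDX] = 0
    return ~oc_add(oc_sum(words), addr_sum) & 0xffff


def byteswap16(w):
    return ((w & 0xff) << 8) | (w >> 8)


def analyse():
    """Compare the echoed header's ID and checksum against the original."""
    addr_sum = derive_address_sum(ORIG_HDR)
    wire_id = ECHO_HDR[ID_IDX]
    return {
        "wire_id_matches_original": wire_id == ORIG_HDR[ID_IDX],
        "swapped_id_matches_original": byteswap16(wire_id) == ORIG_HDR[ID_IDX],
        "cksum_valid_with_wire_id": expected_checksum(ECHO_HDR, addr_sum, wire_id) == ECHO_HDR[CKSUM_IDX],
        "cksum_valid_with_swapped_id": expected_checksum(ECHO_HDR, addr_sum, byteswap16(wire_id)) == ECHO_HDR[CKSUM_IDX],
    }


if __name__ == "__main__":
    for name, ok in analyse().items():
        print(f"{name}: {ok}")
```

    The same check applied to any other capture tells you whether a
    host's ICMP errors carry the byte-swapped ID, which is the fingerprint
    this advisory describes.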

Solution

    This has been addressed in both FreeBSD-current and -stable.  The
    4.1.1 release (network download only) contains the relevant patch.
