|
Vulnerability kernel Affected FreeBSD 4.x Description Ofir Arkin found following. It is long known that FreeBSD uses a wrong IP Identification number with its ICMP Error Messages. This fact was discovered by Fyodor long ago. Let's identify were the problem is. The next example is with FreeBSD 4.1: 00:52:19.055758 ppp0 > x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8] (ttl 64, id 58965) 4508 001c e655 0000 4011 3f63 xxxx xxxx yyyy yyyy 0571 0000 0008 a55c 00:52:19.464548 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0 unreachable Offending pkt: x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8] (ttl 47, id 21990, bad cksum 5063!) (ttl 238, id 27639) 4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy xxxx xxxx 0303 87f3 0000 0000 4508 001c 55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy 0571 0000 0008 0000 A udp datagram sent to a closed udp port (port 0, can be any port). The original udp datagram used e655 hex as its IP Identification field value. The echoed IP Header inside the ICMP Error message states that this value was 55e6 (with the offending datagram). FreeBSD 4.x simply flips between the first 8bits to the second 8 bits. Solution This has been addressed in both FreeBSD-curent and -stable. The 4.1.1 release (network d/l only) contains the relevant patch.