
Bug#310804: marked as done (kernel-source-2.6.8: CAN-2005-0356 RFC1323 spec DoS)



Your message dated Tue, 21 Jun 2005 15:24:06 +0900
with message-id <20050621062405.GA8604@verge.net.au>
and subject line Bug#310804: kernel-source-2.6.8: CAN-2005-0356 RFC1323 spec DoS
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 26 May 2005 06:03:18 +0000
>From geoff.crompton@strategicdata.com.au Wed May 25 23:03:18 2005
From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kernel-source-2.6.8: CAN-2005-0356 RFC1323 spec DoS
X-Mailer: reportbug 3.8
Date: Thu, 26 May 2005 16:03:15 +1000
Message-Id: <20050526060315.E4D0E390001@carthanach.mel.strategicdata.com.au>

Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: important

See http://www.securityfocus.com/bid/13676 for more information. In
short, a DoS exists when a machine uses PAWS (Protection Against Wrapped
Sequence Numbers).

Quoting from securityfocus:
>The issue manifests if an attacker transmits a sufficient TCP PAWS
>packet to a vulnerable computer. A large value is set by the 
>attacker as the packet timestamp. When the target computer processes 
>this packet, the internal timer is updated to the large attacker supplied 
>value.
>This causes all other valid packets that are received subsequent to an
>attack to be dropped as they are deemed to be too old, or invalid. 
>This type of attack will effectively deny service for a target connection.

The securityfocus article doesn't mention Linux as vulnerable; however,
RFC1323 is implemented in Linux, and this issue can be enabled/disabled
via /proc/sys/net/ipv4/tcp_timestamps

---------------------------------------
Received: (at 310804-done) by bugs.debian.org; 21 Jun 2005 06:24:42 +0000
>From horms@koto.vergenet.net Mon Jun 20 23:24:42 2005
Date: Tue, 21 Jun 2005 15:24:06 +0900
From: Horms <horms@debian.org>
To: Geoff Crompton <geoff.crompton@strategicdata.com.au>,
	310804-done@bugs.debian.org
Subject: Re: Bug#310804: kernel-source-2.6.8: CAN-2005-0356 RFC1323 spec DoS
Message-ID: <20050621062405.GA8604@verge.net.au>
References: <20050526060315.E4D0E390001@carthanach.mel.strategicdata.com.au>
In-Reply-To: <20050526060315.E4D0E390001@carthanach.mel.strategicdata.com.au>

On Thu, May 26, 2005 at 04:03:15PM +1000, Geoff Crompton wrote:
> Package: kernel-source-2.6.8
> Version: 2.6.8-15
> Severity: important
> 
> See http://www.securityfocus.com/bid/13676 for more information. In
> short, a DoS exists when a machine uses PAWS (Protection Against Wrapped
> Sequence Numbers).
> 
> Quoting from securityfocus:
> >The issue manifests if an attacker transmits a sufficient TCP PAWS
> >packet to a vulnerable computer. A large value is set by the 
> >attacker as the packet timestamp. When the target computer processes 
> >this packet, the internal timer is updated to the large attacker supplied 
> >value.
> >This causes all other valid packets that are received subsequent to an
> >attack to be dropped as they are deemed to be too old, or invalid. 
> >This type of attack will effectively deny service for a target connection.
> 
> The securityfocus article doesn't mention Linux as vulnerable; however,
> RFC1323 is implemented in Linux, and this issue can be enabled/disabled
> via /proc/sys/net/ipv4/tcp_timestamps

Apparently Linux is not vulnerable,
though I'd need to spend more time
browsing the code to understand 
exactly why.

http://www.kb.cert.org/vuls/id/JGEI-6ABPN4
http://www.kb.cert.org/vuls/id/637934

http://www.redhat.com/archives/fedora-legacy-list/2005-May/msg00213.html
http://www.redhat.com/archives/fedora-legacy-list/2005-May/msg00210.html


Incidentally, this seems to be CAN-2005-0356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356

-- 
Horms
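
The receiver-side behaviour quoted from securityfocus above, as a simplified model (an added example, not Linux kernel code and not code from anyone in this thread). All struct and function names and all sample values are constructed; the "checked" path assumes the fix is to validate the sequence number first and then apply RFC 1323's rule SEG.SEQ <= Last.ACK.sent < SEG.SEQ + SEG.LEN before updating TS.Recent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-connection state; field names follow RFC 1323 terms. */
struct conn { uint32_t rcv_nxt, rcv_wnd, last_ack_sent, ts_recent; };
struct seg  { uint32_t seq, len, tsval; };

/* Serial-number comparison modulo 2^32: true if a is older than b. */
static bool before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

static bool in_window(const struct conn *c, const struct seg *s)
{
    return !before(s->seq, c->rcv_nxt) &&
           before(s->seq, c->rcv_nxt + c->rcv_wnd);
}

/* Returns true if the segment is accepted (model assumes in-order data). */
static bool tcp_receive(struct conn *c, const struct seg *s, bool checked)
{
    if (before(s->tsval, c->ts_recent))
        return false;                 /* PAWS: timestamp looks too old */
    if (!checked)
        c->ts_recent = s->tsval;      /* flawed: segment not yet validated */
    if (!in_window(c, s))
        return false;                 /* sequence number outside the window */
    if (checked && !before(c->last_ack_sent, s->seq) &&
        before(c->last_ack_sent, s->seq + s->len))
        c->ts_recent = s->tsval;      /* update only from a validated segment */
    c->rcv_nxt = s->seq + s->len;
    c->last_ack_sent = c->rcv_nxt;
    return true;
}

/* One out-of-window segment with a huge timestamp, then 5 valid segments. */
int legit_accepted_after_forgery(bool checked)
{
    struct conn c = { 5000, 65535, 5000, 1000 };             /* constructed */
    struct seg forged = { 5000 + 0x40000000u, 1, 1000 + 0x7fffffffu };
    int accepted = 0;
    tcp_receive(&c, &forged, checked);
    for (uint32_t i = 1; i <= 5; i++) {
        struct seg s = { c.rcv_nxt, 100, 1000 + i };
        accepted += tcp_receive(&c, &s, checked);
    }
    return accepted;
}

int main(void)
{
    printf("unchecked: %d of 5 accepted\n", legit_accepted_after_forgery(false));
    printf("checked:   %d of 5 accepted\n", legit_accepted_after_forgery(true));
    return 0;
}
```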


