
Re: Debian and recent TCP vulnerability



Mlor Apac wrote:

> What's the status of debian (and linux kernel in general) regarding this
> recent TCP vulnerability? I have been unable to find any precise
> information. 

I too am wondering about this.

The basic Linux stance is presumably that stated in the Redhat advisory
you referenced:
http://kbase.redhat.com/faq/docs/DOC-18730

  "Due to upstream's decision not to release
  updates, Red Hat do not plan to release updates
  to resolve these issues"

Microsoft's bulletin
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx
for the same problem-set is similarly half-hearted:

  "The architecture to properly support TCP/IP
  protection does not exist on Microsoft
  Windows 2000 systems, making it infeasible to
  build the fix ... To do so would require
  rearchitecting a very significant amount of
  ... Microsoft Windows 2000"

  "By default, Windows XP [does] not have a
  listening service configured in the
  client firewall and [is] therefore not affected
  by this vulnerability ... [what kind of
  answer is that !] ... a system would become
  unresponsive due to memory consumption ...
  the system will recover once the flood ceases
  .... Microsoft recommends [customers] use
  [a firewall] to block access to the
  affected ports."

[duh]Using a firewall to block access to listening ports is no use at
all as a solution for a system which runs services which must remain
accessible.[/duh]

I'm guessing the Linux kernel folks' stance is some combination of the
above Microsoft statements, but haven't found any significant discussion
of it yet.  Redhat's recommendation is also to use firewalling to
mitigate the problem (though admittedly 'iptables' features are better
able to help than those of most firewalls [AFAIK]).

I worried about this bit:

  "The following iptables example [ensures that]
  if 10 connection attempts to any TCP port are
  received within 5 minutes, they are dropped"

Imagine how quickly that limit of 10 TCP connections in 5 minutes would
be reached by a web browser talking to a web service - especially if the
browser wasn't using HTTP 1.1 pipelining for some reason (proxy issues ?).

Cheers
Nick Boyce
-- 
But if we find we have left our bones to bleach in these desert
sands for nothing, beware the fury of the legions...
      -- Centurion in a letter home from North Africa
         3rd Century
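To make the concern about the "10 attempts in 5 minutes" figure concrete, here is an added example that is not part of the original post or of the Red Hat advisory: a small simulation of a per-source SYN rate limit, modelled (as an assumption) on the iptables `recent` match used in set-then-update fashion, run over a constructed log of one browser opening fresh connections to a web server. The window and hit-count values, the client address and the traffic pattern are all constructed for illustration.

```python
# Added example, not code from the original post or the advisory.
# Models (as an assumption) an iptables rule pair of the form
#   -m recent --name syn --set
#   -m recent --name syn --update --seconds N --hitcount M -j DROP
# applied to TCP SYNs: each SYN is recorded for its source, and the
# SYN is dropped once M or more SYNs from that source (this one
# included) fall inside the last N seconds.
from collections import defaultdict, deque

def simulate(syns, seconds, hitcount):
    """Return a list of (time, src, verdict) for each SYN.

    syns: iterable of (time_in_seconds, source_ip), in chronological order.
    """
    history = defaultdict(deque)   # src -> timestamps of SYNs still in the window
    verdicts = []
    for t, src in syns:
        stamps = history[src]
        stamps.append(t)
        # Forget SYNs that have aged out of the window.
        while stamps and t - stamps[0] > seconds:
            stamps.popleft()
        verdict = "DROP" if len(stamps) >= hitcount else "ACCEPT"
        verdicts.append((t, src, verdict))
    return verdicts

def browser_session(src, pages, per_page, interval):
    """Constructed traffic: `pages` page loads, `interval` seconds apart,
    each opening `per_page` parallel connections (no persistent-connection reuse)."""
    return [(page * interval, src) for page in range(pages) for _ in range(per_page)]

def dropped(verdicts):
    """The (time, src) pairs whose SYN the rule would have dropped."""
    return [(t, src) for t, src, v in verdicts if v == "DROP"]

if __name__ == "__main__":
    client = "192.0.2.10"   # constructed documentation address (TEST-NET-1)
    traffic = browser_session(client, pages=4, per_page=4, interval=60)
    # The quoted policy: 10 connection attempts within 5 minutes (300 s).
    for t, src, v in simulate(traffic, seconds=300, hitcount=10):
        print(f"t={t:4d}s {src} {v}")
    # For comparison, the same traffic against a 10-second window.
    print("drops with 10 s window:", len(dropped(simulate(traffic, 10, 10))))
```

With four page loads a minute apart, the 300-second window drops the tenth connection of the session at t=120 s and every later one, while the same traffic passes untouched under a 10-second window; the function lets you try your own traffic shape and thresholds before deploying such a rule on a host that must stay reachable.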
