
Re: CVE-2004-0230 RST DoS vulnerability in Lenny?



JW said (in 2010):
> Recently we've had a scanning vendor tell us our Debian Lenny 5.0.3 is 
> vulnerable to CVE-2004-0230:
> 
> TCP/IP Sequence Prediction Blind Reset Spoofing DoS
> 
> "It may be possible to send spoofed RST packets to the remote system."
> 
> " . . . vulnerable to a sequence number
> approximation bug, which may allow an attacker to send
> spoofed RST packets to the remote host and close established
> connections . . . "
> 
> When I tried to look up info about it - one pages lists "Linux" as vulnerable 
> (with no additional information) and I am not able to find anything about 
> Debian's status or relationship to it except possibly for 
> http://www.mail-archive.com/secure-testing-commits@lists.alioth.debian.org/msg01390.html 
> which possibly indicates it's fixed, or someone tried to fix it in 2005.

RFC 5961 provides some SHOULD's for "Improving TCP's Robustness to Blind
In-Window Attacks"

https://tools.ietf.org/html/rfc5961

Linux 3.6 implemented two SHOULD's (and an accompanying challenge ACK
throttling mechanism) in commits 282f23c6ee343126156dd41218b22ece96d747e3 and
0c24604b68fc7810d429d6c3657b6f148270e528

I've seen CVE-2004-0230 in some places (e.g. OP's message) refer just to TCP,
and in other places (e.g. NVD) refer to TCP "when using a large Window Size".
RFC 5961 (and one of the two SHOULD's implemented in Linux) sees to it that
injected RST packets need to guess the exact TCP sequence number, not just fall
within the TCP window.

Is this enough to have Jessie, Stretch and Sid marked as Not Vulnerable at
https://security-tracker.debian.org/tracker/CVE-2004-0230 (provided their
kernels incorporate the fix introduced in 3.6) and start to clean up the mess
that this "issue" has made, or am I off-base in thinking that RFC 5961 should
sufficiently mitigate the (arguably non-) issue that CVE-2004-0230 claims to
be?

Cheers

-- 
Justin
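The point Justin makes about the window, as an added example that is not part of the original thread and not the Linux kernel's code: a pre-RFC 5961 receiver (RFC 793 semantics) accepts any RST whose sequence number falls anywhere in the receive window, so a blind attacker only has to step through the 2^32 sequence space one window at a time; an RFC 5961 section 3.2 receiver resets only on SEQ == RCV.NXT and answers other in-window RSTs with a challenge ACK. The connection state, sweep parameters and the per-second throttle limit are assumed values, and the throttle is a simplified stand-in for the rate limiting the RFC calls for, not the kernel's algorithm.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of processing an incoming RST segment. */
typedef enum { RST_DROP = 0, RST_ACCEPT = 1, RST_CHALLENGE_ACK = 2 } rst_action;

/* Receive-side state of one established connection (simplified; the
 * values used below are assumed for illustration). */
typedef struct {
    uint32_t rcv_nxt; /* next sequence number the receiver expects */
    uint32_t rcv_wnd; /* current receive window, after window scaling */
} tcp_rcv_state;

/* Sequence numbers live in a 2^32 ring, so compare via signed difference. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

static bool seq_in_window(const tcp_rcv_state *c, uint32_t seq)
{
    /* RFC 793 acceptance: RCV.NXT <= SEQ < RCV.NXT + RCV.WND (mod 2^32) */
    return !seq_before(seq, c->rcv_nxt) && seq_before(seq, c->rcv_nxt + c->rcv_wnd);
}

/* Pre-RFC 5961 behaviour: any in-window RST tears down the connection, so a
 * blind attacker needs to land inside the window, not on the exact number. */
rst_action rst_action_rfc793(const tcp_rcv_state *c, uint32_t seq)
{
    return seq_in_window(c, seq) ? RST_ACCEPT : RST_DROP;
}

/* RFC 5961 section 3.2: only SEQ == RCV.NXT resets the connection. An
 * in-window but inexact RST gets a challenge ACK (a genuine peer answers it
 * with a correctly sequenced RST); anything outside the window is dropped. */
rst_action rst_action_rfc5961(const tcp_rcv_state *c, uint32_t seq)
{
    if (seq == c->rcv_nxt)
        return RST_ACCEPT;
    if (seq_in_window(c, seq))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

/* Blind guesses needed to cover the whole sequence space: one per window
 * under RFC 793, one per sequence number under RFC 5961. */
double guesses_to_cover_rfc793(uint32_t rcv_wnd) { return 4294967296.0 / rcv_wnd; }
double guesses_to_cover_rfc5961(void) { return 4294967296.0; }

/* Per-second cap on challenge ACKs: an illustrative token counter standing
 * in for the rate limit RFC 5961 calls for. The limit value is assumed. */
typedef struct {
    uint32_t limit;  /* challenge ACKs allowed per second */
    uint32_t sent;   /* sent so far in the current second */
    uint32_t second; /* the second that `sent` refers to */
} challenge_throttle;

bool challenge_ack_allowed(challenge_throttle *t, uint32_t now_sec)
{
    if (now_sec != t->second) { t->second = now_sec; t->sent = 0; }
    if (t->sent >= t->limit)
        return false;
    t->sent++;
    return true;
}

/* How many of `burst` back-to-back challenge requests in one second pass. */
uint32_t challenge_acks_sent_in_burst(uint32_t limit, uint32_t burst)
{
    challenge_throttle t = { .limit = limit, .sent = 0, .second = 0 };
    uint32_t sent = 0;
    for (uint32_t i = 0; i < burst; i++)
        if (challenge_ack_allowed(&t, 1))
            sent++;
    return sent;
}

/* Replay a blind RST sweep (n segments with SEQ = start + k*step) and count
 * how many produce the wanted action under the chosen policy. */
typedef rst_action (*rst_policy)(const tcp_rcv_state *, uint32_t);
uint32_t count_sweep(rst_policy policy, const tcp_rcv_state *c,
                     uint32_t start, uint32_t step, uint32_t n, rst_action want)
{
    uint32_t hits = 0;
    for (uint32_t k = 0; k < n; k++)
        if (policy(c, start + k * step) == want)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed connection: expects SEQ 1000000 with a 65535-byte window. */
    tcp_rcv_state c = { .rcv_nxt = 1000000, .rcv_wnd = 65535 };
    uint32_t n = 65537; /* steps of one window needed to cover 2^32 */
    printf("RFC 793  accepted RSTs in sweep: %u\n",
           count_sweep(rst_action_rfc793, &c, 0, c.rcv_wnd, n, RST_ACCEPT));
    printf("RFC 5961 accepted RSTs in sweep: %u, challenge ACKs: %u\n",
           count_sweep(rst_action_rfc5961, &c, 0, c.rcv_wnd, n, RST_ACCEPT),
           count_sweep(rst_action_rfc5961, &c, 0, c.rcv_wnd, n, RST_CHALLENGE_ACK));
    printf("guesses to cover space: %.0f (RFC 793) vs %.0f (RFC 5961)\n",
           guesses_to_cover_rfc793(c.rcv_wnd), guesses_to_cover_rfc5961());
    return 0;
}
```

With a 65535-byte window the sweep of one-window steps lands inside the window exactly once and resets the RFC 793 connection, while the RFC 5961 receiver only emits a challenge ACK for that segment; the same sweep would need the full 2^32 values to hit RCV.NXT exactly, and larger scaled windows only widen the gap between the two policies.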
