Contributed by jcs on from the get-your-patches dept.
010: RELIABILITY FIX: January 10, 2005
A bug in the tcp(4) stack allows an invalid argument to be used in calculating the TCP retransmit timeout. By sending packets with specific values in the TCP timestamp option, an attacker can cause a system panic.
The patches for 3.5 and 3.6 are available (or will be shortly) from your local FTP mirror. Ryan McBride notes:
"On OpenBSD 3.6 and newer, pf's 'scrub reassemble tcp' TCP timestamp sanity checks provide some (but not complete) protection against this problem."
Your best bet, though, is to apply the patch and recompile your kernel.
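As an added illustration (not part of the original post), here is what the partial pf mitigation Ryan McBride mentions looks like in pf.conf syntax of that era, shown next to the setting that leaves it off. It assumes a 3.6 system where pf is still disabled, so the filter has to be enabled in /etc/rc.conf.local before any scrub rule applies; the rule bodies are constructed for this example, not copied from the project's default configuration.

```conf
# /etc/rc.conf.local  (assumed: pf is off unless this is set)
pf=YES

# /etc/pf.conf -- weak: normalises fragments only, TCP timestamps pass unchecked
scrub in all

# /etc/pf.conf -- corrected: add the stateful TCP normaliser, whose timestamp
# sanity checks the post describes as partial protection for this bug
scrub in all reassemble tcp
pass in all
```

Load it with `pfctl -f /etc/pf.conf` and enable the filter with `pfctl -e`; the post is explicit that this only reduces exposure, and that the kernel patch is the actual fix.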
(Comments are closed)
By Anonymous Coward (131.130.1.143) on
By Anonymous Coward (193.62.218.79) on
By Anonymous Coward (193.167.7.18) on
By Sean Brown (204.209.209.129) on
By Anonymous Coward (131.130.1.143) on
Regards,
j.
By Anonymous Coward (62.65.145.30) on
By tedu (64.173.147.27) on
option 2: i can prevent you from running your code on your computer.
By Rob Sessink (24.132.54.18) rob@animoid-row.org on
By djm (218.214.226.34) on
By Anonymous Coward (216.238.113.174) on
By Anonymous Coward (80.90.29.23) on
supasecure openbsd tcp stack is vuln, what about nbsd/fbsd?
By Valery (195.98.50.58) on
By Frank Denis (213.41.131.17) j@pureftpd.org on http://www.00f.net
By Nicram (62.87.244.34) nicram@bsdzine.org on http://nicram.sytes.net/
By Eduardo Alvarenga (66.110.114.5) eduardo.alvarenga()gmail.com on
People forgot to list it on errata.html.
By x (81.56.211.110) on
By Hunger (213.163.11.138) www-undeadly-org@hunger.hu on http://hunger.hu./
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940
By Brad (65.110.162.62) brad at comstyle dot com on
By Anonymous Coward (67.34.129.203) on
If you want to have something to be paranoid about, go look at Linux kernel....
By Anonymous Coward (195.217.242.33) on
<http://www.openbsd.org/cgi-bin/cvsweb/www/errata.html>
By Brad (204.101.180.70) brad at comstyle dot com on
By OpenBSDFan (207.171.180.101) on
By Jim (68.250.26.213) on
By mcbride (216.187.75.132) on
Hmmm, this is a remotely exploitable kernel memory screw.
No. Why are you making statements like this when you clearly don't understand what's going on?
It's just a bit of bad math that results in the TCP stack attempting to schedule a packet retransmit in the past. A sanity check in timeout(9) notices this, and panic()'s the system rather than continue in a state which doesn't make sense.
Does this count as a remote-root-exploit?
No.
Has it been shown that it can't be, or does someone have to write a proof-of-concept exploit to qualify?
The fact that you're even asking these questions about this particular bug makes it clear to me that you're neither qualified to write such an exploit if it actually was exploitable, nor qualified to understand a proof of non-exploitability if one were presented to you.
In a more general sense, yes. If there is a bug which is obviously not exploitable, I will demand to see a working exploit before I change my mind.
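The comment above explains the failure as bad math that hands the timer code a retransmit deadline in the past, which timeout(9) refuses and turns into a panic. The following C program is an added, simplified model of that path, not OpenBSD's tcp_input.c: it derives an RTT sample from a TCP timestamp echo with the wraparound arithmetic of RFC 1323, runs an RFC 6298 style smoothed estimator, clamps the retransmit timeout to a fixed range, and rejects (rather than panics on) a non-positive deadline. Tick rate, bounds and the sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HZ 100                       /* assumed tick rate for this model   */
#define RTO_MIN_TICKS 1              /* assumed floor for the timeout      */
#define RTO_MAX_TICKS (64 * HZ)      /* assumed ceiling for the timeout    */

/* Smoothed RTT state, scaled integers: srtt in 1/8 tick, rttvar in 1/4 tick. */
struct rtt_state {
    int32_t srtt;
    int32_t rttvar;
    bool    have_sample;
};

/* Derive an RTT sample (ticks) from the echoed timestamp. Timestamps wrap
 * modulo 2^32, so the difference is taken unsigned; a result above INT32_MAX
 * means ts_ecr lies "ahead" of our clock, i.e. it is not a value we could
 * have sent, and the sample is refused instead of going negative. */
bool ts_rtt_sample(uint32_t now, uint32_t ts_ecr, int32_t *rtt)
{
    uint32_t d = now - ts_ecr;
    if (d > (uint32_t)INT32_MAX)
        return false;
    *rtt = (int32_t)d;
    return true;
}

/* The unchecked form of the same subtraction: a sign-cast delta, which is
 * exactly the kind of invalid argument the estimator must never see. */
int32_t ts_rtt_naive(uint32_t now, uint32_t ts_ecr)
{
    return (int32_t)(now - ts_ecr);
}

/* RFC 6298 update with the usual shift scaling; returns the clamped RTO. */
int32_t rto_update(struct rtt_state *st, int32_t rtt)
{
    int32_t delta, rto;

    if (!st->have_sample) {          /* first sample: srtt = R, rttvar = R/2 */
        st->srtt = rtt << 3;
        st->rttvar = rtt << 1;
        st->have_sample = true;
    } else {
        delta = rtt - (st->srtt >> 3);
        st->srtt += delta;           /* srtt += 1/8 * (R - srtt)             */
        if (delta < 0)
            delta = -delta;
        delta -= st->rttvar >> 2;
        st->rttvar += delta;         /* rttvar += 1/4 * (|R - srtt| - rttvar) */
    }
    rto = (st->srtt >> 3) + st->rttvar;   /* srtt + 4 * rttvar, in ticks   */
    if (rto < RTO_MIN_TICKS)
        rto = RTO_MIN_TICKS;
    if (rto > RTO_MAX_TICKS)
        rto = RTO_MAX_TICKS;
    return rto;
}

/* Deadline sanity check in the spirit of what the comment attributes to
 * timeout(9): a retransmit cannot be scheduled in the past. This model
 * returns false so the caller drops the bad sample; the kernel panics. */
bool schedule_retransmit(uint32_t now, int32_t ticks_from_now, uint32_t *deadline)
{
    if (ticks_from_now <= 0)
        return false;
    *deadline = now + (uint32_t)ticks_from_now;
    return true;
}

int main(void)
{
    struct rtt_state st = {0, 0, false};
    uint32_t now = 1000, deadline;
    int32_t rtt, rto;

    if (ts_rtt_sample(now, 990, &rtt)) {            /* sane echo, 10 ticks ago */
        rto = rto_update(&st, rtt);
        printf("rtt=%d rto=%d scheduled=%d\n", rtt, rto,
               schedule_retransmit(now, rto, &deadline));
    }
    if (!ts_rtt_sample(now, 1010, &rtt))            /* echo ahead of our clock */
        printf("refused sample, naive delta would be %d\n",
               ts_rtt_naive(now, 1010));
    return 0;
}
```

The defensive point is the two checks, not the estimator: the sample is validated at the boundary where the peer-controlled value enters, and the scheduler still refuses a non-positive deadline so that a future arithmetic slip is logged and dropped rather than trusted.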
By Anonymous Coward (207.171.180.101) on
The fact that I asked a question before understanding the problem fully does NOT entitle you to step up to the dealer-of-bitch-slaps plate.
Further, I'm a huge fan of OpenBSD, having contributed a fair amount of money (if not much code) to it over the years.
Back down off your soapbox, doofus. We're all on the same team here.
By Anonymous Coward (195.217.242.33) on
<http://www.internetnews.com/dev-news/article.php/3458961>
By Anonymous Coward (64.62.253.241) on
pf is not on by default so a 3.6 machine is remotely DoS'able. Cheers!
By Brad (216.220.57.68) brad at comstyle dot com on
By Anonymous Coward (81.165.99.242) on