-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                                    
              ESB-1999.003 -- NetBSD Security Advisory 1999-001
              select(2)/accept(2) race condition in TCP servers
                                    
                              21 January 1999

===========================================================================

The NetBSD Foundation, Inc. has released the following advisory concerning
a vulnerability in the way many TCP based network services are provided.
This vulnerability may allow remote attackers to wedge many TCP services
causing denial of service.

- ---------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 1999-001
                 ---------------------------------

Topic:		select(2)/accept(2) race condition in TCP servers
Version:	All current versions of NetBSD
Severity:	Problem may allow denial of service.


Abstract
========

A problem has been identified which allows remote attackers to wedge
many TCP services running on 4.4BSD-derived systems, including X
servers and all services run from inetd.  Other (non-BSD) systems are
believed to be affected as well.


Technical Details
=================

Many TCP servers open a TCP socket in the default blocking mode, use
select(2) to wait for connections, and then accept(2) connections in
blocking mode.  Under some circumstances, the accept(2) may hang
waiting for another connection, denying service to clients trying to
connect to other ports.

The scenario which causes this is:

* Connection is initiated by client; 3WHS completes.
* Server process is awakened and select(2) succeeds.
* Connection is closed by client (e.g. by sending a RST).  Connection
  is removed from accept(2) queue on server.
* Server process does an accept(2), which hangs waiting for a
  connection.

This scenario is sometimes difficult to reproduce, particularly if the
server is very fast and the network is relatively slow.  It is most
effective if the server is slow and/or must do a lot of work between
the select(2) and accept(2).


Solutions and Workarounds
=========================

Two solutions are possible:

1) Modify all TCP servers to use non-blocking listening sockets.
   Unfortunately, this requires changing a large amount of code, much
   of it maintained by third parties.

2) Modify the kernel to not remove sockets from the accept(2) queue
   when they are closed.  A change that implements this has been added
   to NetBSD-current, and is available at:
       ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990120-accept


Thanks To
=========

Thanks go to Fyodor for providing nmap, with which this vulnerability
was discovered.  See http://www.insecure.org/nmap/ for more information.
Thanks to Charles M. Hannum <root@ihack.net> for providing the solution.


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1999, The NetBSD Foundation.  All Rights Reserved.


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNqWj/D5Ru2/4N2IFAQF3AwP7B/sbL1Ar8NCP/vLIaeYq698bSR2SIQRC
21yFSNY7h0qGxpsEtJ0132wIHVYp4Ho3Pbd1308ZOykx22zfZr11IlkgInW8kFKf
7K2yQOc47RAKxyaAZvgR/oqUCQE+FiZ4DYv4WDjkbUluYpcxnHmbhO/tIqbYHJqE
ue/dnlXwvcA=
=GHyB
- -----END PGP SIGNATURE-----

- ----------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNrA74ih9+71yA2DNAQHKsAP+KfBAPW6RIVbUmI0jSGpQI4+msNC5gGsq
Qw6+xc7Gezdl6PfOKvtPaSFZn0FWBtmBK04Xz1L6JYztcT0FS4Ogg8Ra3m6fJRGE
ZypibDrTWJVjI22QyWkLd4HA5hhZnx4LEEaplrx/zSiywLdlhGjqB4EPSPYLQpa8
wAIHZ+wUkI8=
=8Jfz
-----END PGP SIGNATURE-----