-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-1999.003 -- NetBSD Security Advisory 1999-001
select(2)/accept(2) race condition in TCP servers
21 January 1999
The NetBSD Foundation, Inc. has released the following advisory concerning
a vulnerability in the way many TCP based network services are provided.
This vulnerability may allow remote attackers to wedge many TCP services
causing denial of service.
- ---------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 1999-001
Topic: select(2)/accept(2) race condition in TCP servers
Version: All current versions of NetBSD
Severity: Problem may allow denial of service.
A problem has been identified which allows remote attackers to wedge
many TCP services running on 4.4BSD-derived systems, including X
servers and all services run from inetd. Other (non-BSD) systems are
believed to be affected as well.
Many TCP servers open a TCP socket in the default blocking mode, use
select(2) to wait for connections, and then accept(2) connections in
blocking mode. Under some circumstances, the accept(2) may hang
waiting for another connection, denying service to clients trying to
connect to other ports.
The scenario which causes this is:
* Connection is initiated by client; 3WHS completes.
* Server process is awakened and select(2) succeeds.
* Connection is closed by client (e.g. by sending a RST). Connection
is removed from accept(2) queue on server.
* Server process does an accept(2), which hangs waiting for a
This scenario is sometimes difficult to reproduce, particularly if the
server is very fast and the network is relatively slow. It is most
effective if the server is slow and/or must do a lot of work between
the select(2) and accept(2).
Solutions and Workarounds
Two solutions are possible:
1) Modify all TCP servers to use non-blocking listening sockets.
Unfortunately, this requires changing a large amount of code, much
of it maintained by third parties.
2) Modify the kernel to not remove sockets from the accept(2) queue
when they are closed. A change that implements this has been added
to NetBSD-current, and is available at:
Thanks go to Fyodor for providing nmap, with which this vulnerability
was discovered. See http://www.insecure.org/nmap/ for more information.
Thanks to Charles M. Hannum <firstname.lastname@example.org> for providing the solution.
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 1999, The NetBSD Foundation. All Rights Reserved.
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- ----------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----