===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2668
                   TCP LAST_ACK state memory exhaustion
                              22 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tcp
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5358

Reference:         ESB-2015.1911
                   ESB-2015.1804

Original Bulletin:
   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-009.txt.asc

--------------------------BEGIN INCLUDED TEXT--------------------

                NetBSD Security Advisory 2015-009
                =================================

Topic:          TCP LAST_ACK state memory exhaustion

Version:        NetBSD-current:         source prior to Mon, Jul 24th 2015
                NetBSD 7.0:             not affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.2 - 5.2.3:     affected
                NetBSD 5.1 - 5.1.5:     affected

Severity:       Potential remote denial of service

Fixed:          NetBSD-current:         Jul 24th, 2015
                NetBSD-7 branch:        Jul 24th, 2015
                NetBSD-6 branch:        Jul 24th, 2015
                NetBSD-6-1 branch:      Jul 24th, 2015
                NetBSD-6-0 branch:      Jul 24th, 2015
                NetBSD-5 branch:        Jul 24th, 2015
                NetBSD-5-2 branch:      Jul 24th, 2015
                NetBSD-5-1 branch:      Jul 24th, 2015

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

TCP sockets that remain in the LAST_ACK state may hold resources for an
unspecified amount of time, which may lead to denial of service due to
memory exhaustion.

This vulnerability has been assigned CVE-2015-5358.

Technical Details
=================

When closing a connection, the TCP socket enters the LAST_ACK state, in
which the kernel waits for acknowledgement that the FIN was delivered to
the peer, or for the failure of all packet retransmissions. In certain
circumstances a socket in this state may hold a significant amount of
memory (mbufs), which can be held for an indefinite time because the
"persist" timer responsible for cleaning up that memory was previously
deactivated.

If an attacker is able to make the attacked system's sockets enter that
state, then remote denial of service is possible due to memory exhaustion.

Solutions and Workarounds
=========================

+ Fix from NetBSD autobuild
+--------------------------

The fastest way to upgrade to an unaffected kernel, if you are running
or can run a standard kernel built as part of the NetBSD release process,
is to obtain the corresponding kernel from the daily NetBSD autobuild
output and install it on your system.

You can obtain such kernels from http://nyftp.netbsd.org/pub/NetBSD-daily/
where they are sorted by NetBSD branch, date, and architecture. To fix
a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0 branch, the
most appropriate kernel will be the "netbsd-6-0" kernel. To fix a system
running NetBSD-current, the "HEAD" kernel should be used. In all cases,
a kernel from an autobuild dated newer than the fix date for the branch
you are using must be used to fix the problem.

+ Fix from source
+----------------

For all NetBSD versions, if you want to upgrade to a safe kernel from
source, you need to obtain fixed kernel sources, rebuild and install the
new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your kernel.
In these instructions, replace:

  ARCH       with your architecture (from uname -m), and
  KERNCONF   with the name of your kernel configuration file.
  NEWVERSION with the CVS version of the fix

File versions containing the fix:

 FILE                          HEAD   netbsd-7   netbsd-6   netbsd-6-1  netbsd-6-0
 ----------------------------  -----  ---------  ---------  ----------  ----------
 src/sys/netinet/tcp_input.c   1.179  1.334.2.2  1.321.2.1  1.321.8.1   1.321.6.1
 src/sys/netinet/tcp_output.c  1.184  1.176.2.5  1.173.2.2  1.173.8.2   1.173.6.2

 FILE                          netbsd-5    netbsd-5-2       netbsd-5-1
 ----------------------------  ----------  ---------------  -------------
 src/sys/netinet/tcp_input.c   1.291.4.6   1.291.4.5.6.1    1.291.4.5.2.1
 src/sys/netinet/tcp_output.c  1.167.10.2  1.167.10.1.2.1   1.167.20.2

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r NEWVERSION sys/netinet/tcp_input.c
        # cvs update -d -P -r NEWVERSION sys/netinet/tcp_output.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Matt Thomas for fixing this issue.

Lawrence Stewart (Netflix, Inc.) and Jonathan Looney (Juniper SIRT)
for reporting this issue.

Revision History
================

        2015-10-22      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$Id: NetBSD-SA2015-009.txt,v 1.2 2015/10/22 00:02:31 tonnerre Exp $

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
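
Monitoring for the condition described under Technical Details, as an added example that is not part of the NetBSD advisory or the AusCERT bulletin: the script below reads BSD-style "netstat -an" output and reports, per peer, the sockets in LAST_ACK that still have data queued. The sample lines are constructed, and treating a non-zero Send-Q as the sign of held memory and the byte limit given to last_ack_alert are assumptions.

```shell
#!/bin/sh
# Added example: summarise sockets sitting in LAST_ACK, from netstat text in
# the BSD column layout: Proto Recv-Q Send-Q Local Foreign State.

# Constructed sample input (documentation addresses, not real hosts).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.22          198.51.100.7.51514     ESTABLISHED
tcp        0  33304  192.0.2.10.80          203.0.113.5.40112      LAST_ACK
tcp        0  33304  192.0.2.10.80          203.0.113.5.40113      LAST_ACK
tcp        0      0  192.0.2.10.80          198.51.100.9.60222     LAST_ACK
tcp        0  16652  192.0.2.10.80          203.0.113.8.41000      LAST_ACK
tcp        0      0  192.0.2.10.80          203.0.113.8.41001      TIME_WAIT
EOF
}

# last_ack_summary: reads netstat text on stdin, prints one line per peer:
#   <peer address> <LAST_ACK sockets with queued data> <total Send-Q bytes>
# Assumption: a non-zero Send-Q marks a socket still holding send-buffer
# memory; LAST_ACK sockets with an empty queue are skipped.
last_ack_summary() {
    awk '
        $1 ~ /^tcp/ && $NF == "LAST_ACK" && $3 + 0 > 0 {
            peer = $5
            sub(/\.[0-9]+$/, "", peer)      # drop the trailing ".port"
            count[peer]++
            bytes[peer] += $3
        }
        END {
            for (p in count)
                printf "%s %d %d\n", p, count[p], bytes[p]
        }
    ' | sort
}

# last_ack_alert LIMIT: reads netstat text on stdin; exit status 0 (alert)
# when the Send-Q bytes held by LAST_ACK sockets exceed LIMIT in total.
# LIMIT is a site-specific threshold, not a value from the advisory.
last_ack_alert() {
    last_ack_summary | awk -v limit="$1" '
        { total += $3 }
        END { exit (total > limit) ? 0 : 1 }
    '
}

sample_netstat | last_ack_summary
```

On a live system, pipe the output of netstat -an into last_ack_summary in place of sample_netstat and compare successive runs: entries that persist with the same queued byte count are the ones worth investigating.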