Vulnerability Note VU#395670
FreeBSD fails to limit number of TCP segments held in reassembly queue
FreeBSD fails to limit the number of TCP segments held in a reassembly queue, which could allow an attacker to exhaust all available memory buffers (mbufs) on the destination system, resulting in a denial-of-service condition.
The Transmission Control Protocol (TCP) is part of the TCP/IP protocol suite and is designed to provide reliable, connection-oriented service. To provide reliable service, TCP processes packets that are delivered out of order so that they can later be reassembled to create the entire TCP segment. There is a vulnerability in the way FreeBSD handles out-of-sequence TCP segments. When the network packets making up a TCP segment are received out of sequence, they are held in a reassembly queue on the destination system so that they can be reordered and reassembled. FreeBSD places no limit on the number of segments held in this queue, so by sending a large number of out-of-sequence TCP packets, an unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system, resulting in a denial-of-service condition.
An unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system, resulting in a denial-of-service condition.
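The following C model is an added example, not FreeBSD's code or the vendor patch. It shows a reassembly queue that holds out-of-sequence segments and refuses further ones once a per-connection limit is reached, so the memory held for one connection stays bounded however many out-of-order segments arrive. The names `reass_input`, `flood` and `REASS_MAXQLEN`, and the limit of 4, are assumptions chosen for illustration.

```c
/* Model of a bounded TCP reassembly queue (added example, not FreeBSD source).
 * Simplifications: sequence-number wraparound and overlap trimming are ignored. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define REASS_MAXQLEN 4            /* hypothetical per-connection cap */
struct seg { uint32_t seq, len; struct seg *next; };
struct conn {
    uint32_t rcv_nxt;              /* next in-order byte expected */
    struct seg *q;                 /* held out-of-order segments, sorted by seq */
    unsigned qlen, dropped;        /* segments held / refused at the cap */
};

/* Returns 1 if the segment was delivered or queued, 0 if it was dropped. */
int reass_input(struct conn *c, uint32_t seq, uint32_t len) {
    if (seq < c->rcv_nxt) return 0;               /* stale data, already delivered */
    if (seq > c->rcv_nxt) {                       /* hole before it: must be held */
        if (c->qlen >= REASS_MAXQLEN) { c->dropped++; return 0; }  /* the limit */
        struct seg *s = malloc(sizeof *s), **pp = &c->q;
        if (!s) { c->dropped++; return 0; }
        while (*pp && (*pp)->seq < seq) pp = &(*pp)->next;   /* keep list sorted */
        s->seq = seq; s->len = len; s->next = *pp; *pp = s;
        c->qlen++;
        return 1;
    }
    c->rcv_nxt += len;                            /* in order: deliver */
    while (c->q && c->q->seq <= c->rcv_nxt) {     /* drain now-contiguous segments */
        struct seg *s = c->q;
        if (s->seq + s->len > c->rcv_nxt) c->rcv_nxt = s->seq + s->len;
        c->q = s->next; free(s); c->qlen--;
    }
    return 1;
}

/* Constructed input: n segments of 100 bytes that all leave a hole at seq 0. */
unsigned flood(struct conn *c, unsigned n) {
    for (unsigned i = 1; i <= n; i++) reass_input(c, i * 100, 100);
    return c->qlen;
}

int main(void) {
    struct conn c = {0};
    unsigned held = flood(&c, 1000);
    printf("held=%u dropped=%u\n", held, c.dropped);
    reass_input(&c, 0, 100);                      /* the missing segment arrives */
    printf("rcv_nxt=%u held=%u\n", (unsigned)c.rcv_nxt, c.qlen);
    return 0;
}
```

Without the `REASS_MAXQLEN` check, every one of the out-of-order segments in the constructed input would be allocated and held until the hole at sequence 0 is filled.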
According to FreeBSD:
Upgrade to the FreeBSD stable branch (4-STABLE) or to the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branch dated after the correction date.
According to FreeBSD:
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc
[FreeBSD 4.8, 4.9]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
Systems Affected
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|FreeBSD|Affected|-|04 Mar 2004|
This vulnerability was reported by iDEFENSE.
This document was written by Damon Morda.
- CVE IDs: CAN-2004-0171
- Date Public: 18 Feb 2004
- Date First Published: 04 Mar 2004
- Date Last Updated: 04 Mar 2004
- Severity Metric: 6.83
- Document Revision: 26