Vulnerability Note VU#395670

FreeBSD fails to limit number of TCP segments held in reassembly queue

Original Release date: 04 Mar 2004 | Last revised: 04 Mar 2004

Overview

FreeBSD fails to limit the number of TCP segments held in a reassembly queue which could allow an attacker to exhaust all available memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.

Description

The Transmission Control Protocol (TCP) is part of the TCP/IP protocol suite and designed to provide reliable and connection-oriented service. In order to provide reliable service, TCP is designed to process packets that are delivered out of order so that these packets can later be re-assembled to create the entire TCP segment. There is a vulnerability in the way FreeBSD handles out-of-sequence TCP segments. When network packets making up a TCP segment are received out-of-sequence, these packets are held in a reassembly queue on the destination system so that they can be re-ordered and re-assembled. By sending a large number of out-of-sequence TCP packets, an unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.

Impact

An unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.

Solution

Upgrade

According to FreeBSD:


    Upgrade to the FreeBSD stable branch (4-STABLE) or to the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branch dated after the correction date.

Apply Patch

According to FreeBSD:

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FreeBSDAffected-04 Mar 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by iDEFENSE.

This document was written by Damon Morda.

Other Information

  • CVE IDs: CAN-2004-0171
  • Date Public: 18 Feb 2004
  • Date First Published: 04 Mar 2004
  • Date Last Updated: 04 Mar 2004
  • Severity Metric: 6.83
  • Document Revision: 26

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.