FreeBSD fails to limit the number of TCP segments held in a reassembly queue which could allow an attacker to exhaust all available memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.
The Transmission Control Protocol (TCP) is part of the TCP/IP protocol suite and designed to provide reliable and connection-oriented service. In order to provide reliable service, TCP is designed to process packets that are delivered out of order so that these packets can later be re-assembled to create the entire TCP segment. There is a vulnerability in the way FreeBSD handles out-of-sequence TCP segments. When network packets making up a TCP segment are received out-of-sequence, these packets are held in a reassembly queue on the destination system so that they can be re-ordered and re-assembled. By sending a large number of out-of-sequence TCP packets, an unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.
An unauthenticated, remote attacker could exhaust all memory buffers (mbufs) on the destination system resulting in a denial-of-service condition.
According to FreeBSD:
This vulnerability was reported by iDEFENSE
This document was written by Damon Morda.
|Date First Published:||2004-03-04|
|Date Last Updated:||2004-03-04 20:08 UTC|