From security-advisories@freebsd.org Sat Jan 14 08:33:10 2006 From: FreeBSD Security Advisories To: Bugtraq Date: Wed, 11 Jan 2006 08:19:22 GMT Subject: FreeBSD Security Advisory FreeBSD-SA-06:04.ipfw -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:04.ipfw Security Advisory The FreeBSD Project Topic: ipfw IP fragment denial of service Category: core Module: ipfw Announced: 2006-01-11 Credits: Oleg Bulyzhin Affects: FreeBSD 6.0-RELEASE Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE) 2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2) CVE Name: CVE-2006-0054 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background ipfw(8) is a system facility which provides IP packet filtering, accounting, and redirection. Among the many features, while discarding packets it can perform actions defined by the user, such as sending back TCP reset or ICMP unreachable packets. These operations can be performed by using the reset, reject or uncreach actions. II. Problem Description The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized. III. Impact An attacker can cause the firewall to crash by sending ICMP IP fragments to or through firewalls which match any reset, reject or unreach actions. IV. Workaround Change any reset, reject or unreach actions to deny. It should be noted that this will result in packets being silently discarded. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/sys/netinet/ip_fw2.c 1.106.2.6 RELENG_6_0 src/UPDATING 1.416.2.3.2.7 src/sys/conf/newvers.sh 1.69.2.8.2.3 src/sys/netinet/ip_fw2.c 1.106.2.3.2.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0054 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:04.ipfw.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDxL4vFdaIBMps37IRAmrZAJ4qRzdR0zR0u9ZY5RTTsMF5ZcGBUACfa5Gn 9kbuhOTex8BBlNFRHYCd9e4= =WcS+ -----END PGP SIGNATURE-----