From security-advisories@freebsd.org Thu Apr 18 12:52:36 2002 From: FreeBSD Security Advisories To: Bugtraq Date: Wed, 17 Apr 2002 12:23:42 -0700 (PDT) Subject: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:21.tcpip Security Advisory FreeBSD, Inc. Topic: routing table memory leak Category: core Module: net Announced: 2002-04-17 Credits: Jayanth Vijayaraghavan Ruslan Ermilov Affects: FreeBSD 4.5-RELEASE FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC and prior to the correction date Corrected: 2002-03-22 16:54:19 UTC (RELENG_4) 2002-04-15 17:12:08 UTC (RELENG_4_5) FreeBSD only: YES I. Background The TCP/IP stack's routing table records information about how to reach various destinations. The first time a TCP connection is established with a particular host, a so-called "cloned route" entry for that host is automatically derived from one of the predefined routes and added to the table. Each entry has a reference count that indicates how many existing connections use that entry; when the reference count reaches zero, the entry is removed from the table. II. Problem Description A bug was introduced into ip_output() wherein the processing of an ICMP echo reply message would cause a reference count on a routing table entry to never be decremented. Thus, memory allocated for the routing table entry was never deallocated. III. Impact This bug could be exploited to effect a remote denial of service attack. An attacker could cause new routing table entries (for example, by taking advantage of TCP's route cloning behavior) and then utilize this bug to cause the route entry to never be deallocated. In this fashion, the target system's memory can be exhausted. IV. Workaround Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo messages. V. Solution 1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or the RELENG_4_5 security branch dated after the respective correction dates. 2) To patch your present system: a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [4.5-RELEASE, 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- sys/netinet/ip_icmp.c RELENG_4 1.39.2.16 RELENG_4_5 1.39.2.14.2.1 sys/netinet/ip_mroute.c RELENG_4 1.56.2.4 RELENG_4_5 1.56.2.3.2.1 sys/netinet/ip_output.c RELENG_4 1.99.2.29 RELENG_4_5 1.99.2.24.2.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPL3IEFUuHi5z0oilAQE56AP/X0tJA/Q0y42JDqxI2A0NRnKyR5YWoH8D i3izr0MxMTyPnuWg+uZHZhr/ve2AS2mTfNi7do0Ehdw0U2CEMnPKEVLMqt7kMFmL i+ib4HCijb4RWn3WEC6ueO14SQDCB+X9w/yCVEfeHMWd2PrQWtDoCPmurOuQCz4W IFu9kJLMhMA= =qsYz -----END PGP SIGNATURE-----