COMMAND

    TCP/IP

SYSTEMS AFFECTED

    BSDi 3.1, FreeBSD prior to 2.2.8 and FreeBSD 3.0, OpenBSD 2.3, 2.4

PROBLEM

    The following is based on CERT Advisory CA-98-13. Some systems with
    BSD-derived TCP/IP stacks are vulnerable to a denial-of-service
    attack: intruders can disrupt service or crash systems with
    vulnerable TCP/IP stacks. No special access is required, and
    intruders can use source-address spoofing to conceal their true
    location.

    By  carefully  constructing  a  sequence  of  packets with certain
    characteristics,  an  intruder  can  cause  vulnerable  systems to
    crash,  hang,  or  behave  in  unpredictable  ways.  Specifically,
    intruders  can   use  this   vulnerability  in   conjunction  with
    IP-source-address spoofing to make  it difficult or impossible  to
    know  their  location.   They  can  also  use the vulnerability in
    conjunction with  broadcast packets  to affect  a large  number of
    vulnerable machines with  a small number  of packets.   Any remote
    user can crash or hang  a vulnerable machine, or cause  the system
    to behave in unpredictable ways.  The vulnerability was originally
    discovered by Joel Boutros.

SOLUTION

    You  can  configure  your  router  or  firewall  to  help  prevent
    source-address spoofing.  A  detailed description of this  type of
    filtering is available in RFC 2267.

    Berkeley Software Design, Inc. (BSDI)
    =====================================
    BSDI's current release BSD/OS 4.0 is not vulnerable to this
    problem.  BSD/OS 3.1 is vulnerable and a patch (M310-049) is
    available from:

        http://www.bsdi.com/support/patches
        ftp://ftp.bsdi.com/bsdi/patches/patches-3.1.

    FreeBSD, Inc.
    =============
    FreeBSD versions prior  to 2.2.8 are  vulnerable.  FreeBSD  3.0 is
    also  vulnerable.   FreeBSD  3.0-current  as  of 1998/11/12 is not
    vulnerable.  A patch is available at:

        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/CA-98-13/patch

    The  CERT  advisory  doesn't  go  into  any detail about the exact
    nature of the packets that trigger  the problem.   A cursory  look
    at  the  patch  suggests  that  the  problem  has to do with short
    packets with certain  options set.   Here's the patch  for FreeBSD
    3.0 and 2.2.x:

    RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/ip_input.c,v
    retrieving revision 1.104
    retrieving revision 1.105
    diff -u -r1.104 -r1.105
    --- ip_input.c  1998/10/27 09:19:03     1.104
    +++ ip_input.c  1998/11/11 21:17:59     1.105
    @@ -513,7 +513,7 @@
             */
            if (ip->ip_off & (IP_MF | IP_OFFMASK | IP_RF)) {
                    if (m->m_flags & M_EXT) {               /* XXX */
    -                       if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
    +                       if ((m = m_pullup(m, hlen)) == 0) {
                                    ipstat.ips_toosmall++;
     #ifdef IPDIVERT
                                    frag_divert_port = 0;
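
    Review bot: the pullup to hlen is only safe if hlen has already been
    range-checked (at least sizeof (struct ip) and no larger than the
    datagram's ip_len) before this point; that check is outside the hunk,
    so a one-line comment here pointing at it would show why a hostile
    IHL value cannot make m_pullup ask for more than the packet carries.
    The `/* XXX */` on the `if (m->m_flags & M_EXT)` guard also deserves a
    real comment: the pullup runs only for mbufs with external storage, so
    the non-M_EXT path still depends on the header already being contiguous.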

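    The patch above widens the m_pullup from the fixed header to hlen bytes so
    that the whole header, options included, is contiguous before the fragment
    path touches it. The following is an added example, not code from the
    advisory or from FreeBSD: the same header-length validation written against
    a flat byte buffer, with constructed sample headers (addresses, lengths and
    the enum names are assumptions, not values from the page).

```c
/* Added example, not from the advisory or from FreeBSD: validate that an
 * IPv4 header, options included, is really present before anything reads
 * the options.  It works on a flat byte buffer rather than an mbuf chain,
 * so the patch's "pull up hlen bytes" becomes a plain length comparison.
 * Checksum and fragment handling are out of scope. */
#include <stddef.h>
#include <stdint.h>

#define IP_MIN_HLEN 20   /* fixed IPv4 header without options */

enum ip_check {
    IP_OK = 0,
    IP_TOOSMALL,   /* buffer shorter than the header it claims (cf. ips_toosmall) */
    IP_BADHLEN,    /* IHL < 5: header shorter than its fixed part */
    IP_BADLEN      /* total length shorter than the header length */
};

/* pkt: start of the IPv4 header; avail: bytes actually present in the buffer. */
static enum ip_check ip_check_header(const uint8_t *pkt, size_t avail)
{
    if (avail < IP_MIN_HLEN)                /* cannot even read IHL and length */
        return IP_TOOSMALL;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;              /* IHL in 32-bit words */
    uint16_t ip_len = (uint16_t)((pkt[2] << 8) | pkt[3]);   /* total length */
    if (hlen < IP_MIN_HLEN)
        return IP_BADHLEN;
    if (ip_len < hlen)
        return IP_BADLEN;
    /* Options declared but not present: a sizeof (struct ip) check passes
     * here, the hlen check does not. */
    if (avail < hlen)
        return IP_TOOSMALL;
    return IP_OK;
}

/* Constructed samples: 10.0.0.1 -> 10.0.0.2, TCP, checksum left zero. */
static const uint8_t hdr_opts[24] = {      /* IHL=6, len=24, options NOP NOP NOP EOL */
    0x46, 0x00, 0x00, 0x18, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x01, 0x01, 0x01, 0x00 };
static const uint8_t hdr_badlen[24] = {    /* IHL=6 but total length says 20 */
    0x46, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x01, 0x01, 0x01, 0x00 };
static const uint8_t hdr_badihl[20] = {    /* IHL=2: an 8-byte header is impossible */
    0x42, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06,
    0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
```

    Passing hdr_opts with only 20 bytes available is the case the original
    sizeof (struct ip) pullup would have let through.
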
    OpenBSD
    =======
    Security fixes for this problem are now available for 2.3 and 2.4:

        http://www.openbsd.org/errata23.html#tcpfix
        http://www.openbsd.org/errata.html#tcpfix