Date: Tue, 6 Nov 2001 09:18:50 -0700
From: Support Info <[email protected]>
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2001-38.0] Linux - syncookies firewall breaking problem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux - syncookies firewall breaking problem
Advisory number: CSSA-2001-038.0
Issue date: 2001, November 05
Cross reference:
______________________________________________________________________________
1. Problem Description
The Linux kernel implements a method called 'syn cookies' to avoid
denial of service attacks by using a stateless connection setup.
There is also a common form of firewalls, which are based on SYN
filtering to block only incoming TCP connections, but let outgoing
connections pass.
Unfortunately the syncookies design allows a remote attacker to
bypass SYN filtering firewalls in case there is one open port which
the attacker can flood.
The Linux 2.2 and 2.4 kernels had the syncookies state as a systemwide
global, so it was enabled for all sockets at once in case of flood to
an open port, allowing a remote attacker to gain access to firewalled
ports, effectively bypassing the firewall.
Even though the attack requires a very large number of IP packets,
it is not unthinkable for a determined attacker to exploit this problem.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux 2.3 All packages previous to
linux-2.2.10-14
OpenLinux eServer 2.3.1 All packages previous to
and OpenLinux eBuilder linux-2.2.14-13S
OpenLinux eDesktop 2.4 All packages previous to
linux-2.2.14-9
OpenLinux Server 3.1 All packages previous to
linux-2.4.2-14S
OpenLinux Workstation 3.1 All packages previous to
linux-2.4.2-14D
3. Solution
Workaround
Disable syncookies by doing:
echo -n 0 > /proc/sys/net/ipv4/tcp_syncookies
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
f112b7346070972c44770b562df912db linux-kernel-binary-2.2.10-14.i386.rpm
7a8d2803e68227576998b9c12fb90976 linux-kernel-doc-2.2.10-14.i386.rpm
8c9a3a28c69d03efb6e325e1f83eca9a linux-kernel-include-2.2.10-14.i386.rpm
29020f946a358838cde15d54ee6a294c linux-source-alpha-2.2.10-14.i386.rpm
0a841ec165ee97425afb8d86f74a2eb4 linux-source-arm-2.2.10-14.i386.rpm
dead286ad1491ceccabde12fd24eab88 linux-source-common-2.2.10-14.i386.rpm
b8e37b6be024ceb02dbcff7e9191e067 linux-source-i386-2.2.10-14.i386.rpm
9789e6ea513b88f8dbdf4fd58405c69f linux-source-m68k-2.2.10-14.i386.rpm
14ae8aa4e6e075b1ce891048b4eb25ed linux-source-mips-2.2.10-14.i386.rpm
d85b4cc17890c262a776bef9c100aa07 linux-source-ppc-2.2.10-14.i386.rpm
9a4398514eea89a9cae7bd28038b7d6b linux-source-sparc-2.2.10-14.i386.rpm
5f0c0e296f83cc1a0ed8e8f2b03087ba linux-source-sparc64-2.2.10-14.i386.rpm
25901d75de5b22e8eda388895a261564 pcmcia-cs-3.0.14-5.i386.rpm
dfe1a96017b6a43949d740a5a2f17369 linux-2.2.10-14.src.rpm
f07c67c7eeb6778d2b7320591bbecd14 pcmcia-cs-3.0.14-5.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh --force linux-kernel-binary-2.2.10-14.i386.rpm \
linux-kernel-doc-2.2.10-14.i386.rpm \
linux-kernel-include-2.2.10-14.i386.rpm \
linux-source-alpha-2.2.10-14.i386.rpm \
linux-source-arm-2.2.10-14.i386.rpm \
linux-source-common-2.2.10-14.i386.rpm \
linux-source-i386-2.2.10-14.i386.rpm \
linux-source-m68k-2.2.10-14.i386.rpm \
linux-source-mips-2.2.10-14.i386.rpm \
linux-source-ppc-2.2.10-14.i386.rpm \
linux-source-sparc-2.2.10-14.i386.rpm \
linux-source-sparc64-2.2.10-14.i386.rpm \
pcmcia-cs-3.0.14-5.i386.rpm
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
e2f0150caeb4d7318716d05d5d4cb32e linux-kernel-binary-2.2.14-13S.i386.rpm
9c0940b9a84ff72c8a40e8a10add3d4b linux-kernel-doc-2.2.14-13S.i386.rpm
8cdfa9651a5e75d04a095696d4681663 linux-kernel-include-2.2.14-13S.i386.rpm
db564909d2065c238271ae63c9ffd49a linux-source-alpha-2.2.14-13S.i386.rpm
4f80288d523347ec39e9cc38e7230f50 linux-source-arm-2.2.14-13S.i386.rpm
9c915c6026e86680299522da3e053e72 linux-source-common-2.2.14-13S.i386.rpm
c7f9415335c293a9878b18abb5ed1864 linux-source-i386-2.2.14-13S.i386.rpm
3218946ecbd2b98c6661770757fa4e8d linux-source-m68k-2.2.14-13S.i386.rpm
6ab8925bdf73efe2b014ebcd3c2188bc linux-source-mips-2.2.14-13S.i386.rpm
035a4e5970bf0dc709c301daf751bc67 linux-source-ppc-2.2.14-13S.i386.rpm
d611132b945774cb4b3a0e57ef323f1b linux-source-sparc-2.2.14-13S.i386.rpm
3b4048225724cab325a247d66bac2afe linux-source-sparc64-2.2.14-13S.i386.rpm
d653ecbe3fa48e87f6c6ebbce81d8345 pcmcia-cs-3.1.4-5.i386.rpm
222e40903ce9f4fa823485984764369e linux-2.2.14-13S.src.rpm
d78e703763fe9828627006706d65292e pcmcia-cs-3.1.4-5.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh linux-kernel-binary-2.2.14-13S.i386.rpm \
linux-kernel-doc-2.2.14-13S.i386.rpm \
linux-kernel-include-2.2.14-13S.i386.rpm \
linux-source-alpha-2.2.14-13S.i386.rpm \
linux-source-arm-2.2.14-13S.i386.rpm \
linux-source-common-2.2.14-13S.i386.rpm \
linux-source-i386-2.2.14-13S.i386.rpm \
linux-source-m68k-2.2.14-13S.i386.rpm \
linux-source-mips-2.2.14-13S.i386.rpm \
linux-source-ppc-2.2.14-13S.i386.rpm \
linux-source-sparc-2.2.14-13S.i386.rpm \
linux-source-sparc64-2.2.14-13S.i386.rpm \
pcmcia-cs-3.1.4-5.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
3274fe3fbb7b302d6d0bee7186820fef hwprobe-20000214-6.i386.rpm
064ebec44665beb14eaa85ad4ecfc838 iBCS-2.1-12.i386.rpm
d87d3c6f0cb937a0e51e68c6984b2c62 iBCS-extras-2.1-12.i386.rpm
7fd4443b17bc58f072572548b3c54886 iBCS-module-2.1_2.2.14-12.i386.rpm
4366e46e2ff02f9dadde291a483f1cf2 linux-kernel-binary-2.2.14-9.i386.rpm
d54b1d4e4ad58022d5298e8c5359dad9 linux-kernel-doc-2.2.14-9.i386.rpm
320d182140b90c771993b031c66f2d4a linux-kernel-include-2.2.14-9.i386.rpm
ad69ebbc9d8ee30de552e81f5c3b3cdf linux-source-alpha-2.2.14-9.i386.rpm
3f5434fc2fe4486e258a5981cd65dc36 linux-source-arm-2.2.14-9.i386.rpm
a8fc5f92bf99b27674772966f390ce1d linux-source-common-2.2.14-9.i386.rpm
6fd8bde1cd3caf58195f6be09983a9cf linux-source-i386-2.2.14-9.i386.rpm
997e6d546da8149c8a9b4e78932a3ab5 linux-source-m68k-2.2.14-9.i386.rpm
27dcf591ef399c3b1a02011900cf92e3 linux-source-mips-2.2.14-9.i386.rpm
ce4998917dcded5161b954672b9e7728 linux-source-ppc-2.2.14-9.i386.rpm
7b258bc6c66ac6d9305bc71e41ecd24c linux-source-sparc-2.2.14-9.i386.rpm
fb5d48c243c3b10067f59f58f6f922f4 linux-source-sparc64-2.2.14-9.i386.rpm
d4fbca082ccb49d9a9ed26b2e4868767 pcmcia-cs-3.1.8-5.i386.rpm
b5465215f5dbe5c430e684a9899af9f7 hwprobe-20000214-6.src.rpm
ccbfc2eab5d5111866abcba90e551116 iBCS-2.1-12.src.rpm
ada8415ed350c5013bf29fc84931741b linux-2.2.14-9.src.rpm
14b4fb11304a0083ee44edd27dba4543 pcmcia-cs-3.1.8-5.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh hwprobe-20000214-6.i386.rpm iBCS-2.1-12.i386.rpm \
iBCS-extras-2.1-12.i386.rpm \
iBCS-module-2.1_2.2.14-12.i386.rpm \
linux-kernel-binary-2.2.14-9.i386.rpm \
linux-kernel-doc-2.2.14-9.i386.rpm \
linux-kernel-include-2.2.14-9.i386.rpm \
linux-source-alpha-2.2.14-9.i386.rpm \
linux-source-arm-2.2.14-9.i386.rpm \
linux-source-common-2.2.14-9.i386.rpm \
linux-source-i386-2.2.14-9.i386.rpm \
linux-source-m68k-2.2.14-9.i386.rpm \
linux-source-mips-2.2.14-9.i386.rpm \
linux-source-ppc-2.2.14-9.i386.rpm \
linux-source-sparc-2.2.14-9.i386.rpm \
linux-source-sparc64-2.2.14-9.i386.rpm \
pcmcia-cs-3.1.8-5.i386.rpm
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
7.2 Verification
87b5f36b72bb16e6e834c59233106b37 linux-kernel-binary-2.4.2-14S.i386.rpm
5188757fbd1cbcc307d53c0bbbba6aed linux-kernel-include-2.4.2-14S.i386.rpm
4723ba116d77e1afaaab9108d4f67392 linux-source-alpha-2.4.2-14S.i386.rpm
8d5b667a2238e549d01523a9028d0def linux-source-arm-2.4.2-14S.i386.rpm
7b1040fce5eb2c13069f12e0f98f459f linux-source-common-2.4.2-14S.i386.rpm
d4d72adbd977c3cd736d6d292fa96f66 linux-source-i386-2.4.2-14S.i386.rpm
e13ee045818e08ea58ebac07e3a7683b linux-source-ia64-2.4.2-14S.i386.rpm
63f8af9364b41a5ed8529922b2b86085 linux-source-m68k-2.4.2-14S.i386.rpm
1efcb66cef3cfb73267bc383192977e5 linux-source-mips-2.4.2-14S.i386.rpm
eb531f7e844276dadcfb64a61e14d91b linux-source-ppc-2.4.2-14S.i386.rpm
bdbb2c789f16563881f1bb24384a1e13 linux-source-s390-2.4.2-14S.i386.rpm
afab346de67d5298b680d9f3f585df85 linux-source-sparc-2.4.2-14S.i386.rpm
4365699de967a365b09f92f683447b90 linux-source-superH-2.4.2-14S.i386.rpm
38226719588775988ffdd5db0adacb10 linux-2.4.2-14S.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh linux-kernel-binary-2.4.2-14S.i386.rpm \
linux-kernel-include-2.4.2-14S.i386.rpm \
linux-source-alpha-2.4.2-14S.i386.rpm \
linux-source-arm-2.4.2-14S.i386.rpm \
linux-source-common-2.4.2-14S.i386.rpm \
linux-source-i386-2.4.2-14S.i386.rpm \
linux-source-ia64-2.4.2-14S.i386.rpm \
linux-source-m68k-2.4.2-14S.i386.rpm \
linux-source-mips-2.4.2-14S.i386.rpm \
linux-source-ppc-2.4.2-14S.i386.rpm \
linux-source-s390-2.4.2-14S.i386.rpm \
linux-source-sparc-2.4.2-14S.i386.rpm \
linux-source-superH-2.4.2-14S.i386.rpm
/sbin/depmod -a
8. OpenLinux 3.1 Workstation
8.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS
8.2 Verification
b170636148d3d057237913b3870d916f linux-kernel-binary-2.4.2-14D.i386.rpm
a1f3dd1fe8ac717999a8fc963227c40e linux-kernel-include-2.4.2-14D.i386.rpm
b033e7f2b3bea97b65b636cc5ab67de9 linux-source-alpha-2.4.2-14D.i386.rpm
c8fd9e36df0d6008fad4c3beb31e3bdb linux-source-arm-2.4.2-14D.i386.rpm
452b0df69c68d10f3bdac57c08e9cf17 linux-source-common-2.4.2-14D.i386.rpm
d7e8c4157df7a7b9bb0116f673c67b1d linux-source-i386-2.4.2-14D.i386.rpm
25911c50aa631b48712da3b877eb4c72 linux-source-ia64-2.4.2-14D.i386.rpm
3ea9d607e08b15ff646d45100754c05f linux-source-m68k-2.4.2-14D.i386.rpm
339be8f2e0fd2eafefb41c256acf0412 linux-source-mips-2.4.2-14D.i386.rpm
47ce33f13fde399aa62b0d20b677150b linux-source-ppc-2.4.2-14D.i386.rpm
9a3f948f6e104bb7bbc8c2105b218bcf linux-source-s390-2.4.2-14D.i386.rpm
fa3416e60a2af27c529a72cf446885ed linux-source-sparc-2.4.2-14D.i386.rpm
07f6fc32a1002845413fc77bdd7c61f0 linux-source-superH-2.4.2-14D.i386.rpm
1d13bd90b32d5fa065b0afa2484df0f2 linux-2.4.2-14D.src.rpm
8.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
/sbin/modprobe loop
rpm -Fvh linux-kernel-binary-2.4.2-14D.i386.rpm \
linux-kernel-include-2.4.2-14D.i386.rpm \
linux-source-alpha-2.4.2-14D.i386.rpm \
linux-source-arm-2.4.2-14D.i386.rpm \
linux-source-common-2.4.2-14D.i386.rpm \
linux-source-i386-2.4.2-14D.i386.rpm \
linux-source-ia64-2.4.2-14D.i386.rpm \
linux-source-m68k-2.4.2-14D.i386.rpm \
linux-source-mips-2.4.2-14D.i386.rpm \
linux-source-ppc-2.4.2-14D.i386.rpm \
linux-source-s390-2.4.2-14D.i386.rpm \
linux-source-sparc-2.4.2-14D.i386.rpm \
linux-source-superH-2.4.2-14D.i386.rpm
/sbin/depmod -a
9. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 10835.
10. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.
11. Acknowledgements
Caldera International Inc. wants to thank Andi Kleen of SuSE for
spotting and sending a patch and David Miller for refining it.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE75qM/18sy83A/qfwRAmQWAJ9+1yMqGz7TmiV5qO1bvgYpQjASuQCgtP6q
+bK2B7diVD8AM78+qv5yYkI=
=8D+y
-----END PGP SIGNATURE-----