
Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers)


Brahmanand Reddy

Jan 11, 2018, 12:24:45 PM
>
> Dear Team,
>
> Thanks for responding.
>
> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
> sequence numbers*) latest patch.
>
> the original problem reported on :
> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>
> below list of similar CVEs
>
> CVE-2001-0328
> CVE-1999-0077
> CVE-2000-0916
>
>
> Thanks and regards,
> Brahma
>
> On Thu, Jan 11, 2018 at 7:37 PM, <freebsd-sec...@freebsd.org>
> wrote:
>
>> Your request to the freebsd-security mailing list
>>
>> Posting of your message titled "Need FreeBSD-SA-00:52 patch on
>> FreeBSd 10.2 Kernel"
>>
>> has been rejected by the list moderator. The moderator gave the
>> following reason for rejecting your request:
>>
>> "As noted in the rejection message for the attempt to post to
>> freebsd-security-notifications, that list is only for messages from
>> the FreeBSD Security Officer. Accordingly, it should never be Cc:ed
>> on a message from anyone else.
>>
>> You may re-submit your message without the Cc:, but you should be
>> aware that FreeBSD-10.2 reached end-of-life 31 December, 2016 -- just
>> over a year ago (Please refer to
>> https://www.freebsd.org/security/unsupported.html).
>>
>> -- postm...@freebsd.org"
>>
>> Any questions or comments should be directed to the list administrator
>> at:
>>
>> freebsd-sec...@freebsd.org
>>
>
>
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"

Brahmanand Reddy

Jan 11, 2018, 8:55:22 PM
Hi Kurt,

Thanks a lot for responding to my mail.

Please explain why you think this should be an issue for FreeBSD 10.2 ?

Currently I am using 10.2 and 10.4, and I found this problem/vulnerability
still exists using the script below:

#!/usr/local/bin/python
import random
from scapy.all import *

# VARIABLES
src = str(input('IP SRC: '))
dst = str(input('IP DST: '))

sport = random.randint(1024, 65535)
dport = int(input("DST PORT: "))


# SYN
ip = IP(src=src, dst=dst)
SYN = TCP(sport=sport, dport=dport, flags='S', seq=random.randint(1024, 1048576), ack=0)
SYNACK = sr1(ip/SYN)
print('Seq1 Number is :', SYNACK[TCP].seq)    # Seq1

# RST (sequence number taken from the ack field of the received SYN-ACK)
RST = TCP(sport=sport, dport=dport, flags='R', seq=SYNACK.ack, ack=0)
send(ip/RST)

# SYN
SYN2 = TCP(sport=sport, dport=dport, flags='S', seq=random.randint(1024, 1048576), ack=0)
SYNACK2 = sr1(ip/SYN2)
print('Seq2 Number is :', SYNACK2[TCP].seq)   # Seq2: the same ISN number I observed/received

I mean seq1 = seq2: the TCP ISN is being reused.

I think the patch is available on 10.4 onwards, but I didn't find an
exact/similar patch at https://www.freebsd.org/security/patches/

It would be great to confirm which corresponding latest patch solves this
problem. Kindly correct me on anything I am missing.


Sincerely,
Brahma




On Thu, Jan 11, 2018 at 10:45 PM, Kurt Jaeger <p...@freebsd.org> wrote:

> Hi!
>
> > Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
> > sequence numbers*) latest patch.
> >
> > the original problem reported on :
> > https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>
> That's a security announcement for FreeBSD 3.x to 5.x.
>
> Please explain why you think this should be an issue for FreeBSD 10.2 ?
>
> And, by the way: FreeBSD 10.2 is an old, no-longer supported version.
>
> https://www.freebsd.org/releases/
>
> lists which versions are still supported.
>
> --
> p...@FreeBSD.org +49 171 3101372 2 years to go !

Lowell Gilbert

Jan 11, 2018, 9:21:09 PM
Brahmanand Reddy <brahm...@gmail.com> writes:

>>
>> Dear Team,
>>
>> Thanks for responding.
>>
>> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
>> sequence numbers*) latest patch.
>>
>> the original problem reported on :
>> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>>
>> below list of similar CVEs
>>
>> CVE-2001-0328
>> CVE-1999-0077
>> CVE-2000-0916
>>
>>
>> Thanks and regards,
>> Brahma

Those reports were fixed in FreeBSD almost 20 years ago,
so you already have the fixes.

Moreover, it seems silly to worry about minor security
patches when you're running a FreeBSD release that has
been out of support for over a year.

Brahmanand Reddy

Jan 11, 2018, 10:45:25 PM
Hi Lowell,

Yes, it has been fixed 20 years back, but this patch is not available in the
10.2/10.4 source code, and the problem still exists on 10.4 too. Please find
below a snip of the patch:


Index: tcp_seq.h
===================================================================
RCS file: /usr2/ncvs/src/sys/netinet/tcp_seq.h,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- tcp_seq.h 1999/12/29 04:41:02 1.11
+++ tcp_seq.h 2000/09/29 01:37:19 1.12
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_seq.h 8.3 (Berkeley) 6/21/95
- * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.11 1999/12/29 04:41:02 peter
Exp $
+ * $FreeBSD: src/sys/netinet/tcp_seq.h,v 1.12 2000/09/29 01:37:19 kris Exp
$
*/

#ifndef _NETINET_TCP_SEQ_H_
@@ -91,7 +91,7 @@
* number in the range [0-0x3ffff] that is hard to predict.
*/
#ifndef tcp_random18
-#define tcp_random18() ((random() >> 14) & 0x3ffff)
+#define tcp_random18() (arc4random() & 0x3ffff)
#endif
#define TCP_ISSINCR (122*1024 + tcp_random18())

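Review bot: the `+` line in this hunk, `#define tcp_random18() (arc4random() & 0x3ffff)`, also corrects a range bug that the commit message should record: random(3) returns at most 31 bits, so `(random() >> 14) & 0x3ffff` left only 17 bits and could never produce a value above 0x1ffff, not the `[0-0x3ffff]` promised by the comment two lines above. The remaining caveat is the unchanged `#define TCP_ISSINCR (122*1024 + tcp_random18())`: a constant increment plus 18 random bits narrows the advisory's ISN predictability but does not remove it, so the comment should say this is a mitigation rather than a fix, or the increment should come from a keyed hash of the connection identifiers as RFC 1948 describes.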
Index: tcp_subr.c
===================================================================
RCS file: /usr2/ncvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- tcp_subr.c 2000/09/25 23:40:22 1.80
+++ tcp_subr.c 2000/09/29 01:37:19 1.81
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
- * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.80 2000/09/25 23:40:22
bmilekic Exp $
+ * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.81 2000/09/29 01:37:19 kris
Exp $
*/

#include "opt_compat.h"
@@ -178,7 +178,7 @@
{
int hashsize;

- tcp_iss = random(); /* wrong, but better than a constant */
+ tcp_iss = arc4random(); /* wrong, but better than a constant */
tcp_ccgen = 1;
tcp_cleartaocache();

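Review bot: the comment `/* wrong, but better than a constant */` is carried over verbatim onto the `+` line even though the seed source changed, so the next reader cannot tell whether swapping random() for arc4random() was meant to close the advisory or only narrow it. Update it to state what is still wrong (tcp_iss is seeded once in this initialisation function and afterwards advances deterministically apart from tcp_random18()) and what the intended follow-up is. Also worth confirming in review that arc4random() has been seeded by the time this initialisation routine runs at boot; if the generator is not yet initialised, the ISN is no better than the constant it replaced.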
I suspect the patch is released in 10.4 and above, but I didn't find the exact
/corresponding one at https://www.freebsd.org/security/patches/

I would expect confirmation of the relevant patch for this problem.

Kindly correct me on anything missing.


Regards,
Brahma

Peter Jeremy

Jan 12, 2018, 1:15:41 AM
On 2018-Jan-12 08:16:38 +0530, Brahmanand Reddy <brahm...@gmail.com> wrote:
>Yes, it has been fixed 20 years back, but this patch is not available in the
>10.2/10.4 source code, and the problem still exists on 10.4 too. Please find
>below a snip of the patch:

That code (now r66433) has been completely superseded by r82122 so the
code no longer exists in that form. Please advise what problem you
believe still exists in FreeBSD 10.4.

--
Peter Jeremy

Peter Jeremy

Jan 12, 2018, 2:42:00 AM
On 2018-Jan-12 12:33:21 +0530, Brahmanand Reddy <brahm...@gmail.com> wrote:
>TCP uses weak initial sequence numbers
>https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc

As has been pointed out to you several times in this thread, that SA is
nearly 20 years old and there is no evidence that TCP on any recent FreeBSD
uses weak ISNs.

>actually "arc4random()" will take care of it at
>https://github.com/freebsd/freebsd/blob/master/sys/netinet/tcp_subr.c#L2374

Without studying the code in detail, that code appears to correctly use
arc4random() to initialise the ISN - which is as expected.

> I suspect 10.4 already has the fix... but I didn't find exactly
>which one fixes this problem at https://www.freebsd.org/security/patches/

Well, the original patch is
https://www.freebsd.org/security/patches/SA-00%3A52/ and was committed
as what is now https://svnweb.freebsd.org/base?view=revision&revision=66433
Since that patch is integrated into the FreeBSD codebase, there's no need
to update the contents of https://www.freebsd.org/security/patches/SA-00%3A52/
and it is not relevant to the current codebase.

> I would like to know where the fix is in the 10.4 kernel.

That code was re-written in r82122, retaining the use of arc4random() for
ISN initialisation. As a result, it's no longer possible to point at
specific code and say "that code fixes weak TCP ISNs".

--
Peter Jeremy

Brahmanand Reddy

Jan 17, 2018, 11:17:20 AM
Hi Peter,

My last question on this: recently "Replaced the kernel RC4 (arc4random)
with Chacha20" on the 11.0 kernel; should we apply it on the 10.4 kernel?
Please find the corresponding review and fix:
https://reviews.freebsd.org/D10048 and https://reviews.freebsd.org/rS317015


Thanks in advance,
Brahma

Kevin Day

Jan 17, 2018, 12:25:18 PM
I think the confusion here is that your test program below has a bug - your RST packet is invalid so it's not closing the socket on the other side.

If you look at how a normal RST is generated:

17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win 65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack 472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 472216886, win 0, length 0

Notice that the third packet (the RST packet) uses the sequence number that the SYN had plus 1. Your program is using the SYNACK packet's sequence number in the RST, which would look like this instead:


17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win 65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack 472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 3592434473, win 0, length 0

The dst system is treating this as an invalid RST packet because the sequence number is incorrect and completely ignoring it, leaving the socket still half open. When you send the SYN2 packet with the same source and destination port, and the dst system still has the socket open, it's going to repeat the same SYNACK back to you.

If you change your program to send a RST with a sequence of the initial SYN plus 1, you'll actually reset the connection and see the behavior you're looking for. You're seeing the same ISN because your RST isn't closing the connection on the other side, so the dst system is still trying to open the original socket.
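A way to check a captured handshake for exactly the mistake described above, added here as an example and not code from the thread or from FreeBSD: it parses tcpdump-style summary lines like the ones quoted and reports whether the client's RST carries the sequence number the server will accept (the SYN's ISN + 1, which is the value the SYN-ACK acknowledges), or whether it was copied from the server's own ISN. The sample lines are constructed from the exchange above; the function and status names are my own, and the in-window classification follows the classic RFC 793 acceptance rule (RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND), which hosts implementing RFC 5961 tighten to an exact match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the one-line tcpdump TCP summary used in the thread:
# "<ts> IP src.port > dst.port: Flags [..], seq N[, ack M][, win W], length L"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?(?:, win (?P<win>\d+))?, length (?P<length>\d+)$"
)

MOD32 = 0xFFFFFFFF


@dataclass
class Segment:
    src: str
    dst: str
    flags: str
    seq: int
    ack: Optional[int]
    win: Optional[int]


def parse_line(line: str) -> Segment:
    """Parse one tcpdump summary line into a Segment (hypothetical helper name)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    return Segment(
        src=m["src"], dst=m["dst"], flags=m["flags"], seq=int(m["seq"]),
        ack=int(m["ack"]) if m["ack"] else None,
        win=int(m["win"]) if m["win"] else None,
    )


def check_handshake_reset(lines: List[str]) -> Tuple[str, str]:
    """Classify a SYN / SYN-ACK / RST triple (hypothetical helper name).

    Returns (status, explanation). Status values:
      "ok"                   RST seq == client ISN + 1: the server tears the connection down
      "rst_uses_server_isn"  RST seq was copied from the SYN-ACK's seq (the bug in the thread)
      "rst_in_window"        RST seq is inside the server's receive window but not exact
      "rst_out_of_window"    RST seq is outside the window: the server silently ignores it
      "synack_mismatch"      the SYN-ACK does not acknowledge the SYN that was sent
      "bad_flags"            the three lines are not SYN, SYN-ACK, RST between the same peers
    """
    syn, synack, rst = (parse_line(line) for line in lines)
    if not (syn.flags == "S" and synack.flags == "S." and rst.flags == "R"):
        return "bad_flags", "expected SYN, SYN-ACK, RST in that order"
    if synack.src != syn.dst or synack.dst != syn.src or rst.src != syn.src:
        return "bad_flags", "segments are not exchanged between the expected endpoints"

    expected = (syn.seq + 1) & MOD32            # client's SND.NXT after its SYN
    if synack.ack != expected:
        return "synack_mismatch", f"SYN-ACK acks {synack.ack}, expected {expected}"

    if rst.seq == expected:
        return "ok", f"RST seq {rst.seq} == SYN ISN + 1; server will reset the half-open connection"
    if rst.seq == synack.seq:
        return ("rst_uses_server_isn",
                f"RST seq {rst.seq} is the server's ISN from the SYN-ACK, not {expected}; "
                "the server ignores it and keeps the half-open connection, so a repeated SYN "
                "is answered with the same SYN-ACK")

    # Server's receive window as advertised in its SYN-ACK; RCV.NXT is `expected`.
    rcv_wnd = synack.win or 0
    offset = (rst.seq - expected) & MOD32
    if offset < rcv_wnd:
        return "rst_in_window", f"RST seq {rst.seq} is within RCV.WND={rcv_wnd} of {expected}"
    return "rst_out_of_window", f"RST seq {rst.seq} is outside [{expected}, {expected + rcv_wnd})"


# Constructed from the trace quoted above: the correct exchange and the buggy one.
VALID_EXCHANGE = [
    "17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win 65535, length 0",
    "17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack 472216886, win 65535, length 0",
    "17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 472216886, win 0, length 0",
]
BUGGY_EXCHANGE = VALID_EXCHANGE[:2] + [
    "17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 3592434473, win 0, length 0",
]

if __name__ == "__main__":
    for name, exchange in (("valid", VALID_EXCHANGE), ("buggy", BUGGY_EXCHANGE)):
        status, why = check_handshake_reset(exchange)
        print(f"{name}: {status}: {why}")
```

Run it against a capture of the scapy script's traffic (three lines per SYN/SYN-ACK/RST round) to tell apart a server that really reuses ISNs from a client whose RST is simply never accepted; only the first case has anything to do with the advisory.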

Dag-Erling Smørgrav

Jan 18, 2018, 3:55:14 AM
Brahmanand Reddy <brahm...@gmail.com> writes:
> My last question on this: recently "Replaced the kernel RC4 (arc4random)
> with Chacha20" on the 11.0 kernel; should we apply it on the 10.4 kernel?

This has not yet been merged to 11 and will not be merged to 10, which
is now in maintenance mode.

DES
--
Dag-Erling Smørgrav - d...@des.no

Brahmanand Reddy

Jan 31, 2018, 8:31:00 PM
Dear Peter/ Team,

My final call on this thread: "RST does not happen as quickly in FreeBSD 10.4
and 11 as in 9.2". It takes a 10 to 15 second delay to reset and generate a
new ISN number on ports 80/443.

Example-
import time

# RST
RST = TCP(sport=sport, dport=dport, flags='R', seq=SYNACK.ack, ack=0)
send(ip/RST)
time.sleep(15)
SYN2 = TCP(sport=sport, dport=dport, flags='S', seq=random.randint(1024, 18576), ack=0)

Kindly clarify and conclude: 1) Is this the expected behavior, or does some
new enhancement cause this delay? If so, what are those?
2) Do we have to configure anything, e.g. in 'sysctl.conf', or is a
corresponding fix available?

Note: In 9.2, without a delay, I didn't observe any issue. The standards say
it must respond quickly with an RST.

Sincerely,
Brahma



On Fri, Jan 12, 2018 at 1:11 PM, Peter Jeremy <pe...@rulingia.com> wrote:
