Bug 969340 (CVE-2004-0230) - VUL-1: CVE-2004-0230: kernel: TCP RST insertion attacks when using large windows
Summary: VUL-1: CVE-2004-0230: kernel: TCP RST insertion attacks when using large windows
Status: RESOLVED FIXED
Alias: CVE-2004-0230
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Jiri Bohac
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2004-0230:4.3:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-03 13:00 UTC by Marcus Meissner
Modified: 2020-06-08 23:22 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-03-03 13:00:47 UTC
via mitre

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. 

This issue seems to be addressed by e.g. RFC 5961 (https://tools.ietf.org/html/rfc5961), "Improving TCP's Robustness to Blind In-Window Attacks".
Comment 1 Marcus Meissner 2016-03-03 13:01:13 UTC
Fixed by:

commit 282f23c6ee343126156dd41218b22ece96d747e3
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Jul 17 10:13:05 2012 +0200

    tcp: implement RFC 5961 3.2
    
    Implement the RFC 5691 mitigation against Blind
    Reset attack using RST bit.
    
    Idea is to validate incoming RST sequence,
    to match RCV.NXT value, instead of previously accepted
    window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)
    
    If sequence is in window but not an exact match, send
    a "challenge ACK", so that the other part can resend an
    RST with the appropriate sequence.
    
    Add a new sysctl, tcp_challenge_ack_limit, to limit
    number of challenge ACK sent per second.
    
    Add a new SNMP counter to count number of challenge acks sent.
    (netstat -s | grep TCPChallengeACK)
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Kiran Kumar Kella <kkiran@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
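As an added illustration of the check described in the commit message above (and of the window-size weakness in the bug description), the following C model compares the pre-RFC 5961 rule, where any in-window RST tears the connection down, with the RFC 5961 section 3.2 rule, where only an exact RCV.NXT match resets and an in-window but inexact RST earns a challenge ACK. This is example code written for this page, not kernel code; the per-second budget stands in for the tcp_challenge_ack_limit sysctl, and the clock is a caller-supplied second counter (an assumption of the model).

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed receiver state (not kernel code): RCV.NXT and RCV.WND. */
struct tcp_rcv {
    uint32_t rcv_nxt;   /* next sequence number the receiver expects */
    uint32_t rcv_wnd;   /* advertised receive window size */
};

enum rst_action { RST_DROP = 0, RST_ACCEPT = 1, RST_CHALLENGE_ACK = 2 };

/* True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND) modulo 2^32. */
static bool seq_in_window(const struct tcp_rcv *r, uint32_t seq)
{
    return (uint32_t)(seq - r->rcv_nxt) < r->rcv_wnd;
}

/* Pre-RFC 5961 check: any in-window RST tears the connection down. */
enum rst_action rst_check_legacy(const struct tcp_rcv *r, uint32_t seq)
{
    return seq_in_window(r, seq) ? RST_ACCEPT : RST_DROP;
}

/* Per-second challenge ACK budget, modelled on tcp_challenge_ack_limit. */
struct challenge_state {
    unsigned limit;     /* challenge ACKs allowed per second */
    unsigned sent;      /* sent so far in the current second */
    unsigned sec;       /* the second that `sent` refers to */
};

/* RFC 5961 section 3.2 check: only an exact RCV.NXT match resets; an
 * in-window but inexact RST earns a challenge ACK (while budget lasts),
 * so a legitimate peer can resend the RST with the right sequence. */
enum rst_action rst_check_rfc5961(const struct tcp_rcv *r, uint32_t seq,
                                  struct challenge_state *cs, unsigned now_sec)
{
    if (seq == r->rcv_nxt)
        return RST_ACCEPT;
    if (!seq_in_window(r, seq))
        return RST_DROP;
    if (cs->sec != now_sec) {       /* new second: reset the budget */
        cs->sec = now_sec;
        cs->sent = 0;
    }
    if (cs->sent >= cs->limit)
        return RST_DROP;            /* budget exhausted: drop silently */
    cs->sent++;
    return RST_CHALLENGE_ACK;
}
```

With a 64 KiB window the legacy rule accepts any of 65535 sequence values, while the RFC 5961 rule accepts exactly one and answers the rest with rate-limited challenge ACKs.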
Comment 2 Marcus Meissner 2016-03-03 13:03:29 UTC
Which was added in the Linux 3.5 release.
Comment 3 Marcus Meissner 2016-03-03 13:08:48 UTC
The patch doesn't look so hard to backport.
Comment 4 Swamp Workflow Management 2016-03-03 23:00:44 UTC
bugbot adjusting priority
Comment 8 Jiri Bohac 2016-06-08 08:44:30 UTC
Got off my radar because this was assigned to an account I didn't even know existed  ;)
Going to work on this now.
Comment 9 Borislav Petkov 2016-06-08 08:51:14 UTC
Whoops, my bad. I'll try to remember to use your @suse.com account in the future.

Thanks.
Comment 10 Jiri Bohac 2016-06-08 16:30:50 UTC
The patch arrived via the 3.0.58 stable update into the 3.0-based kernels
but was reverted by Jiri Slaby in 
patches.kabi/0001-Revert-tcp-RFC-5961-5.2-Blind-Data-Injection-Attack-.patch
and
patches.kabi/0004-Revert-tcp-implement-RFC-5961-4.2.patch:


	From: Jiri Slaby <jslaby@suse.cz>
	Subject: Revert "tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation"
	Patch-mainline: never, kABI

	This reverts commit 8d15569e14cfcf9151e9e3b4c0cb98369943a2bb, upstream
	commit 354e4aa391ed50a4d827ff6fc11e0667d0859b25. We cannot take these
	patches as they change public SNMP interface indices.

Jiri, why is it a problem to add a new MIB index at the end of the table?

Should we drop the revert?
Or should we just revert the new SNMP counter and keep the rest of the patch?

The problem will be identical for SLE10.
Comment 11 Jiri Slaby 2016-06-09 07:07:05 UTC
(In reply to Jiri Bohac from comment #10)
> The patch arrived via the 3.0.58 stable update into the 3.0-based kernels
> but was reverted by Jiri Slaby in 
> patches.kabi/0001-Revert-tcp-RFC-5961-5.2-Blind-Data-Injection-Attack-.patch
> and
> patches.kabi/0004-Revert-tcp-implement-RFC-5961-4.2.patch:

Only in 11-SP2 and older, fortunately.

> Jiri, why is it a problem to add a new MIB index at the end of the table?

The problem is that it also removes an entry: LINUX_MIB_TCPSYNCHALLENGE

If you, as an authorized person for net/, think it is OK and won't break userspace, feel free to drop the reverts from the respective LTSS branches. I wasn't so keen to do that at the times :).
Comment 12 Jiri Bohac 2017-01-06 10:28:13 UTC
I decided to modify the reverts in patches.kabi to only revert the parts modifying the SNMP interface and keep all the functional parts of the fixes.
This way the security problem will be fixed but the SNMP accounting of the challenge ACKs won't be done.

Pushed to users/jbohac/cve/linux-3.0/for-next (db5164ee).

I'll prepare a similar patch for 2.6.16.
Comment 15 Swamp Workflow Management 2017-01-30 19:18:51 UTC
SUSE-SU-2017:0333-1: An update that solves 46 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 1003077,1003925,1004517,1007944,1008645,1008831,1008833,1009443,1010150,1010467,1010501,1010507,1010711,1010716,1011482,1011685,1012422,1012832,1013038,1013531,1013542,1014746,1017710,1021258,835175,839104,863873,874145,896484,908069,914939,922947,927287,940966,950998,954984,956514,958000,960689,963053,967716,968500,969340,971360,971944,978401,978821,979213,979274,979548,979595,979879,979915,980363,980371,980725,981267,983143,983213,984755,986362,986365,986445,986572,989261,991608,991665,992566,993890,993891,994296,994436,994618,994759,995968,997059,999932
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2013-4312,CVE-2015-1350,CVE-2015-7513,CVE-2015-7833,CVE-2015-8956,CVE-2015-8962,CVE-2015-8964,CVE-2016-0823,CVE-2016-10088,CVE-2016-1583,CVE-2016-2187,CVE-2016-2189,CVE-2016-3841,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-4998,CVE-2016-5244,CVE-2016-5829,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.53.1, kernel-ec2-3.0.101-0.7.53.1, kernel-pae-3.0.101-0.7.53.1, kernel-source-3.0.101-0.7.53.1, kernel-syms-3.0.101-0.7.53.1, kernel-trace-3.0.101-0.7.53.1, kernel-xen-3.0.101-0.7.53.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.53.1, kernel-ec2-3.0.101-0.7.53.1, kernel-pae-3.0.101-0.7.53.1, kernel-trace-3.0.101-0.7.53.1, kernel-xen-3.0.101-0.7.53.1
Comment 16 Jiri Bohac 2017-02-02 17:07:18 UTC
pushed to users/jbohac/cve/linux-2.6.16/for-next (commit 4d59c035)
Reassigning to security-team.
Comment 17 Marcus Meissner 2017-02-06 08:13:15 UTC
thanks!
Comment 18 Swamp Workflow Management 2017-02-09 20:25:31 UTC
SUSE-SU-2017:0437-1: An update that solves 20 vulnerabilities and has 79 fixes is now available.

Category: security (important)
Bug References: 1003813,1005877,1007615,1008557,1008645,1008831,1008833,1008893,1009875,1010150,1010175,1010201,1010467,1010501,1010507,1010711,1010713,1010716,1011685,1011820,1012183,1012411,1012422,1012832,1012851,1012852,1012917,1013018,1013038,1013042,1013070,1013531,1013542,1014410,1014454,1014746,1015561,1015752,1015760,1015796,1015803,1015817,1015828,1015844,1015848,1015878,1015932,1016320,1016505,1016520,1016668,1016688,1016824,1016831,1017686,1017710,1019079,1019148,1019165,1019348,1019783,1020214,1021258,748806,786036,790588,795297,800999,821612,824171,851603,853052,871728,901809,909350,909491,913387,914939,919382,924708,925065,953233,961589,962846,969340,973691,987333,987576,989152,989680,989896,990245,992991,993739,993832,996541,996557,997401,999101
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2013-6368,CVE-2015-1350,CVE-2015-8962,CVE-2015-8964,CVE-2016-10088,CVE-2016-5696,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-94.2
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-94.1, kernel-default-3.0.101-94.1, kernel-ec2-3.0.101-94.1, kernel-pae-3.0.101-94.1, kernel-ppc64-3.0.101-94.1, kernel-source-3.0.101-94.1, kernel-syms-3.0.101-94.1, kernel-trace-3.0.101-94.1, kernel-xen-3.0.101-94.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-94.1, kernel-pae-3.0.101-94.1, kernel-ppc64-3.0.101-94.1, kernel-trace-3.0.101-94.1, kernel-xen-3.0.101-94.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-94.1, kernel-default-3.0.101-94.1, kernel-ec2-3.0.101-94.1, kernel-pae-3.0.101-94.1, kernel-ppc64-3.0.101-94.1, kernel-trace-3.0.101-94.1, kernel-xen-3.0.101-94.1
Comment 19 Swamp Workflow Management 2017-02-17 17:18:11 UTC
SUSE-SU-2017:0494-1: An update that solves 27 vulnerabilities and has 48 fixes is now available.

Category: security (important)
Bug References: 1001419,1002165,1003077,1003253,1003925,1004517,1007944,1008374,1008645,1008831,1008833,1008850,1009875,1010150,1010467,1010501,1010507,1010711,1010713,1010716,1011685,1011820,1012183,1012422,1012832,1012851,1012852,1012895,1013038,1013042,1013531,1013542,1014454,1014746,1015878,1017710,1018446,1019079,1019783,1021258,821612,824171,914939,929141,935436,956514,961923,966826,967716,969340,973691,979595,987576,989152,989261,991665,992566,992569,992906,992991,993890,993891,994296,994618,994759,995968,996329,996541,996557,997059,997401,997708,998689,999932,999943
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2015-1350,CVE-2015-8956,CVE-2015-8962,CVE-2015-8964,CVE-2015-8970,CVE-2016-0823,CVE-2016-10088,CVE-2016-3841,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2017-5551
Sources used:
SUSE OpenStack Cloud 5 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Manager Proxy 2.1 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Manager 2.1 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-ppc64-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
Comment 20 Marcus Meissner 2017-03-01 13:04:19 UTC
released updates
Comment 22 Swamp Workflow Management 2017-04-25 19:32:25 UTC
SUSE-SU-2017:1102-1: An update that solves 27 vulnerabilities and has 114 fixes is now available.

Category: security (important)
Bug References: 1003077,1003344,1003568,1003677,1003813,1003866,1003925,1004517,1004520,1005857,1005877,1005896,1005903,1006917,1006919,1007615,1007944,1008557,1008645,1008831,1008833,1008893,1009875,1010150,1010175,1010201,1010467,1010501,1010507,1010711,1010716,1011685,1011820,1012411,1012422,1012832,1012851,1012917,1013018,1013038,1013042,1013070,1013531,1013533,1013542,1013604,1014410,1014454,1014746,1015561,1015752,1015760,1015796,1015803,1015817,1015828,1015844,1015848,1015878,1015932,1016320,1016505,1016520,1016668,1016688,1016824,1016831,1017686,1017710,1019148,1019165,1019348,1019783,1020214,1021258,748806,763198,771065,786036,790588,795297,799133,800999,803320,821612,824171,851603,853052,860441,863873,865783,871728,901809,907611,908458,908684,909077,909350,909484,909491,909618,913387,914939,919382,922634,924708,925065,928138,929141,953233,956514,960689,961589,962846,963655,967716,968010,969340,973203,973691,979681,984194,986337,987333,987576,989152,989680,989764,989896,990245,992566,992991,993739,993832,995968,996541,996557,997401,998689,999101,999907
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2013-6368,CVE-2015-1350,CVE-2015-8956,CVE-2015-8962,CVE-2015-8964,CVE-2016-10088,CVE-2016-3841,CVE-2016-5696,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9576,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2016-9794,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-68.1, kernel-rt_trace-3.0.101.rt130-68.1, kernel-source-rt-3.0.101.rt130-68.1, kernel-syms-rt-3.0.101.rt130-68.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-68.1, kernel-rt_debug-3.0.101.rt130-68.1, kernel-rt_trace-3.0.101.rt130-68.1