[ESA-20011106-01] kernel: Syncookie vulnerability

From: EnGarde Secure Linux (securityat_private)
Date: Mon Nov 05 2001 - 22:04:34 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    +------------------------------------------------------------------------+
    | EnGarde Secure Linux Security Advisory               November 06, 2001 |
    | http://www.engardelinux.org/                           ESA-20011106-01 |
    |                                                                        |
    | Package:  kernel                                                       |
    | Summary:  Syncookie vulnerability                                      |
    +------------------------------------------------------------------------+
    
      EnGarde Secure Linux is a secure distribution of Linux that features
      improved access control, host and network intrusion detection, Web
      based secure remote management, complete e-commerce using AllCommerce,
      and integrated open source security tools.
    
    
    OVERVIEW
    - --------
      There is a vulnerability in the kernel's syncookie code which can
      allow a remote attacker to potentially guess the cookie and bypass
      firewall rules.
    
    
    DETAIL
    - ------
      Some firewall systems implement rules based on the TCP flags set.
      They may drop or reject incoming packets that have the SYN bit set,
      which normally indicates the start of a new connection.  It is
      possible for an attacker to flood the server with SYN packets, causing
      a DoS attack.  To protect against this DoS the kernel implements
      something called "syncookies".
    
      In the syncookie model, the server sends a cryptographically secure
      "cookie" back to the client with the "SYN ACK" packet.  To finish the
      handshake, the client sends a final ACK, with the cookie, back to the
      server.  This cookie is comprised of various bits including the
      source/destination address and port.
    
      The problem lies in the fact that:
    
        a) Many firewalls implement rules based upon the SYN flag.
        b) With syncookies enabled, the client need only send an ACK with a
           valid cookie.
        c) All the cookies come from the same source.
    
      While the cookies themselves are secure, they can be brute forced in a
      few hours on a fast connection.  To fix this problem the syncookies are
      now tied into a particular port.
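      The following is an added illustration of the syncookie model described above; it is not the kernel's code and not part of the advisory. It models a stateless server that answers every SYN with a keyed-hash cookie as its sequence number, keeps no half-open entry, and only establishes the connection when the final ACK carries a valid cookie. The secret, addresses and ports are constructed, and the `bind_port=False` variant (which leaves the destination port out of the cookie) is an assumed contrast case that shows why a cookie must be tied to the port it was issued for, as the fix in this advisory does.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; the real kernel derives and rotates its own.
DEMO_SECRET = secrets.token_bytes(32)


def make_cookie(saddr, daddr, sport, dport, secret=DEMO_SECRET, bind_port=True):
    """Return a 32-bit syncookie used as the server's initial sequence number.

    The cookie is a keyed hash over the connection identity, so the server
    needs no per-SYN state. bind_port=False leaves the destination port out
    of the MAC input; that variant exists here only to contrast with the
    advisory's fix (cookies tied to a particular port).
    """
    ident = f"{saddr}|{daddr}|{sport}|"
    if bind_port:
        ident += str(dport)
    mac = hmac.new(secret, ident.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Server:
    """Stateless SYN handling: answer every SYN, remember nothing, and create
    a connection only when the final ACK carries a valid cookie."""

    def __init__(self, addr, secret=DEMO_SECRET, bind_port=True):
        self.addr = addr
        self.secret = secret
        self.bind_port = bind_port
        self.established = set()

    def on_syn(self, saddr, sport, dport):
        # SYN-ACK whose sequence number *is* the cookie; no half-open entry.
        seq = make_cookie(saddr, self.addr, sport, dport,
                          self.secret, self.bind_port)
        return {"flags": "SYN-ACK", "seq": seq}

    def on_ack(self, saddr, sport, dport, ack):
        # The ACK number acknowledges seq+1, so recompute the cookie for this
        # 4-tuple and compare in constant time.
        expected = make_cookie(saddr, self.addr, sport, dport,
                               self.secret, self.bind_port)
        got = ((ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")
        if hmac.compare_digest(got, expected.to_bytes(4, "big")):
            self.established.add((saddr, sport, dport))
            return True
        return False


def handshake(server, saddr, sport, dport):
    """A normal client: send SYN, take the SYN-ACK, reply ACK with seq+1."""
    synack = server.on_syn(saddr, sport, dport)
    ack = (synack["seq"] + 1) & 0xFFFFFFFF
    return server.on_ack(saddr, sport, dport, ack)


def cookie_bound_to_port(bind_port):
    """Property check for the fix: a cookie issued for one destination port
    must not validate on another.  Returns True when the server rejects it."""
    server = Server("10.0.0.2", bind_port=bind_port)
    synack = server.on_syn("10.0.0.9", 40000, 80)    # cookie issued for port 80
    ack = (synack["seq"] + 1) & 0xFFFFFFFF
    return not server.on_ack("10.0.0.9", 40000, 22, ack)   # presented on port 22


if __name__ == "__main__":
    print("normal handshake:", handshake(Server("10.0.0.2"), "10.0.0.9", 40000, 80))
    print("cookie rejected on other port (unbound):", cookie_bound_to_port(False))
    print("cookie rejected on other port (bound):  ", cookie_bound_to_port(True))
```

The cookie is truncated to 32 bits because it has to fit in the TCP sequence number field; that size limit is why the advisory can describe the cookies as secure yet still brute-forceable given enough time, and why the scope of a valid cookie (address, port) matters as much as its strength.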
    
      Syncookies are enabled by default on EnGarde.
    
    
    SOLUTION
    - --------
      All users should upgrade to the most recent version, as outlined in
      this advisory.
    
      Please note that kernel upgrades are not available through Guardian
      Digital Secure Update.  Please follow the steps outlined below to
      upgrade your system manually.  Updates can be obtained from:
    
        ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
        http://ftp.engardelinux.org/pub/engarde/stable/updates/
    
      Please read and understand this entire section before you attempt to
      upgrade the kernel.
    
      Initial Steps
      -------------
        1) Verify the machine is either:
    
           a) booted into a "standard" kernel; or
           b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)
    
        2) Determine which kernels you currently have installed:
    
             # rpm -qa --qf "%{NAME}\n" | grep kernel
    
        3) Download the new kernels that match what you have installed
           (based on step 2) from the "UPDATED PACKAGES" section of this
           advisory.
    
    
      Installation Steps
      ------------------
        4) Install the new packages.  The packages will automagically
           update /etc/lilo.conf by commenting out any old EnGarde images
           and replacing them with the new ones:
    
             # rpm --replacefiles -i <kernel 1> <kernel 2> ...
    
        5) Re-run LILO.  If you see any errors then open /etc/lilo.conf in
           your favorite text editor and make the appropriate changes:
    
             # /sbin/lilo
    
      
      Final Steps
      -----------
        6) If you did not see any LILO errors then your new kernel is now
           installed and your machine is ready to be rebooted:
    
             # reboot
    
    
    UPDATED PACKAGES
    - ----------------
      These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
    
      Source Packages:
    
        SRPMS/kernel-2.2.19-1.0.21.src.rpm
          MD5 Sum:  08257690f8af73feab70e8720611100c
    
      Binary Packages:
    
        i386/kernel-2.2.19-1.0.21.i386.rpm
          MD5 Sum:  39618bc729d2b92a354f426ae794dbbd
    
        i386/kernel-lids-mods-2.2.19-1.0.21.i386.rpm
          MD5 Sum:  9135e610cd5ebd9e16e823a4b8d76995
    
        i386/kernel-smp-lids-mods-2.2.19-1.0.21.i386.rpm
          MD5 Sum:  02a90cd041e405fa008fbb5f29e59ffb
    
        i386/kernel-smp-mods-2.2.19-1.0.21.i386.rpm
          MD5 Sum:  de5734faa2fa08b6b30954524ba5197b
    
    
        i686/kernel-2.2.19-1.0.21.i686.rpm
          MD5 Sum:  a52ba054ae0ee1c298963c2f511fce97
    
        i686/kernel-lids-mods-2.2.19-1.0.21.i686.rpm
          MD5 Sum:  01d004993e324cabf4305816f9a85d0e
    
        i686/kernel-smp-lids-mods-2.2.19-1.0.21.i686.rpm
          MD5 Sum:  f2d980723f90988b0c4fe0cfa2189dfe
    
        i686/kernel-smp-mods-2.2.19-1.0.21.i686.rpm
          MD5 Sum:  9b21a28a31b4f7cba4f30db9d68e53d8
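      As an added example (not part of the advisory or of Guardian Digital's tooling), the script below verifies downloaded packages against the MD5 sums published above before step 4 is run, and only builds the `rpm --replacefiles -i` command line for packages that match. The manifest is copied from the i386 list; the directory path is an assumption supplied on the command line.

```python
import hashlib
import os

# Copied from the advisory's UPDATED PACKAGES section (i386 binary packages).
# Keys are the basenames under i386/ in the updates directory.
ADVISORY_MD5 = {
    "kernel-2.2.19-1.0.21.i386.rpm": "39618bc729d2b92a354f426ae794dbbd",
    "kernel-lids-mods-2.2.19-1.0.21.i386.rpm": "9135e610cd5ebd9e16e823a4b8d76995",
    "kernel-smp-lids-mods-2.2.19-1.0.21.i386.rpm": "02a90cd041e405fa008fbb5f29e59ffb",
    "kernel-smp-mods-2.2.19-1.0.21.i386.rpm": "de5734faa2fa08b6b30954524ba5197b",
}


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 of a file, read in chunks so a large rpm is not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_downloads(directory, expected=ADVISORY_MD5):
    """Compare each advisory package found in `directory` with its published sum.

    Returns a dict with three lists: 'ok', 'mismatch' and 'missing'.  Packages
    listed in the advisory but not downloaded are only reported as 'missing',
    since step 3 says to fetch just the kernels you have installed.
    """
    report = {"ok": [], "mismatch": [], "missing": []}
    for name, md5 in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif md5_of_file(path) == md5:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    return report


def install_command(directory, report):
    """Build the step-4 command for verified packages only; None if any
    downloaded package failed verification or nothing verified."""
    if report["mismatch"] or not report["ok"]:
        return None
    paths = " ".join(os.path.join(directory, n) for n in report["ok"])
    return f"rpm --replacefiles -i {paths}"


if __name__ == "__main__":
    import sys
    # Usage: python verify_kernels.py /path/to/downloaded/rpms
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    report = check_downloads(directory)
    for status, names in report.items():
        for name in names:
            print(f"{status:9} {name}")
    cmd = install_command(directory, report)
    print(cmd if cmd else "verification failed or nothing to install; do not run rpm")
```

Any mismatch means the download is not the package the advisory describes, whatever the cause, and the script deliberately refuses to print an install command in that case.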
    
    
    REFERENCES
    - ----------
    
      Guardian Digital's public key:
        http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
    
      Credit for the discovery/fixing of this bug goes to:
        Manfred Spraul
        Andi Kleen <akat_private>
    
      Official Web Site of the Linux Kernel:
        http://www.kernel.org/
    
      Security Contact:    securityat_private
      EnGarde Advisories:  http://www.engardelinux.org/advisories.html
    
    - --------------------------------------------------------------------------
    $Id: ESA-20011106-01-kernel,v 1.1 2001/11/06 05:58:24 rwm Exp $
    - --------------------------------------------------------------------------
    Author: Ryan W. Maple, <ryanat_private> 
    Copyright 2001, Guardian Digital, Inc.
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE7531+HD5cqd57fu0RAkQoAJ9CilSgHhx8mm/+Tz3rv2ZXpxTCygCePVF/
    tTcRXcfrB+u/FmNIxctui54=
    =l5kN
    -----END PGP SIGNATURE-----
    