-------- Original Message --------
Subject: [ESA-20011106-01] kernel: Syncookie vulnerability
Date: Tue, 6 Nov 2001 01:04:34 -0500 (EST)
From: EnGarde Secure Linux <security@guardiandigital.com>
To: engarde-security@guardiandigital.com, bugtraq@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory               November 06, 2001 |
| http://www.engardelinux.org/                           ESA-20011106-01 |
|                                                                        |
| Package: kernel                                                        |
| Summary: Syncookie vulnerability                                       |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There is a vulnerability in the kernel's syncookie code which could
allow a remote attacker to guess a valid cookie and thereby bypass
firewall rules.
DETAIL
- ------
Some firewall systems implement rules based on the TCP flags set.
They may drop or reject incoming packets that have the SYN bit set,
which normally indicates the start of a new connection. It is
possible for an attacker to flood the server with SYN packets, causing
a denial of service (DoS). To protect against this DoS the kernel
implements something called "syncookies".
In the syncookie model, the server sends a cryptographically secure
"cookie" back to the client with the "SYN ACK" packet. To finish the
handshake, the client sends a final ACK, with the cookie, back to the
server. This cookie is derived from several values, including the
source/destination addresses and ports.
The problem lies in the fact that:
a) Many firewalls implement rules based upon the SYN flag.
b) With syncookies enabled, the client need only send an ACK with a
valid cookie.
c) All the cookies come from the same source.
While the cookies themselves are cryptographically sound, they can be
brute-forced in a few hours on a fast connection. To fix this problem,
syncookies are now tied to a particular port.
Syncookies are enabled by default on EnGarde.
SOLUTION
- --------
All users should upgrade to the most recent version, as outlined in
this advisory.
Please note that kernel upgrades are not available through Guardian
Digital Secure Update. Please follow the steps outlined below to
upgrade your system manually. Updates can be obtained from:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Please read and understand this entire section before you attempt to
upgrade the kernel.
Initial Steps
-------------
1) Verify that the machine is either:
a) booted into a "standard" kernel; or
b) running with LIDS disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)
2) Determine which kernels you currently have installed:
# rpm -qa --qf "%{NAME}\n" | grep kernel
3) Download the new kernels that match what you have installed
(based on step 2) from the "UPDATED PACKAGES" section of this
advisory.
Installation Steps
------------------
4) Install the new packages. The packages will automagically
update /etc/lilo.conf by commenting out any old EnGarde images
and replacing them with the new ones:
# rpm --replacefiles -i <kernel 1> <kernel 2> ...
5) Re-run LILO. If you see any errors then open /etc/lilo.conf in
your favorite text editor and make the appropriate changes:
# /sbin/lilo
Final Steps
-----------
6) If you did not see any LILO errors then your new kernel is now
installed and your machine is ready to be rebooted:
# reboot
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/kernel-2.2.19-1.0.21.src.rpm
MD5 Sum: 08257690f8af73feab70e8720611100c
Binary Packages:
i386/kernel-2.2.19-1.0.21.i386.rpm
MD5 Sum: 39618bc729d2b92a354f426ae794dbbd
i386/kernel-lids-mods-2.2.19-1.0.21.i386.rpm
MD5 Sum: 9135e610cd5ebd9e16e823a4b8d76995
i386/kernel-smp-lids-mods-2.2.19-1.0.21.i386.rpm
MD5 Sum: 02a90cd041e405fa008fbb5f29e59ffb
i386/kernel-smp-mods-2.2.19-1.0.21.i386.rpm
MD5 Sum: de5734faa2fa08b6b30954524ba5197b
i686/kernel-2.2.19-1.0.21.i686.rpm
MD5 Sum: a52ba054ae0ee1c298963c2f511fce97
i686/kernel-lids-mods-2.2.19-1.0.21.i686.rpm
MD5 Sum: 01d004993e324cabf4305816f9a85d0e
i686/kernel-smp-lids-mods-2.2.19-1.0.21.i686.rpm
MD5 Sum: f2d980723f90988b0c4fe0cfa2189dfe
i686/kernel-smp-mods-2.2.19-1.0.21.i686.rpm
MD5 Sum: 9b21a28a31b4f7cba4f30db9d68e53d8
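The advisory lists an MD5 sum for every package but the upgrade steps never say to
check them. The following script, added here and not part of the advisory, does that
check between step 3 (download) and step 4 (rpm --replacefiles -i): it hashes each
.rpm in a download directory and compares it with the sums listed above. The
directory argument, the function names and the rule that an unlisted .rpm blocks
installation are this example's assumptions; the file names and sums are copied from
the package list.

```python
"""Check downloaded EnGarde kernel packages against the advisory's MD5 sums.

Added example, not part of the advisory. Assumptions: all packages were fetched
into one directory, file names are the basenames from the package list, and any
unlisted .rpm in that directory is treated as a reason not to proceed.
"""
import hashlib
import os
import sys

# Manifest copied from the UPDATED PACKAGES section (basename -> MD5 sum).
ENGARDE_1_0_1_KERNEL_MD5 = {
    "kernel-2.2.19-1.0.21.src.rpm": "08257690f8af73feab70e8720611100c",
    "kernel-2.2.19-1.0.21.i386.rpm": "39618bc729d2b92a354f426ae794dbbd",
    "kernel-lids-mods-2.2.19-1.0.21.i386.rpm": "9135e610cd5ebd9e16e823a4b8d76995",
    "kernel-smp-lids-mods-2.2.19-1.0.21.i386.rpm": "02a90cd041e405fa008fbb5f29e59ffb",
    "kernel-smp-mods-2.2.19-1.0.21.i386.rpm": "de5734faa2fa08b6b30954524ba5197b",
    "kernel-2.2.19-1.0.21.i686.rpm": "a52ba054ae0ee1c298963c2f511fce97",
    "kernel-lids-mods-2.2.19-1.0.21.i686.rpm": "01d004993e324cabf4305816f9a85d0e",
    "kernel-smp-lids-mods-2.2.19-1.0.21.i686.rpm": "f2d980723f90988b0c4fe0cfa2189dfe",
    "kernel-smp-mods-2.2.19-1.0.21.i686.rpm": "9b21a28a31b4f7cba4f30db9d68e53d8",
}


def md5_of_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_packages(directory, manifest=ENGARDE_1_0_1_KERNEL_MD5):
    """Return (ok, bad, unknown) lists of basenames.

    ok: listed packages whose sum matches; bad: listed packages whose sum differs;
    unknown: .rpm files present in the directory that the advisory does not list.
    """
    ok, bad, unknown = [], [], []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".rpm"):
            continue
        expected = manifest.get(name)
        if expected is None:
            unknown.append(name)
            continue
        actual = md5_of_file(os.path.join(directory, name))
        (ok if actual == expected else bad).append(name)
    return ok, bad, unknown


def safe_to_install(directory, manifest=ENGARDE_1_0_1_KERNEL_MD5):
    """True only if at least one listed package is present and nothing mismatches or is unlisted."""
    ok, bad, unknown = verify_packages(directory, manifest)
    return bool(ok) and not bad and not unknown


if __name__ == "__main__":
    download_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    ok, bad, unknown = verify_packages(download_dir)
    for n in ok:
        print("ok       ", n)
    for n in bad:
        print("MISMATCH ", n)
    for n in unknown:
        print("unlisted ", n)
    # Non-zero exit lets a wrapper script stop before "rpm --replacefiles -i".
    sys.exit(0 if safe_to_install(download_dir) else 1)
```

Run it as `python verify_kernels.py /path/to/downloads` before step 4; a non-zero exit
means at least one package is missing from the list, was altered, or was corrupted in
transit, and the rpm install should not proceed.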
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery/fixing of this bug goes to:
Manfred Spraul
Andi Kleen <ak@suse.de>
Official Web Site of the Linux Kernel:
http://www.kernel.org/
Security Contact:
security@guardiandigital.com
EnGarde Advisories:
http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20011106-01-kernel,v 1.1 2001/11/06 05:58:24 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7531+HD5cqd57fu0RAkQoAJ9CilSgHhx8mm/+Tz3rv2ZXpxTCygCePVF/
tTcRXcfrB+u/FmNIxctui54=
=l5kN
-----END PGP SIGNATURE-----