Author: JT Smith
“There are is a vulnerability in the kernel’s syncookie code which can
allow a remote attacker to potentially guess the cookie and bypass
firewall rules.”
allow a remote attacker to potentially guess the cookie and bypass
firewall rules.”
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +------------------------------------------------------------------------+ | EnGarde Secure Linux Security Advisory November 06, 2001 | | http://www.engardelinux.org/ ESA-20011106-01 | | | | Package: kernel | | Summary: Syncookie vulnerability | +------------------------------------------------------------------------+ EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools. OVERVIEW - -------- There are is a vulnerability in the kernel's syncookie code which can allow a remote attacker to potentially guess the cookie and bypass firewall rules. DETAIL - ------ Some firewall systems implement rules based on the TCP flags set. They may drop or reject incoming packets that have the SYN bit set, which normally indicates the start of a new connection. It is possible for an attacker to flood the server with SYN packets, causing a DoS attack. To protect against this DoS the kernel implements something called "syncookies". In the syncookie model, the server sends a cryptographically secure "cookie" back to the client with the "SYN ACK" packet. To finish the handshake, the client sends a final ACK, with the cookie, back to the server. This cookie is comprised of various bits including the source/destination address and port. The problem lies in the fact that: a) Many firewalls implement rules based upon the SYN flag. b) With syncookies enabled, the client need only send an ACK with a valid cookie. c) All the cookies come from the same source. While the cookies themselves are secure, they can be brute forced in a few hours on a fast connection. To fix this problem the syncookies are now tied into a particular port. Syncookies are enabled by default on EnGarde. SOLUTION - -------- All users should upgrade to the most recent version, as outlined in this advisory. Please note that kernel upgrades are not available through Guardian Digital Secure Update. Please follow the steps outlined below to upgrade your system manually. Updates can be obtained from: ftp://ftp.engardelinux.org/pub/engarde/stable/updates/http://ftp.engardelinux.org/pub/engarde/stable/updates/ Please read and understand this entire section before you attempt to upgrade the kernel. Initial Steps ------------- 1) Verify the machine is either: a) booted into a "standard" kernel; or b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL) 2) Determine which kernels you currently have installed: # rpm -qa --qf "%{NAME}n" | grep kernel 3) Download the new kernels that match what you have installed (based on step 2) from the "UPDATED PACKAGES" section of this advisory. Installation Steps ------------------ 4) Install the new packages. The packages will automagically update /etc/lilo.conf by commenting out any old EnGarde images and replacing them with the new ones: # rpm --replacefiles -i <kernel 1> <kernel 2> ... 5) Re-run LILO. If you see any errors then open /etc/lilo.conf in your favorite text editor and make the appropriate changes: # /sbin/lilo Final Steps ----------- 6) If you did not see any LILO errors then your new kernel is now installed and your machine is ready to be rebooted: # reboot UPDATED PACKAGES - ---------------- These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra). Source Packages: SRPMS/kernel-2.2.19-1.0.21.src.rpm MD5 Sum: 08257690f8af73feab70e8720611100c Binary Packages: i386/kernel-2.2.19-1.0.21.i386.rpm MD5 Sum: 39618bc729d2b92a354f426ae794dbbd i386/kernel-lids-mods-2.2.19-1.0.21.i386.rpm MD5 Sum: 9135e610cd5ebd9e16e823a4b8d76995 i386/kernel-smp-lids-mods-2.2.19-1.0.21.i386.rpm MD5 Sum: 02a90cd041e405fa008fbb5f29e59ffb i386/kernel-smp-mods-2.2.19-1.0.21.i386.rpm MD5 Sum: de5734faa2fa08b6b30954524ba5197b i686/kernel-2.2.19-1.0.21.i686.rpm MD5 Sum: a52ba054ae0ee1c298963c2f511fce97 i686/kernel-lids-mods-2.2.19-1.0.21.i686.rpm MD5 Sum: 01d004993e324cabf4305816f9a85d0e i686/kernel-smp-lids-mods-2.2.19-1.0.21.i686.rpm MD5 Sum: f2d980723f90988b0c4fe0cfa2189dfe i686/kernel-smp-mods-2.2.19-1.0.21.i686.rpm MD5 Sum: 9b21a28a31b4f7cba4f30db9d68e53d8 REFERENCES - ---------- Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY Credit for the discovery/fixing of this bug goes to: Manfred Spraul Andi Kleen <ak@suse.de> Official Web Site of the Linux Kernel: http://www.kernel.org/ Security Contact: security@guardiandigital.com EnGarde Advisories: http://www.engardelinux.org/advisories.html - -------------------------------------------------------------------------- $Id: ESA-20011106-01-kernel,v 1.1 2001/11/06 05:58:24 rwm Exp $ - -------------------------------------------------------------------------- Author: Ryan W. Maple, <ryan@guardiandigital.com> Copyright 2001, Guardian Digital, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7531+HD5cqd57fu0RAkQoAJ9CilSgHhx8mm/+Tz3rv2ZXpxTCygCePVF/ tTcRXcfrB+u/FmNIxctui54= =l5kN -----END PGP SIGNATURE----- ------------------------------------------------------------------------ To unsubscribe email engarde-security-request@engardelinux.org with "unsubscribe" in the subject of the message. Copyright(c) 2001 Guardian Digital, Inc. EnGardeLinux.org ------------------------------------------------------------------------
Category:
- Linux
