From owner-doc-jp-work@jp.FreeBSD.org Mon Mar  8 07:36:43 2004
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id i27MahI32145;
	Mon, 8 Mar 2004 07:36:43 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from smtp.eos.ocn.ne.jp (eos.ocn.ne.jp [211.6.83.117])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id i27Mah732106
	for <doc-jp-work@jp.FreeBSD.org>; Mon, 8 Mar 2004 07:36:43 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from delta.allbsd.org (p54152-adsao12honb4-acca.tokyo.ocn.ne.jp [220.96.136.152])
	by smtp.eos.ocn.ne.jp (Postfix) with ESMTP id D115F11AA
	for <doc-jp-work@jp.FreeBSD.org>; Mon,  8 Mar 2004 07:36:42 +0900 (JST)
Received: from localhost (alph.allbsd.org [192.168.0.10])
	by delta.allbsd.org (8.12.9p2/8.12.9) with ESMTP id i27MaTA2085751
	for <doc-jp-work@jp.FreeBSD.org>; Mon, 8 Mar 2004 07:36:32 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Message-Id: <20040308.073548.133830425.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200403021955.i22Jti60024050@freefall.freebsd.org>
References: <200403021955.i22Jti60024050@freefall.freebsd.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 4.0.62 on Emacs 21.3.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Multipart/Signed; protocol="application/pgp-signature";
 micalg=pgp-sha1;
 boundary="--Security_Multipart0(Mon_Mar__8_07_35_49_2004_950)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Mon, 08 Mar 2004 07:35:48 +0900
X-Sequence: doc-jp-work 841
Subject: [doc-jp-work 841] Re: [FreeBSD-Announce] FreeBSD Security Advisory
 FreeBSD-SA-04:04.tcp
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+040307

----Security_Multipart0(Mon_Mar__8_07_35_49_2004_950)--
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Mon_Mar__8_07_35_48_2004_092)--"
Content-Transfer-Encoding: 7bit

----Next_Part(Mon_Mar__8_07_35_48_2004_092)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

This is Sato at Tokyo University of Science.

 Sorry for having slacked off for so long. I now have a little time
 available, so I am resuming work.

 Here is 04:04. The translation I used for "a low-bandwidth DoS attack"
 is not quite right, so I would welcome opinions.

--
| Hiroki Sato @ Tokyo University of Science

----Next_Part(Mon_Mar__8_07_35_48_2004_092)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="04:04"

FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-04:04.tcp (2004-03-02)
 * many out-of-sequence TCP packets denial-of-service
=============================================================================

 This mail is a Japanese translation of the following message posted
 to announce-jp:

  Subject: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:04.tcp
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Tue, 2 Mar 2004 11:55:44 -0800
  Message-Id: <200403021955.i22Jti60024050@freefall.freebsd.org>
  X-Sequence: announce-jp 1213

 The original text is PGP-signed, but this Japanese translation is not
 PGP-signed. To check the PGP signature in order to confirm that the
 contents, such as the patches, have not been tampered with, refer to
 the original text.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the
 end of the text.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begin)

=============================================================================
FreeBSD-SA-04:04.tcp                                      Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:	$B=g=x$N68$C$?B??t$N(B TCP $B%Q%1%C%H$r;H$C$?%5!<%S%9K832(B
		(many out-of-sequence TCP packets denial-of-service)

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	kernel
$B9pCNF|(B:		2004-03-02
$B%/%l%8%C%H(B:	iDEFENSE
$B1F6AHO0O(B:	$B$9$Y$F$N(B FreeBSD $B%j%j!<%9(B
$B=$@5F|(B:		2004-03-02 17: 19:18 UTC (RELENG_4)
                2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
                2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
                2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
CVE Name:       CAN-2004-0171
FreeBSD $B$K8GM-$+(B:	NO


I.   $BGX7J(B - Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  When network packets making up a TCP stream (``TCP
segments'') are received out-of-sequence, they are maintained in a
reassembly queue by the destination system until they can be re-ordered
and re-assembled.

TCP/IP $B%W%m%H%3%k%9%$!<%H$K4^$^$l$k(B TCP (Transmission Control Protocol) $B$O!"(B
$B@\B37?$G?.Mj@-$,9b$/!"E~Ce=g$,J]B8$5$l$k%G!<%?%9%H%j!<%`%5!<%S%9$r(B
$BDs6!$7$^$9!#(BTCP $B%9%H%j!<%`$r9=@.$9$k%M%C%H%o!<%/%Q%1%C%H(B (TCP $B%;%0%a%s%H(B) $B$,(B
$B$P$i$P$i$N=g=x$G<u?.$5$l$?>l9g!"$=$l$i$N%Q%1%C%H$O!"%Q%1%C%H=g$N@0Ns$H(B
$B:F9=@.$,40N;$9$k$^$G!"<u?.$5$l$?%7%9%F%`B&$N:F9=@.%-%e!<(B (reassembly
queue) $B$K3JG<$5$l$^$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

FreeBSD does not limit the number of TCP segments that may be held in a
reassembly queue.

FreeBSD $B$K$*$1$k:F9=@.%-%e!<$K$O!"3JG<2DG=$J(B TCP $B%;%0%a%s%H?t$K@)8B$,(B
$BHw$o$C$F$$$^$;$s!#(B


III. $B1F6AHO0O(B - Impact

A remote attacker may conduct a low-bandwidth denial-of-service attack
against a machine providing services based on TCP (there are many such
services, including HTTP, SMTP, and FTP).  By sending many
out-of-sequence TCP segments, the attacker can cause the target machine
to consume all available memory buffers (``mbufs''), likely leading to
a system crash.

A remote attacker can carry out a kind of low-speed denial-of-service
attack against a machine providing services that use TCP (there are
many services that use TCP, such as HTTP, SMTP and FTP).
By sending a large number of TCP segments whose packet order is
scattered, the attacker can make the target machine consume all of its
available memory buffers (mbufs) and crash the system.


IV.  $B2sHrJ}K!(B - Workaround

It may be possible to mitigate some denial-of-service attacks by
implementing timeouts at the application level.

If timeouts are implemented at the application level, it may be
possible to mitigate denial-of-service attacks to some extent.


V.   $B2r7h:v(B - Solution

Do one of the following:
Follow one of the options below.

1) Upgrade your vulnerable system to 4-STABLE, or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.
1) Upgrade the vulnerable FreeBSD system to the latest 4-STABLE,
   or to one of the RELENG_5_2, RELENG_4_9 or RELENG_4_8
   security branches dated after the correction date.

OR
Or,

2) Patch your present system:
2) Apply the patch to the present system.

The following patch has been verified to apply to FreeBSD 4.x and 5.x
systems.

The following patch has been confirmed to apply to FreeBSD 4.x and
FreeBSD 5.x systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
a) $B0J2<$N>l=j$+$i=$@5%Q%C%A$r%@%&%s%m!<%I$7!"(BPGP $B%f!<%F%#%j%F%#$r;H$C$F(B
   PGP $B=pL>$r3NG'$7$^$9!#(B

[FreeBSD 5.2]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch.asc

[FreeBSD 4.8, 4.9]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch.asc

b) Apply the patch.
b) $B=$@5%Q%C%A$rE,MQ$7$^$9!#(B

# cd /usr/src
# patch < /path/to/patch

 (Translator's note: replace /path/to/patch with the path name of the patch)

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.
c) Rebuild the kernel following the procedure described in
   <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system.


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD $B$K$*$$$F:#2s=$@5$5$l$?3F%U%!%$%k$N%j%S%8%g%sHV9f$O!"0J2<$N$H$*$j$G$9!#(B

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/UPDATING                                                  1.73.2.90
  src/sys/conf/newvers.sh                                       1.44.2.33
  src/sys/netinet/tcp_input.c                                  1.107.2.40
  src/sys/netinet/tcp_subr.c                                    1.73.2.33
  src/sys/netinet/tcp_var.h                                     1.56.2.15
RELENG_5_2
  src/UPDATING                                                  1.282.2.9
  src/sys/conf/newvers.sh                                        1.56.2.8
  src/sys/netinet/tcp_input.c                                   1.217.2.2
  src/sys/netinet/tcp_subr.c                                    1.169.2.4
  src/sys/netinet/tcp_var.h                                      1.93.2.2
RELENG_4_9
  src/UPDATING                                              1.73.2.89.2.4
  src/sys/conf/newvers.sh                                   1.44.2.32.2.4
  src/sys/netinet/tcp_input.c                              1.107.2.38.2.1
  src/sys/netinet/tcp_subr.c                                1.73.2.31.4.1
  src/sys/netinet/tcp_var.h                                 1.56.2.13.4.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.19
  src/sys/conf/newvers.sh                                  1.44.2.29.2.17
  src/sys/netinet/tcp_input.c                              1.107.2.37.2.1
  src/sys/netinet/tcp_subr.c                                1.73.2.31.2.1
  src/sys/netinet/tcp_var.h                                 1.56.2.13.2.1
- -------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL:http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html ($B1QJ8(B)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/04:04,v 1.3 2004/03/07 22:35:44 hrs Exp $

----Next_Part(Mon_Mar__8_07_35_48_2004_092)----

----Security_Multipart0(Mon_Mar__8_07_35_49_2004_950)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQBAS6PFTyzT2CeTzy0RAjGJAKC/lwmH4h0BYxXZ2nkM6BSzuYgfhQCgsT5j
YrPDOrY7vnv0k9F7cuG6pGo=
=c8w7
-----END PGP SIGNATURE-----

----Security_Multipart0(Mon_Mar__8_07_35_49_2004_950)----
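
The unbounded reassembly queue from section II and the memory exhaustion from section III, as an added example that is not part of the original mail and is not the FreeBSD patch: a simplified user-space C model of a reassembly queue with a global cap on queued segments. The names `reass_input`, `reass_maxseg`, `reass_qsize` and `reass_overflows`, the cap of 8, and the assumption that segments never partially overlap are all illustrative.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified user-space model; names and the cap value are illustrative. */
struct seg { uint32_t seq, len; struct seg *next; };
struct conn { uint32_t rcv_nxt; struct seg *q; };  /* q is sorted by seq */

static unsigned reass_qsize;       /* segments queued, all connections */
static unsigned reass_maxseg = 8;  /* hypothetical global cap */
static unsigned reass_overflows;   /* segments dropped because of the cap */

#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)  /* wrap-safe compare */

/* Feed one segment; returns bytes handed to the application in order.
 * Assumes segments never partially overlap (constructed input only). */
uint32_t reass_input(struct conn *c, uint32_t seq, uint32_t len)
{
    struct seg **pp, *s;
    uint32_t delivered;

    if (seq != c->rcv_nxt) {
        if (SEQ_LT(seq, c->rcv_nxt))
            return 0;                      /* already received */
        for (pp = &c->q; *pp && SEQ_LT((*pp)->seq, seq); pp = &(*pp)->next)
            ;
        if (*pp && (*pp)->seq == seq)
            return 0;                      /* duplicate of a queued segment */
        if (reass_qsize >= reass_maxseg || (s = malloc(sizeof(*s))) == NULL) {
            reass_overflows++;             /* bounded: drop, peer retransmits */
            return 0;
        }
        s->seq = seq; s->len = len; s->next = *pp;
        *pp = s;
        reass_qsize++;
        return 0;
    }
    /* In sequence: never refused, so a full queue can always drain. */
    delivered = len;
    c->rcv_nxt += len;
    while ((s = c->q) != NULL && s->seq == c->rcv_nxt) {
        delivered += s->len;
        c->rcv_nxt += s->len;
        c->q = s->next;
        free(s);
        reass_qsize--;
    }
    return delivered;
}
```

Without the `reass_maxseg` check, memory held by the queue grows with every out-of-sequence segment for as long as the hole at `rcv_nxt` stays unfilled.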
