|
From: | Fabian Koch |
Subject: | [lwip-users] handle RST spoofing? CVE-2004-0230 |
Date: | Tue, 29 Apr 2014 13:02:24 +0000 |
Hey all, according to a nessus scan, LwIP is vulnerable to CVE-2004-0230, which means that it accepts a spoofed Packet with RST flag if the packets sequence number fits somewhere in the current window. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0230 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230 the handling is done in tcp_in.c in the first few lines of tcp_process(). The CVE has a CVSS v2 score of 5.0 and arguably, most big “players” ignore it (Ubuntu, Debian,…). On the other hand, it might be an easy fix in LwIP and cisco also patched it in their appliances because for important, long-lasting connections (like BGP) it is a good idea to protect them from this attack. (other patches included OpenBSD, FreeBSD, Windows,…) The easiest way to handle this attack would be only accept an incoming RST if the ackno matches the expected sequence. In the other case currently implemented in tcp_process() where the number only matched into the current
window, only an ACK is sent back, expecting a re-send of the RST with a correct pair of sequence and ackno. (also the way FreeBSD fixed it) Do you think that would be feasible for LwIP or are you more in the Linux Boat, saying “meh.”? Kind regards, |
[Prev in Thread] | Current Thread | [Next in Thread] |