Hey Simon, Hey all,
it took even longer for me to respond this time ;o)
I took the FreeBSD approach and Nessus scans no longer show the vulnerability.
You can check out the changes here:
The build is compiling with all unit-tests still passing:
but that RST behavior is not covered by the unit tests yet…:
it’s compact and even makes the code more readable imho (because that “acceptable = 1” thingie vanishes)
From: lwip-users-bounces+address@hidden [mailto:lwip-users-bounces+address@hidden
On Behalf Of address@hidden
Sent: Montag, 19. Mai 2014 21:06
To: Mailing list for lwIP users
Subject: Re: [lwip-users] handle RST spoofing? CVE-2004-0230
according to a nessus scan, LwIP is vulnerable to CVE-2004-0230, which means that it accepts a spoofed Packet with RST flag if the
packets sequence number fits somewhere in the current window.
The easiest way to handle this attack would be only accept an incoming RST if the ackno matches the expected sequence. In the other
case currently implemented in tcp_process() where the number only matched into the current window, only an ACK is sent back, expecting a re-send of the RST with a correct pair of sequence and ackno.
(also the way FreeBSD fixed it)
Do you think that would be feasible for LwIP or are you more in the Linux Boat, saying “meh.”?
Sorry for replying so late, this question might have been better off on the lwip-devel list...
As an lwIP user, after reading the CVE description, I think we're good with leaving it the way it is. I think so because I can't say to fully understand the implications of the suggested change.
Things might look differently depending on the kind of application used, though, so we might want to fix this anyway...
Would you care for a patch implementing the suggested change?