NetBSD Security Advisory 2015-009: TCP LAST_ACK state memory exhaustion


		 NetBSD Security Advisory 2015-009
		 =================================

Topic:		TCP LAST_ACK state memory exhaustion


Version:	NetBSD-current:		source prior to Mon, Jul 24th 2015
		NetBSD 7.0: 		not affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6: 	affected
		NetBSD 5.2 - 5.2.3: 	affected
		NetBSD 5.1 - 5.1.5: 	affected

Severity:	Potential remote denial of service

Fixed:		NetBSD-current:		Jul 24th, 2015 
		NetBSD-7 branch:	Jul 24th, 2015
		NetBSD-6 branch:	Jul 24th, 2015
		NetBSD-6-1 branch:	Jul 24th, 2015
		NetBSD-6-0 branch:	Jul 24th, 2015
		NetBSD-5 branch:	Jul 24th, 2015
		NetBSD-5-2 branch:	Jul 24th, 2015
		NetBSD-5-1 branch:	Jul 24th, 2015

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

TCP sockets that remain in the LAST_ACK state may hold resources
for an unspecified amount of time, which may lead to denial of
service due to memory exhaustion. This vulnerability has been
assigned CVE-2015-5358.


Technical Details
=================

When closing a connection, the TCP socket enters the LAST_ACK
state, in which the kernel waits for acknowledgement that the FIN
was delivered to the peer, or for all packet retransmissions to
fail. In certain circumstances a socket in this state may hold a
significant amount of memory (mbufs), and may hold it indefinitely,
because the "persist" timer responsible for cleaning up that memory
was previously deactivated. If an attacker is able to make the
attacked system's sockets enter that state, then remote denial of
service is possible due to memory exhaustion.
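
The following monitoring sketch is an added example and is not part of
the NetBSD advisory. It summarises sockets sitting in LAST_ACK from
"netstat -an" output, using Send-Q as a rough proxy for the mbufs a
socket still holds; the function names and the 64 KiB threshold are
assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): summarise LAST_ACK sockets from
# `netstat -an` text on stdin. Send-Q is used as a rough proxy for the mbufs
# a socket still holds; the 64 KiB default threshold is an arbitrary assumption.

# Print "<peer> <sockets> <send-q bytes>" per foreign host, largest first.
last_ack_by_peer() {
    awk '
        $1 ~ /^tcp/ && $NF == "LAST_ACK" {
            peer = $5
            sub(/\.[0-9]+$/, "", peer)   # BSD netstat prints address.port
            n[peer]++
            q[peer] += $3                # column 3 is Send-Q
        }
        END { for (p in n) printf "%s %d %d\n", p, n[p], q[p] }
    ' | sort -k3,3nr -k1,1
}

# Print the total Send-Q bytes held by LAST_ACK sockets.
last_ack_bytes() {
    awk '$1 ~ /^tcp/ && $NF == "LAST_ACK" { b += $3 } END { print b + 0 }'
}

# Exit status 1 when the total exceeds the threshold (bytes, default 65536).
last_ack_check() {
    limit=${1:-65536}
    total=$(last_ack_bytes)
    echo "LAST_ACK send-queue bytes: $total (limit $limit)"
    [ "$total" -le "$limit" ]
}

# Constructed sample in BSD `netstat -an` layout (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.22          198.51.100.4.50122     ESTABLISHED
tcp        0  33304  192.0.2.10.80          203.0.113.9.41001      LAST_ACK
tcp        0  33304  192.0.2.10.80          203.0.113.9.41002      LAST_ACK
tcp        0      0  192.0.2.10.80          198.51.100.7.60233     LAST_ACK
tcp        0      0  *.80                   *.*                    LISTEN
tcp6       0   1448  2001:db8::10.443       2001:db8::beef.51515   LAST_ACK
EOF
}

sample_netstat | last_ack_by_peer
sample_netstat | last_ack_check || echo "WARNING: LAST_ACK sockets are holding queued data"
```

On a live system, pipe "netstat -an" into last_ack_check from a
periodic job and compare the trend with the mbuf usage reported by
"netstat -m".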


Solutions and Workarounds
=========================

+ Fix from NetBSD autobuild
+--------------------------

The fastest way to upgrade to an unaffected kernel, if you are
running or can run a standard kernel built as part of the NetBSD
release process, is to obtain the corresponding kernel from the
daily NetBSD autobuild output and install it on your system.

You can obtain such kernels from http://nyftp.netbsd.org/pub/NetBSD-daily/
where they are sorted by NetBSD branch, date, and architecture. To
fix a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0
branch, the most appropriate kernel will be the "netbsd-6-0" kernel.

To fix a system running NetBSD-current, the "HEAD" kernel should
be used.  In all cases, a kernel from an autobuild dated newer than
the fix date for the branch you are using must be used to fix the
problem.

+ Fix from source
+----------------

For all NetBSD versions, if you want to upgrade to a safe kernel
from source, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.
                                      
The fixed source may be obtained from the NetBSD CVS repository.        
The following instructions briefly summarise how to upgrade your        
kernel.  In these instructions, replace:

  ARCH        with your architecture (from uname -m),
  KERNCONF    with the name of your kernel configuration file, and
  NEWVERSION  with the CVS version of the fix.

File versions containing the fix:

FILE                         HEAD   netbsd-7  netbsd-6  netbsd-6-1 netbsd-6-0
+--------------------------- -----  --------- --------- ---------- ----------
src/sys/netinet/tcp_input.c  1.179  1.334.2.2 1.321.2.1 1.321.8.1  1.321.6.1
src/sys/netinet/tcp_output.c 1.184  1.176.2.5 1.173.2.2 1.173.8.2  1.173.6.2

FILE                         netbsd-5   netbsd-5-2     netbsd-5-1
+--------------------------- ---------- -------------- -------------
src/sys/netinet/tcp_input.c  1.291.4.6  1.291.4.5.6.1  1.291.4.5.2.1
src/sys/netinet/tcp_output.c 1.167.10.2 1.167.10.1.2.1 1.167.20.2


To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r NEWVERSION sys/netinet/tcp_input.c
	# cvs update -d -P -r NEWVERSION sys/netinet/tcp_output.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd 
	# shutdown -r now

For more information on how to do this, see:    

   http://www.NetBSD.org/docs/guide/en/chap-kernel.html


Thanks To
=========

Matt Thomas for fixing this issue.
Lawrence Stewart (Netflix, Inc.) and Jonathan Looney (Juniper SIRT) for
reporting this issue.


Revision History
================

	2015-10-22	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$Id: NetBSD-SA2015-009.txt,v 1.2 2015/10/22 00:02:31 tonnerre Exp $

