                 NetBSD Security Advisory 2015-009
                 =================================

Topic:          TCP LAST_ACK state memory exhaustion

Version:        NetBSD-current:         source prior to Mon, Jul 24th 2015
                NetBSD 7.0:             not affected
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.2 - 5.2.3:     affected
                NetBSD 5.1 - 5.1.5:     affected

Severity:       Potential remote denial of service

Fixed:          NetBSD-current:         Jul 24th, 2015
                NetBSD-7 branch:        Jul 24th, 2015
                NetBSD-6 branch:        Jul 24th, 2015
                NetBSD-6-1 branch:      Jul 24th, 2015
                NetBSD-6-0 branch:      Jul 24th, 2015
                NetBSD-5 branch:        Jul 24th, 2015
                NetBSD-5-2 branch:      Jul 24th, 2015
                NetBSD-5-1 branch:      Jul 24th, 2015

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

TCP sockets that remain in the LAST_ACK state may hold resources for an
unspecified amount of time, which may lead to denial of service due to
memory exhaustion.

This vulnerability has been assigned CVE-2015-5358.

Technical Details
=================

When a connection is closed, the TCP socket enters the LAST_ACK state,
in which the kernel waits either for acknowledgement that the FIN was
delivered to the peer or for all packet retransmissions to fail.

In certain circumstances a socket in this state may hold a significant
amount of memory (mbufs), and may hold it indefinitely, because the
"persist" timer responsible for cleaning up that memory was previously
deactivated.

If an attacker is able to make the attacked system's sockets enter that
state, then remote denial of service is possible due to memory
exhaustion.
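An added monitoring example, not part of the NetBSD advisory: it summarises sockets sitting in LAST_ACK from BSD-style `netstat -an` output on stdin. It assumes the usual column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) and treats Send-Q as a rough proxy for buffer memory still held; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): watch for TCP sockets that linger in
# LAST_ACK while still holding queued send data.
# Real use (assumed): netstat -an | last_ack_by_peer

# Constructed sample input using documentation addresses, not a real capture.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.22          198.51.100.5.51234     ESTABLISHED
tcp        0  33304  192.0.2.10.80          203.0.113.7.40112      LAST_ACK
tcp        0  65160  192.0.2.10.80          203.0.113.7.40113      LAST_ACK
tcp        0      0  192.0.2.10.80          198.51.100.9.50022     LAST_ACK
tcp        0      0  192.0.2.10.80          198.51.100.9.50023     TIME_WAIT
tcp6       0  12000  2001:db8::10.80        2001:db8::99.41000     LAST_ACK
EOF
}

# Print "peer sockets queued_bytes" per remote host, largest queue first.
last_ack_by_peer() {
    awk '$1 ~ /^tcp/ && $NF == "LAST_ACK" {
             peer = $5
             sub(/\.[^.]*$/, "", peer)      # BSD netstat appends ".port"
             n[peer]++; q[peer] += $3       # $3 is the Send-Q column
         }
         END { for (p in n) print p, n[p], q[p] }' | sort -k3,3nr -k1,1
}

# Print "total_sockets total_queued_bytes" for sockets in LAST_ACK.
last_ack_totals() {
    awk '$1 ~ /^tcp/ && $NF == "LAST_ACK" { n++; q += $3 }
         END { print n + 0, q + 0 }'
}

# Succeed only while LAST_ACK sockets queue at most $1 bytes in total.
last_ack_check() {
    limit=$1
    set -- $(last_ack_totals)
    [ "$2" -le "$limit" ]
}

# Demo on the constructed sample.
sample_netstat | last_ack_by_peer
```

Sampling this periodically and alerting when the total keeps growing between runs separates sockets that are stuck from ordinary connection teardown.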

Solutions and Workarounds
=========================

+ Fix from NetBSD autobuild
+--------------------------

The fastest way to upgrade to an unaffected kernel, if you are
running or can run a standard kernel built as part of the NetBSD
release process, is to obtain the corresponding kernel from the
daily NetBSD autobuild output and install it on your system.

You can obtain such kernels from http://nyftp.netbsd.org/pub/NetBSD-daily/
where they are sorted by NetBSD branch, date, and architecture. To
fix a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0 branch,
the most appropriate kernel will be the "netbsd-6-0" kernel.
To fix a system running NetBSD-current, the "HEAD" kernel should
be used. In all cases, a kernel from an autobuild dated newer than
the fix date for the branch you are using must be used to fix the problem.

+ Fix from source
+----------------

For all NetBSD versions, if you want to upgrade to a safe kernel
from source, you need to obtain fixed kernel sources, rebuild and
install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

  ARCH       with your architecture (from uname -m), and
  KERNCONF   with the name of your kernel configuration file.
  NEWVERSION with the CVS version of the fix

File versions containing the fix:

FILE                          HEAD   netbsd-7   netbsd-6   netbsd-6-1  netbsd-6-0
+---------------------------  -----  ---------  ---------  ----------  ----------
src/sys/netinet/tcp_input.c   1.343  1.334.2.2  1.321.2.1  1.321.8.1   1.321.6.1
src/sys/netinet/tcp_output.c  1.184  1.176.2.5  1.173.2.2  1.173.8.2   1.173.6.2

FILE                          netbsd-5    netbsd-5-2      netbsd-5-1
+---------------------------  ----------  --------------  -------------
src/sys/netinet/tcp_input.c   1.291.4.6   1.291.4.5.6.1   1.291.4.5.2.1
src/sys/netinet/tcp_output.c  1.167.10.2  1.167.10.1.2.1  1.167.20.2

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P -r NEWVERSION sys/netinet/tcp_input.c
        # cvs update -d -P -r NEWVERSION sys/netinet/tcp_output.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

   http://www.NetBSD.org/docs/guide/en/chap-kernel.html

Thanks To
=========

Matt Thomas for fixing this issue.
Lawrence Stewart (Netflix, Inc.) and Jonathan Looney (Juniper SIRT)
for reporting this issue.

Revision History
================

        2015-10-22      Initial release
        2016-06-23      PR/50379, correct version

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2015-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2015, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$Id: NetBSD-SA2015-009.txt,v 1.3 2016/06/23 20:14:08 christos Exp $