Fwd: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

Daniel Hartmeier daniel at benzedrine.cx
Fri Jul 1 11:01:09 GMT 2005


On Thu, Jun 30, 2005 at 09:32:27AM -0500, BB wrote:

> I assume without upgrading the mighty pf would handle this ?

Yes.

The unpatched vulnerability can be exploited (to stall a connection) by
spoofing only four (4) small packets, by choosing random sequence and
timestamp values and their integer opposites[1]. Hence, exploiting it is
relatively cheap, quick, and reliable.

If you have pf in front of a peer, the attacker would have to
successfully guess the proper sequence and acknowledgment numbers within
small windows, which requires sending so many packets that it's considered
unfeasible. If he could efficiently guess those numbers, he could simply
RST the connection, or worse, inject payload, etc., anyway.

Of course, if the other peer is unprotected, the attacker would send his
spoofs there, and achieve the same effect. But if both are protected,
the vulnerability is not exploitable.

Daniel

[1] http://downloads.securityfocus.com/vulnerabilities/exploits/tcp_paws.c
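The point Daniel makes about pf is that a stateful filter only passes a segment whose sequence range and ACK fall inside the small windows it tracks for each side, so a packet with a random sequence number never reaches the host's TCP stack. The following is an added illustration of that idea, not pf's code: a simplified model of per-side sequence/ACK window tracking in the spirit of the "Real Stateful TCP Packet Filtering" scheme. The connection state, the 65535 maximum window (i.e. no window scaling assumed) and the packet values are constructed for the example.

```python
"""Simplified stateful TCP sequence/ACK window check.

Added illustration only: loosely modelled on the idea behind pf's state
tracking, not pf's implementation. All connection state and packet
values below are constructed for the example.
"""
from dataclasses import dataclass
import random

MOD = 1 << 32      # sequence numbers are 32-bit and compared modulo 2^32
MAX_WIN = 65535    # assumed: no window scaling negotiated on this connection


@dataclass
class Side:
    seq_hi: int    # highest sequence number (end of data) seen from this side
    ack_hi: int    # highest ACK this side has sent
    win: int       # last window this side advertised


@dataclass
class Packet:
    seq: int
    ack: int
    length: int = 0        # bytes of payload
    window: int = 8192     # advertised window
    flags: str = "A"       # "A" = ACK set, "R" = RST set, etc.


def seq_between(x: int, lo: int, hi: int) -> bool:
    """True if lo <= x <= hi in modulo-2^32 sequence arithmetic."""
    return (x - lo) % MOD <= (hi - lo) % MOD


def check(src: Side, dst: Side, pkt: Packet) -> bool:
    """Accept a segment from src to dst only if its data lies inside the
    window dst expects and its ACK is plausible for what dst has sent."""
    end = (pkt.seq + pkt.length) % MOD
    # Data may be at most one maximum window behind what dst has already
    # acknowledged (retransmissions) and no further ahead than dst's window.
    lo_seq = (dst.ack_hi - MAX_WIN) % MOD
    hi_seq = (dst.ack_hi + dst.win) % MOD
    if not (seq_between(pkt.seq, lo_seq, hi_seq)
            and seq_between(end, lo_seq, hi_seq)):
        return False
    # An ACK may not cover data dst has not sent, nor lag more than one
    # maximum window behind dst's highest sequence number. A RST is held
    # to the same sequence check above, so an out-of-window RST is dropped.
    if "A" in pkt.flags:
        lo_ack = (dst.seq_hi - MAX_WIN) % MOD
        if not seq_between(pkt.ack, lo_ack, dst.seq_hi):
            return False
    return True


def update(src: Side, pkt: Packet) -> None:
    """Advance src's tracked state after a segment has been accepted."""
    end = (pkt.seq + pkt.length) % MOD
    if seq_between(end, src.seq_hi, (src.seq_hi + MAX_WIN) % MOD):
        src.seq_hi = end
    if "A" in pkt.flags and seq_between(pkt.ack, src.ack_hi,
                                        (src.ack_hi + MAX_WIN) % MOD):
        src.ack_hi = pkt.ack
    src.win = pkt.window


def established_state() -> tuple[Side, Side]:
    """Constructed state for an established connection A <-> B."""
    a = Side(seq_hi=1000, ack_hi=5000, win=8192)
    b = Side(seq_hi=5000, ack_hi=1000, win=8192)
    return a, b


def random_spoof_trial(n: int, seed: int) -> int:
    """Feed n segments with random sequence/ACK values 'from A to B' through
    the check and return how many the filter would have passed."""
    a, b = established_state()
    rng = random.Random(seed)
    accepted = 0
    for _ in range(n):
        pkt = Packet(seq=rng.randrange(MOD), ack=rng.randrange(MOD), length=1)
        if check(a, b, pkt):
            accepted += 1
            update(a, pkt)
    return accepted


if __name__ == "__main__":
    a, b = established_state()
    print("in-window segment passes:", check(a, b, Packet(seq=1000, ack=5000, length=100)))
    print("random-seq segments passed out of 10000:", random_spoof_trial(10000, seed=7))
```

The acceptance region is roughly (MAX_WIN + win) / 2^32 for the sequence number and MAX_WIN / 2^32 for the ACK, so a segment with independently random values almost never matches, which is why four guessed packets against a pf-protected peer do nothing while they suffice against an unprotected host.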

