PAWS security vulnerability

Tim Traver tt-list at simplenet.com
Thu May 19 13:31:20 PDT 2005


Ted,

Thanks for taking a look at this. I'm not sure I have the ability to 
test out your patch. Maybe someone else on this fine list can?

But this sounds like a pretty severe DOS issue that seems to be 
relatively simple to implement.

Do you know if the 5.x branch is affected by this as well?

Tim.


Ted Mittelstaedt wrote:

>Hi Tim,
>
>  Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been
>rewritten for FreeBSD 4.11.  YMMV.  If it works I would submit it to the
>FreeBSD security list.  The only change I made is OpenBSD defines "tiflags",
>FreeBSD defines "thflags"; I assume they are the same thing.  The file is in
>/usr/src/sys/netinet
>
>Turning off the timestamps would be a good way to make your network go
>slow.
>
>*** tcp_input.c.original        Thu May 19 11:52:30 2005
>--- tcp_input.c Thu May 19 12:00:14 2005
>***************
>*** 976,984 ****
>--- 976,992 ----
>                 * record the timestamp.
>                 * NOTE that the test is modified according to the latest
>                 * proposal of the tcplw at cray.com list (Braden
>1993/04/26).
>+                * NOTE2 additional check added as a result of PAWS
>vulnerability
>+                * documented in Cisco security notice
>cisco-sn-20050518-tcpts
>+                * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
>                 */
>                if ((to.to_flags & TOF_TS) != 0 &&
>                    SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
>+                       if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
>+
>+                               ((thflags & (TH_SYN|TH_FIN)) != 0)))
>+                                 tp->ts_recent = to.to_tsval;
>+                       else
>+                               tp->ts_recent = 0;
>                        tp->ts_recent_age = ticks;
>                        tp->ts_recent = to.to_tsval;
>                }
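
Review bot: the unchanged context line `tp->ts_recent = to.to_tsval;` that follows `tp->ts_recent_age = ticks;` at the end of the block still runs unconditionally, so it overwrites whatever the new if/else just stored, and the added `SEQ_LEQ(tp->last_ack_sent, ...)` check has no effect, including the `tp->ts_recent = 0` branch. That line should be removed as part of this hunk so that the assignment happens only inside the new if/else. Separately, the mail client has wrapped several lines (the NOTE2 comment lines and the `th->th_seq + tlen +` expression), so the patch will not apply as posted; resend it unwrapped or as an attachment. The substitution of `thflags` for `tiflags` is stated in the message as an assumption and should be confirmed against the declarations in tcp_input.c before this goes to the security list.
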
>
>Ted
>
>>-----Original Message-----
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>>Sent: Thursday, May 19, 2005 10:09 AM
>>To: bsd
>>Subject: PAWS security vulnerability
>>
>>
>>Hi all,
>>
>>ok, this article was just published about a PAWS TCP DOS vulnerability,
>>and lists FreeBSD 4.x as affected.
>>
>>http://www.securityfocus.com/bid/13676/info/
>>
>>Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
>>
>>and is 5.4 affected too ?
>>
>>Tim.

