FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Xin Li
delphij at delphij.net
Fri May 2 16:58:27 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 05/01/14 12:38, Ronald F. Guilmette wrote:
> I also have a question....
>
> If one manages a system where (a) all local user accounts are
> completely and 100% trustworthy and where (b) one has in place ipfw
> rules which reject all incoming packet *fragments* on all
> outward-facing interfaces, then is this security problem (relating
> to the reassembly queue) an issue at all for said system? Or is it
> rather a non-event in such contexts?
(a) doesn't matter, systems with only root user can be affected if they
provide TCP service.
(b) I'm not 100% sure on ipfw details (haven't used it for ~10 years
now) but IP fragmentation itself have nothing to do with this issue
since it's a different layer. Assuming you can't do TCP reassemble
with ipfw, it's still a problem.
Cheers,
- --
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTY86uAAoJEJW2GBstM+nsz9QQAI33s2CPVNuk1sWZ+OTdmIK9
2lDgJcVCRkDgX0MXph1CPO0NGkrXs8M7Ct3UtP91gagkkwiEZ6zO7jWK81GrEaNC
zBbYUyazWUx37mPUzLHf06a0NnvLFKLkJZZMrXfxYlX/BwFArAzsXY0i+JiGzKe3
Yd686PE2k4HU2RdGzm6H0T4eN5TJgNVb0AD4LIsvFfRcNUlqB0E+wrUrMeX6mmbi
3D1RnSjmD4SV5kFsvgiE3DVpTujwcfyYOQeJyEA7GTaBx/ZNHUI1GOCkCJ34SKzW
5qHwOKwFBPTmiFCmFxALrGv9cHM4M5iykvAqdbAM3tuPyQIUBVRLBCH/BtjzIj6n
tV6a7kHVNYamY8HDL3B9BLb/9EtVVNJxPLWWnOwpnhTrxBj79oxe+DCXZPCpYiy6
Od9ljRgS2GozsA0poUo3GNO7zr+mkegLVvg++GuZN2tIsOqWHhKDNQrzOxc27TP0
OHfQXkU6k34SgcVyfjSRKXUdt6ZCJ66FCZHZA7NpxDk2gyuFrYUiFXEJh90qs9QD
AUpXXEznNnId+OMEnwiCb5t+4o7TvMsra0XaZfS9+Q87U0owKUT0jOBt054QYtsn
IkyiyyjjB1xWtxgICuuBwK9B7D75D4if6z68pkHUsd5jptO84S7auXF1qTYlonPC
LG+xvLDPTbXErzcpK+om
=zQbC
-----END PGP SIGNATURE-----
More information about the freebsd-security
mailing list