[olug] Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:14.arp

Brian Roberson roberson at olug.org
Wed Sep 24 15:45:48 UTC 2003


----- Original Message ----- 
From: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
To: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
Sent: Wednesday, September 24, 2003 9:29 AM
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:14.arp


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
============================================================================
=
> FreeBSD-SA-03:14.arp                                        Security
Advisory
>                                                           The FreeBSD
Project
>
> Topic:          denial of service due to ARP resource starvation
>
> Category:       core
> Module:         sys
> Announced:      2003-09-23
> Credits:        Apple Product Security <product-security at apple.com>
> Affects:        All releases of FreeBSD
>                 FreeBSD 4-STABLE prior to the correction date
> Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
>                 2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
>                 2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
>                 2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
>                 2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
>                 2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
>                 2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
>                 2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
>                 2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
> FreeBSD only:   NO
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit
> <URL:http://www.freebsd.org/security/>.
>
> I.   Background
>
> The Address Resolution Protocol (ARP) is fundamental to the operation
> of IP with a variety of network technologies, such as Ethernet and
> WLAN.  It is used to map IP addresses to MAC addresses, which enables
> hosts on a local network segment to communicate with each other
> directly.  These mappings are stored in the system's ARP cache.
>
> FreeBSD's ARP cache is implemented within the kernel routing table as
> a set of routes for the address family in use that have the LLINFO
> flag set.  This is most commonly often AF_INET (for IPv4).  Normally,
> when a FreeBSD system receives an ARP request for a network address
> configured on one of its interfaces from a system on a local network,
> it adds a reciprocal ARP entry to the cache for the system from where
> the request originated.  Expiry timers are used to purge unused
> entries from the ARP cache.  A reference count is maintained for each
> ARP entry.  If the reciprocal ARP entry is not in use by an upper
> layer protocol, the reference count will be zero.
>
> II.  Problem Description
>
> Under certain circumstances, it is possible for an attacker to flood a
> FreeBSD system with spoofed ARP requests, causing resource starvation
> which eventually results in a system panic.  (The critical condition
> is that a route exists for the apparent source of the ARP request.
> This is always the case if the system has a default route configured
> for that protocol family.)
>
> If a large number of ARP requests with different network protocol
> addresses are sent in a small space of time, resource starvation can
> result, as the arplookup() function does not delete unnecessary ARP
> entries cached as the result of responding to an ARP request.
>
> NOTE WELL: Other BSD-derived systems may also be affected, as the
> affected code dates well back to the CSRG branches.
>
> III. Impact
>
> An attacker on the local network may be able to cause the system to
> hang or crash.  The attacker must have physical access to the shared
> network medium.  In the case of a wireless network obtaining this
> access may be trivial.  Networks where proxy ARP is used to direct
> traffic between LANs may be particularly vulnerable to the attack,
> as the spoofed ARP requests could be bounced through to the target
> via routers implementing proxy ARP.
>
> Because the attack operates at Layer 2, the use of strong encryption
> technologies such as IPsec cannot protect a system against the attack.
>
> IV.  Workaround
>
> There is no known workaround at this time.
>
> V.   Solution
>
> Do one of the following:
>
> 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_1,
> RELENG_5_0, RELENG_4_8, or RELENG_4_7 security branch dated after the
> correction date.
>
> 2) To patch your present system:
>
> The following patch has been verified to apply to FreeBSD 5-CURRENT,
> 4.9-PRERELEASE, and 4.8 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:14/arp.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Rebuild your kernel as described in
> <URL:http://www.freebsd.org/handbook/kernelconfig.html>
> and reboot the system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - ------------------------------------------------------------------------
-
> RELENG_4
>   src/sys/netinet/if_ether.c                                    1.64.2.25
> RELENG_5_1
>   src/UPDATING                                                  1.251.2.8
>   src/sys/conf/newvers.sh                                        1.50.2.8
>   src/sys/netinet/if_ether.c                                    1.104.2.1
> RELENG_5_0
>   src/UPDATING                                                 1.229.2.21
>   src/sys/conf/newvers.sh                                       1.48.2.16
>   src/sys/netinet/if_ether.c                                     1.96.2.1
> RELENG_4_8
>   src/UPDATING                                             1.73.2.80.2.10
>   src/sys/conf/newvers.sh                                   1.44.2.29.2.9
>   src/sys/netinet/if_ether.c                                1.64.2.22.2.1
> RELENG_4_7
>   src/UPDATING                                             1.73.2.74.2.21
>   src/sys/conf/newvers.sh                                  1.44.2.26.2.20
>   src/sys/netinet/if_ether.c                                1.64.2.19.2.1
> RELENG_4_6
>   src/UPDATING                                             1.73.2.68.2.50
>   src/sys/conf/newvers.sh                                  1.44.2.23.2.38
>   src/sys/netinet/if_ether.c                                1.64.2.18.2.1
> RELENG_4_5
>   src/UPDATING                                             1.73.2.50.2.50
>   src/sys/conf/newvers.sh                                  1.44.2.20.2.34
>   src/sys/netinet/if_ether.c                                1.64.2.15.2.1
> RELENG_4_4
>   src/UPDATING                                             1.73.2.43.2.51
>   src/sys/conf/newvers.sh                                  1.44.2.17.2.42
>   src/sys/netinet/if_ether.c                                1.64.2.11.2.1
> RELENG_4_3
>   src/UPDATING                                             1.73.2.28.2.38
>   src/sys/conf/newvers.sh                                  1.44.2.14.2.28
>   src/sys/netinet/if_ether.c                                1.64.2.10.2.1
> - ------------------------------------------------------------------------
-
>
> VII. References
>
> <URL:http://docs.info.apple.com/article.html?artnum=61798>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (FreeBSD)
>
> iD8DBQE/caZOFdaIBMps37IRApJAAJoDBwhwQXQli7PKuVigYwgTSaDaqwCfUoFD
> 5CupjAoAR1irbq9TSn3Id+4=
> =G144
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to
"freebsd-announce-unsubscribe at freebsd.org"
>



More information about the OLUG mailing list