-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings OpenBSD Project Team,

While reviewing our vulnerability reports we were notified of a bug in the code used by OpenBSD to reassemble IP fragments. We are tracking this issue as VU#243620. We do not classify this as a vulnerability and will not be publishing it to our public Vulnerability Notes database at http://www.kb.cert.org/vuls/. Nonetheless, we want to assist the reporter in whatever ways we can to help resolve this issue.

Antonios Atlasis ([email protected]) reported that he sent this issue to a contact at OpenBSD previously. Have you addressed this issue as of this time? If so, is there a public reference to any available fixes?

A copy of the original report is included at the bottom of this message. Please be sure to include VU#243620 in the subject when replying to this email. If you have any questions or concerns, please let us know.

Best Regards,
Todd

--
Vulnerability Analysis Team
__________________________________________________________
CERT(R) Coordination Center      | [email protected]
Software Engineering Institute   | Hotline : +1 412.268.7090
Carnegie Mellon University       | FAX     : +1 412.268.6989
Pittsburgh, PA 15213-3890        | http://www.cert.org/
==========================================================
CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office. The Software Engineering Institute is sponsored by the U.S. Department of Defense.

----- BEGIN ORIGINAL VULNERABILITY REPORT -----

OpenBSD 5.2/5.3 accepts fragments even if the first fragment had been sent 60 seconds or more earlier than the last. Specifically:

According to RFC 2460 (section 4.5, p. 21): "If insufficient fragments are received to complete reassembly of a packet within 60 seconds of the reception of the first-arriving fragment of that packet, reassembly of that packet must be abandoned and all the fragments that have been received for that packet must be discarded."

On the contrary, OpenBSD 5.2 and 5.3 (previous versions may also be affected, but I have not tested them) discard fragments only if the time interval between two consecutive fragments is more than 60 seconds. However, they do not discard them if the time interval between the first and the last fragment is a few minutes or more, as long as the time interval between two consecutive fragments is less than 60 seconds. For example, I have found that OpenBSD 5.2/5.3 accept up to 28 fragments with 30-second intervals between them (this will take up to 14 minutes).

The aforementioned behaviour can have the following security consequences:

- Easy, accurate and non-detectable fingerprinting of OpenBSD (since other major OSes conform to the RFC regarding the acceptance of delayed fragments).
- IPS/IDS evasion as long as the target is OpenBSD (since usually IDS/IPS do not store incoming fragments for up to 14 minutes).
- Undesirable load on memory, if this attack is used simultaneously by various different, real or spoofed, IPv6 sources.

For testing purposes, ICMPv6 Echo Request messages were used. I used the default installation of OpenBSD 5.2/5.3.

REFERENCES
RFC 2460, Dec 1998

----- END ORIGINAL VULNERABILITY REPORT -----
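The two reassembly-timeout policies the report contrasts, as an added simulation that is not OpenBSD's code: the "idle" policy models the behaviour the report attributes to OpenBSD 5.2/5.3, the "rfc" policy models RFC 2460 section 4.5, and the 28-fragment, 30-second arrival pattern is constructed from the report's own numbers.

```python
"""Compare a first-fragment-anchored reassembly timer (RFC 2460 section 4.5)
with an idle timer that restarts on every fragment. Added illustration;
the policies are modelled from the report, not taken from OpenBSD source."""

RFC2460_TIMEOUT = 60.0  # seconds after the first-arriving fragment


def reassemble(arrival_times, policy, timeout=RFC2460_TIMEOUT):
    """Return (outcome, seconds_queued) for one packet's fragments.

    arrival_times: strictly increasing arrival times (seconds) of the fragments.
    policy: "rfc"  - the queue expires `timeout` s after the FIRST fragment.
            "idle" - the queue expires `timeout` s after the MOST RECENT
                     fragment (the behaviour described in the report).
    outcome: "reassembled" if every fragment landed in the same queue,
             "discarded" if the timer fired before the last fragment arrived.
    seconds_queued: how long partial state sat in memory before the queue
                    completed or was torn down (the report's third concern).
    """
    if policy not in ("rfc", "idle"):
        raise ValueError("unknown policy: %r" % policy)
    first = last = arrival_times[0]
    for t in arrival_times[1:]:
        anchor = first if policy == "rfc" else last
        deadline = anchor + timeout
        if t > deadline:
            # The timer fired at `deadline`; the held fragments were dropped
            # and this late fragment can never complete the packet.
            return "discarded", deadline - first
        last = t
    return "reassembled", last - first


def report_scenario(interval=30.0, count=28):
    """Constructed arrival pattern from the report: `count` fragments,
    `interval` seconds apart (28 x 30 s spans about 14 minutes)."""
    return [i * interval for i in range(count)]


if __name__ == "__main__":
    for policy in ("rfc", "idle"):
        outcome, held = reassemble(report_scenario(), policy)
        print("%-4s policy: %-12s fragments held for %.0f s" % (policy, outcome, held))
```

Under the RFC policy the queue is gone 60 s after the first fragment, so the fourth fragment (t = 90 s) can never be matched; under the idle policy the same 28 fragments are held and accepted for 810 s.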
