Bug 519126 - (CVE-2008-4609) VUL-1: CVE-2008-4609: kernel: Sockstress VU#943657
Duplicates: 519131
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Major
Assigned To: E-mail List
Security Team bot
CVE-2008-4609: CVSS v2 Base Score: 7....
Reported: 2009-07-03 09:55 UTC by Thomas Biege
Modified: 2015-02-11 19:16 UTC (History)
Found By: Development
Description Thomas Biege 2009-07-03 09:55:46 UTC
Hi.
There is a security bug in 'kernel'.

This bug is public.

There is no coordinated release date (CRD) set.


Original posting:


@crd 2009-08-11

----- Forwarded message from CERT Coordination Center <cert@cert.org> -----

Date: Thu, 2 Jul 2009 15:48:27 -0400
To: SuSE Security Team <security@suse.de>
From: CERT Coordination Center <cert@cert.org>
Cc: CERT Coordination Center <cert@cert.org>
Subject: [security@suse.de] Sockstress [VU#943657] - suse
Hello,

We are tracking several TCP attacks referred to as "sockstress" as VU#943657:

<http://www.sockstress.com/>

These techniques allow for a denial of service attack on TCP services.  Additionally, a tool has been developed by Outpost24 to demonstrate these weaknesses in TCP implementations.

CERT-FI is coordinating the scope and mitigation of these attacks with Outpost24 and vendors:

<https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html>

CERT-FI is planning to release details of the attacks on 11 Aug 2009.  We will publish a corresponding Vulnerability Note following the CERT-FI disclosure.  CERT-FI has a more detailed advisory available on a private wiki.  For access to this wiki, please email <vulncoord@ficora.fi>.

Please note that we are coordinating this issue separately from a general TCP "persist" condition issue, VU#723308.

Regards,

-David


--
David Warren
CERT Coordination Center
<cert@cert.org>
+1 412-268-7090

943C 0A2E 4CB8 4C8F CA53
22F8 680D 4DC1 AF30 D800


----- End forwarded message -----
Comment 1 Thomas Biege 2009-07-03 09:58:43 UTC
CRD 2009-08-11
Comment 2 Thomas Biege 2009-07-03 09:59:10 UTC
bug is NOT PUBLIC
Comment 5 Thomas Biege 2009-08-10 05:14:12 UTC
CRD: 08-09-2009
Comment 7 Marcus Meissner 2009-09-16 16:24:10 UTC
The redhat statement is here:

http://kbase.redhat.com/faq/docs/DOC-18730
Comment 9 Marcus Meissner 2009-09-17 09:04:57 UTC
Well, the short and simple answer is "even the mainline kernel has no patches for this issue".

I am trying to get a more official statement from the network subsystem maintainer, David Miller, but I think their stance currently is also firewall rules.

The RH knowledgebase article also limits the exploitability to a subnet with overtaken machines:
"Exploiting these flaws requires the attacker to have access to a subnet where they have routable IP addresses that they can make use of. These need to be different from the IP address being used by the attacker's machine. The attacking system must send from IP addresses that are not being competed for by other hosts, and it must guarantee that its ARP poisoning is completely effective. The attacking system must create an attack which can not only generate the three-way handshake but can avoid sending RST frames in a response."

I am not happy with this, but I do not understand this issue sufficiently yet and need to read the paper (http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf ) :/
Comment 10 Anders Johansson 2009-09-24 13:15:12 UTC
IBM Japan is still pushing for a public statement and advisory on this problem. What I told them earlier apparently wasn't enough.

Could someone from the security team tell me what the ETA is on an advisory for this?
Comment 15 Marcus Meissner 2009-10-02 12:16:57 UTC
I just posted an advisory on this topic.

It will appear on the Novell advisory page tonight or Monday.
Mailing-list archived mail (unformatted):

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00000.html

Resolved/upstream, as we will follow upstream's lead.
Comment 16 Marcus Meissner 2009-10-02 12:18:13 UTC
*** Bug 519131 has been marked as a duplicate of this bug. ***
Comment 17 Thomas Biege 2009-10-14 02:06:52 UTC
CVE-2008-4609: CVSS v2 Base Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)