Bugzilla – Bug 519126
VUL-1: CVE-2008-4609: kernel: Sockstress VU#943657
Last modified: 2015-02-11 19:16:01 UTC
There is a security bug in 'kernel'.
This bug is public.
There is no coordinated release date (CRD) set.
----- Forwarded message from CERT Coordination Center <email@example.com> -----
Date: Thu, 2 Jul 2009 15:48:27 -0400
To: SuSE Security Team <firstname.lastname@example.org>
From: CERT Coordination Center <email@example.com>
Cc: CERT Coordination Center <firstname.lastname@example.org>
Subject: [email@example.com] Sockstress [VU#943657] - suse
We are tracking several TCP attacks referred to as "sockstress" as VU#943657:
These techniques allow for a denial of service attack on TCP services. Additionally, a tool has been developed by Outpost24 to demonstrate these weaknesses in TCP implementations.
CERT-FI is coordinating the scope and mitigation of these attacks with Outpost24 and vendors:
CERT-FI is planning to release details of the attacks on 11 Aug 2009. We will publish a corresponding Vulnerability Note following the CERT-FI disclosure. CERT-FI has a more detailed advisory available on a private wiki. For access to this wiki, please email <firstname.lastname@example.org>.
Please note that we are coordinating this issue separately from a general TCP "persist" condition issue, VU#723308.
CERT Coordination Center
943C 0A2E 4CB8 4C8F CA53
22F8 680D 4DC1 AF30 D800
----- End forwarded message -----
bug is NOT PUBLIC
The Red Hat statement is here:
Well, the short and simple answer is "even the mainline kernel has no patches for this issue".
I am trying to get a more official statement from the network subsystem maintainer, David Miller, but I think their stance currently is also firewall rules.
The RH knowledgebase article also limits the exploitability to a subnet with overtaken machines too:
"Exploiting these flaws requires the attacker to have access to a subnet where they have routable IP addresses that they can make use of. These need to be different from the IP address being used by the attacker's machine. The attacking system must send from IP addresses that are not being competed for by other hosts, and it must guarantee that its ARP poisoning is completely effective. The attacking system must create an attack which can not only generate the three-way handshake but can avoid sending RST frames in a response."
I am not happy with this, but I do not understand this issue sufficiently yet and need to read the paper (http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf) :/
IBM Japan is still pushing for a public statement and advisory on this problem. What I told them earlier apparently wasn't enough.
Could someone from the security team tell me what the ETA is on an advisory for this?
I just posted an advisory on this topic.
It will appear on the Novell advisory page tonight or Monday.
mailinglist archived mail (unformatted)
resolved/upstream as we will follow upstream's lead.
*** Bug 519131 has been marked as a duplicate of this bug. ***
CVE-2008-4609: CVSS v2 Base Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)