FreeBSD Credential Leak

Friday, May 2, 2014 @ 05:05 PM gHale


A problem has emerged in how FreeBSD handles TCP packet ordering, with denial-of-service (DoS) and data leakage both possible.

The issue exists in how the Unix-like operating system handles TCP packets received out-of-order. Packets end up held in a reassembly queue until they can be re-ordered and re-assembled.


“FreeBSD may add a reassemble queue entry on the stack into the segment list when the reassembly queue reaches its limit,” said the FreeBSD advisory. “The memory from the stack is undefined after the function returns. Subsequent iterations of the reassembly function will attempt to access this entry.”

Crafted packets can cause a kernel crash, the advisory said, but “because the undefined on stack memory may be overwritten by other kernel threads, while extremely difficult, it may be possible for an attacker to construct a carefully crafted attack to obtain portion of kernel memory via a connected socket.”
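The bug class the advisory describes, as an added example: a simplified model written for this article, not FreeBSD's code. All names (`reass_insert`, `REASS_MAX`, `struct seg`) are hypothetical, and dropping the segment at the limit is one way to keep the invariant, not necessarily the fix FreeBSD shipped.

```c
#include <stdint.h>
#include <stdlib.h>

#define REASS_MAX 4   /* constructed queue limit for this example */

struct seg { uint32_t seq; uint16_t len; struct seg *next; };
struct reass_q { struct seg *head; int count; };

/* Link e into q in sequence order (wraparound-safe comparison). */
static void link_sorted(struct reass_q *q, struct seg *e) {
    struct seg **pp = &q->head;
    while (*pp && (int32_t)((*pp)->seq - e->seq) < 0)
        pp = &(*pp)->next;
    e->next = *pp; *pp = e; q->count++;
}

#if 0   /* Vulnerable pattern, kept out of the build on purpose. */
int reass_insert_buggy(struct reass_q *q, uint32_t seq, uint16_t len) {
    struct seg tmp;   /* lives in this function's stack frame */
    struct seg *e = (q->count >= REASS_MAX) ? &tmp : malloc(sizeof *e);
    if (!e) return -1;
    e->seq = seq; e->len = len;
    link_sorted(q, e);   /* at the limit, q now points into a dead frame */
    return 0;
}
#endif

/* Hardened form: at the limit the segment is dropped, so every linked
 * entry is heap memory that outlives this call. */
int reass_insert(struct reass_q *q, uint32_t seq, uint16_t len) {
    if (q->count >= REASS_MAX) return -1;
    struct seg *e = malloc(sizeof *e);
    if (!e) return -1;
    e->seq = seq; e->len = len;
    link_sorted(q, e);
    return 0;
}

/* Free the queue; returns 1 if it was in order and matched q->count. */
int reass_drain(struct reass_q *q) {
    int n = 0, ok = 1;
    for (struct seg *e = q->head, *nx; e; e = nx, n++) {
        nx = e->next;
        if (nx && (int32_t)(nx->seq - e->seq) < 0) ok = 0;
        free(e);
    }
    ok = ok && (n == q->count);
    q->head = NULL; q->count = 0;
    return ok;
}
```

The invariant to check in review is that nothing reachable from a long-lived list can have a shorter lifetime than the list itself.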

One issue in this case is that because FreeBSD runs behind the scenes in non-obvious places, some systems may never end up with a patch.

While system administrators will take care of their IT systems, almost no one except the very savvy home user will end up patching.


