FreeBSD has patched a denial-of-service vulnerability that could affect a host of third-party packages built atop the UNIX-like operating system.
The vulnerability—found in the way FreeBSD processes TCP packets—was discovered by a member of Juniper Networks’ incident response team. FreeBSD’s advisory warns that a hacker spoofing IP traffic can “tear down” a TCP connection with only two packets if they have knowledge of the target network and both TPC port numbers.
“When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window,” the advisory said.
A hacker could also successfully exploit the flaw with knowledge of only one TCP port number.
“In case one of the two port numbers is unknown, a successful attack requires less than 2**17 packets spoofed, which can be generated within less than a second on a decent connection to the Internet,” FreeBSD said in its advisory.
The organization said enterprises can ward off attacks by creating stateful traffic inspection for every connection. “Even a default ruleset to allow all traffic would be sufficient to mitigate this issue,” the advisory said.
The patches are available from the following sources, FreeBSD said:
- fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
- fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
- gpg –verify tcp.patch.asc
SANS Internet Storm Center handler Mark Hofman cautioned that products such as Apple’s OS X operating system and even security products from Check Point, Netscaler and Blue Coat are built upon FreeBSD. More than 24,000 applications, including some email programs and Web browsers, are also built on FreeBSD.
“For those of you that don’t have FreeBSD in your environment, you probably do,” Hofman said.
Juniper has already published a patch for its products; other vendors are soon to follow suit.
Two FreeBSD Project servers used to build third-party software were breached in late 2012 forcing FreeBSD to warn users that any software built and/or installed during a two-month period could have been at risk. The base FreeBSD code, including kernel, system libraries, compiler and daemons are maintained separately and were not accessed during the breach.
As a result of the intrusion, FreeBSD considered a number of changes to how updates were distributed; hackers used a stolen SSH key to access the infrastructure housing the servers.