[sclug] Server patch
Alex Butcher
lug at assursys.co.uk
Mon Sep 5 14:50:40 UTC 2005
On Mon, 5 Sep 2005, Peter Brewer wrote:
> I have been asked to patch the following problem on a Suse 9.3 server:
>
> **************
> The remote host does not discard TCP SYN packets which
> have the FIN flag set.
>
> Depending on the kind of firewall you are using, an
> attacker may use this flaw to bypass its rules.
>
> See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
> http://www.kb.cert.org/vuls/id/464113
>
> Solution : Contact your vendor for a patch
> Risk factor : Medium
> BID : 7487
> **************
>
> I haven't been able to find a patch. Anyone get any ideas?
You need to use iptables/netfilter's '--tcp-flags' predicate together with
the 'DROP' target rather than the 'REJECT' target.
Something like this at the top of your policy should do the trick:
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
(untested - if it breaks, you get to keep both pieces)
I'm pretty sure that if you use netfilter connection tracking, this invalid
combination is taken care of automagically.
> Many thanks
> Peter
Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>
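The single rule above handles the exact flag combination the scanner reported. A defender usually wants the same treatment for the other impossible TCP flag combinations, placed ahead of every ACCEPT rule so a stateful firewall cannot be tricked into letting them through. The script below is an added example, not Alex's rule or anything from the SCLUG thread: it builds a dedicated chain (the name BOGUS_TCP is an arbitrary choice), fills it with `--tcp-flags` DROP rules plus a DROP for packets connection tracking cannot classify, and hooks the chain in at position 1 of INPUT. It assumes `iptables` on the PATH and, without `APPLY=1`, only prints the commands it would run, so it can be inspected before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Drops impossible TCP flag
# combinations before any ACCEPT rule in INPUT. Dry run by default;
# set APPLY=1 (as root) to actually execute the iptables commands.

IPT=${IPT:-iptables}          # assumed: iptables binary on the PATH
CHAIN=${CHAIN:-BOGUS_TCP}     # assumed: arbitrary chain name, not predefined

# Print a command line; execute it only when APPLY=1 (needs root).
run() {
  printf '%s\n' "$IPT $*"
  if [ "${APPLY:-0}" = "1" ]; then
    "$IPT" "$@"
  fi
}

# Flag combinations that never occur in a legitimate TCP exchange.
# Each line is "<mask> <bits>" exactly as --tcp-flags expects it:
# inspect the flags in <mask>, match when exactly <bits> are set.
bogus_flag_sets() {
  printf '%s\n' \
    "SYN,FIN SYN,FIN" \
    "SYN,RST SYN,RST" \
    "ALL NONE" \
    "ALL ALL"
}

# Emit (or apply) the whole rule set; output is one command per line.
install_bogus_tcp_rules() {
  run -N "$CHAIN"
  bogus_flag_sets | while read -r mask bits; do
    run -A "$CHAIN" -p tcp --tcp-flags "$mask" "$bits" -j DROP
  done
  # Belt and braces: connection tracking flags packets it cannot place in
  # a known state as INVALID, but that only matters if a rule drops them.
  run -A "$CHAIN" -m conntrack --ctstate INVALID -j DROP
  run -A "$CHAIN" -j RETURN
  # Insert the jump at position 1 so it precedes every ACCEPT in INPUT.
  run -I INPUT 1 -p tcp -j "$CHAIN"
}

install_bogus_tcp_rules
```

After applying, `iptables -L BOGUS_TCP -n -v` shows the packet counters per rule, which is the quickest way to confirm that a re-run of the scanner is now hitting the SYN,FIN rule instead of reaching the host's TCP stack.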