CVE-2002-0381
CVSS 5.0
Published: 2002-06-25 00:00:00
Last revised: 2008-09-05 16:27:52

[Original] The TCP implementation in various BSD operating systems (tcp_input.c) does not properly block connections to broadcast addresses, which could allow remote attackers to bypass intended filters via packets with a unicast link layer address and an IP broadcast address.


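[CNNVD] BSD TCP/IP broadcast address connection check vulnerability (CNNVD-200206-069)

        
        The TCP/IP implementations of several BSD operating systems, including FreeBSD and NetBSD, contain an error; OpenBSD may be affected as well.
        RFC 1122 requires a TCP implementation to silently discard an incoming SYN segment addressed to a multicast or broadcast address. The affected BSD implementations drop such packets based on the link-layer address rather than checking the destination IP address.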
        

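- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]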

- CPE (affected platforms and products)

cpe:/o:netbsd:netbsd:2.0.4  NetBSD 2.0.4
cpe:/o:freebsd:freebsd:4.5  FreeBSD 4.5
cpe:/o:openbsd:openbsd  OpenBSD

- OVAL (technical details used for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0381
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0381
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-069
(official data source) CNNVD

- Other links and resources

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35022
(VENDOR_ADVISORY)  MISC  http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35022
http://online.securityfocus.com/archive/1/262733
(VENDOR_ADVISORY)  BUGTRAQ  20020317 TCP Connections to a Broadcast Address on BSD-Based Systems
http://www.securityfocus.com/bid/4309
(UNKNOWN)  BID  4309
http://www.osvdb.org/5308
(UNKNOWN)  OSVDB  5308
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
(UNKNOWN)  CONFIRM  http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff?r1=1.109&r2=1.110
http://www.iss.net/security_center/static/8485.php
(UNKNOWN)  XF  bsd-broadcast-address(8485)
http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137
(UNKNOWN)  CONFIRM  http://cvsweb.netbsd.org/bsdweb.cgi/syssrc/sys/netinet/tcp_input.c.diff?r1=1.136&r2=1.137
ftp://patches.sgi.com/support/free/security/advisories/20030604-01-I
(UNKNOWN)  SGI  20030604-01-I

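- Vulnerability information

BSD TCP/IP broadcast address connection check vulnerability
Medium severity  Design error
2002-06-25 00:00:00 2005-05-02 00:00:00
Remote
        
        The TCP/IP implementations of several BSD operating systems, including FreeBSD and NetBSD, contain an error; OpenBSD may be affected as well.
        RFC 1122 requires a TCP implementation to silently discard an incoming SYN segment addressed to a multicast or broadcast address. The affected BSD implementations drop such packets based on the link-layer address rather than checking the destination IP address.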
        

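- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * There is really no good workaround short of applying the patch.
        Vendor patches:
        FreeBSD
        -------
        This security issue was fixed in FreeBSD 5-CURRENT on 2002-2-25 (CVS revision 1.148) and in FreeBSD 4-STABLE on 2002-2-28 (revision 1.107.2.21); download from the vendor's home page:
        
        http://www.freebsd.org/

        NetBSD
        ------
        NetBSD patch (tested):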
        Index: src/sys/netinet/tcp_input.c
        ===================================================================
        RCS file: /export/netbsd/ncvs/syssrc/sys/netinet/tcp_input.c,v
        retrieving revision 1.108.4.10
        diff -u -r1.108.4.10 tcp_input.c
        --- src/sys/netinet/tcp_input.c 24 Jan 2002 22:44:21 -0000 1.108.4.10
        +++ src/sys/netinet/tcp_input.c 16 Mar 2002 23:14:14 -0000
        @@ -677,7 +677,8 @@
         * Make sure destination address is not multicast.
         * Source address checked in ip_input().
         */
        - if (IN_MULTICAST(ip->ip_dst.s_addr)) {
        + if (IN_MULTICAST(ip->ip_dst.s_addr) ||
        + in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) {
         /* XXX stat */
         goto drop;
         }
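        Review bot: the comment above the changed condition still reads "Make sure destination address is not multicast", but the test now also drops IP broadcast destinations through in_broadcast(); update it to say "not multicast or broadcast" so the comment matches the code. The /* XXX stat */ marker is left open as well, so drops on this path are still not counted.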
        @@ -2183,6 +2184,11 @@
         */
         if (tiflags & TH_RST)
         goto drop;
        +
        + if (IN_MULTICAST(ip->ip_dst.s_addr) ||
        + in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
        + goto drop;
        +
         {
         /*
         * need to recover version # field, which was overwritten on
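        Review bot: the block added after the TH_RST test carries no comment saying why the segment is dropped here, and it repeats the IN_MULTICAST/in_broadcast condition from the @@ -677 hunk word for word. Add a one-line comment stating that segments with a multicast or broadcast IP destination are dropped at this point, and consider a small helper or macro so the two copies of the condition cannot drift apart.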
        OpenBSD
        -------
        OpenBSD patch (untested):
        Index: src/sys/netinet/tcp_input.c
        ===================================================================
        RCS file: /export/openbsd/ncvs/src/sys/netinet/tcp_input.c,v
        retrieving revision 1.109
        diff -u -r1.109 tcp_input.c
        --- src/sys/netinet/tcp_input.c 15 Mar 2002 18:19:52 -0000 1.109
        +++ src/sys/netinet/tcp_input.c 17 Mar 2002 01:08:35 -0000
        @@ -1080,8 +1080,6 @@
        
         /*
         * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
        - * in_broadcast() should never return true on a received
        - * packet with M_BCAST not set.
         */
         if (m->m_flags & (M_BCAST|M_MCAST))
         goto drop;
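        Review bot: with the two in_broadcast() lines removed, the remaining comment no longer says why the M_BCAST|M_MCAST test below it is not enough on its own. Since the later hunks add an in_broadcast() test on ip->ip_dst, note here that the mbuf flags reflect only the link-layer destination and that the destination IP address is checked separately.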
        @@ -1094,7 +1092,8 @@
         break;
         #endif /* INET6 */
         case AF_INET:
        - if (IN_MULTICAST(ip->ip_dst.s_addr))
        + if (IN_MULTICAST(ip->ip_dst.s_addr) ||
        + in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) {
         goto drop;
         break;
         }
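        Review bot: the added line "in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) {" ends with an opening brace that the removed if did not have. The unchanged "}" two lines below now closes the new if body instead of the block it closed before, "break;" becomes unreachable behind "goto drop;", and the enclosing block is left one brace short. Drop the trailing "{" so the condition has the same form as in the @@ -2139 hunk.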
        @@ -2139,7 +2138,8 @@
         break;
         #endif /* INET6 */
         case AF_INET:
        - if (IN_MULTICAST(ip->ip_dst.s_addr))
        + if (IN_MULTICAST(ip->ip_dst.s_addr) ||
        + in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
         goto drop;
         }
         if (tiflags & TH_ACK) {
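        Review bot: the AF_INET case gains the IN_MULTICAST/in_broadcast test without any comment, and the identical condition already appears in the @@ -1094 hunk. A one-line reference to RFC1122 4.2.3.10, as in the comment at @@ -1080, would document why the drop is here; factoring the condition into one helper would keep the two sites in step.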

- Vulnerability information

5308
Multiple BSD Broadcast Address Filter Bypass
Local Access Required, Remote / Network Access Infrastructure
Loss of Integrity

- Vulnerability description

Multiple BSD OSs contain a flaw that may allow a malicious attacker to bypass firewall rulesets. The issue is triggered when a packet is sent with a unicast link-layer address that contains an IP broadcast address. It is possible that the flaw may allow a TCP connection to a broadcast address resulting in a loss of integrity.

- Timeline

2002-02-16 Unknown
Unknown Unknown

- Solution

Upgrade to IRIX version 6.5.17 or higher, as it has been reported to fix this vulnerability. In addition, Apple, FreeBSD, NetBSD and OpenBSD have released patches for some older versions.
