Red Hat Bugzilla – Bug 314381
CVE-NONE kernel syn+fin firewall bypass (VU#464113)
Last modified: 2007-10-04 09:29:00 EDT
It was reported that the Linux kernel is being flagged by Nessus as vulnerable
In response to that VU# a fix was applied to the upstream kernel from 2.4.20+
which added a (th->rst) check but not a (th->fin) check.
However I believe OpenLinux implemented a fin check too, because they issued an
advisory mentioning they corrected this issue and it led to this plugin being
The original report of this issue contains some minor, but basic errors:
SYN|data|FIN is a legal frame in T/TCP and arguably in basic TCP as well
(although not used for that).
Thus you need to write rules that correctly handle SYN|data|FIN packets.
The code to handle this in Linux is, as far as our kernel experts can tell,
entirely correct. The kernel was changed after the publication of the report to
be suspicious of SYN|RST as that isn't a legal packet, but not SYN|FIN as that
is a legal packet.
We therefore believe that Linux (and hence Red Hat Enterprise Linux) does the
correct thing in handling these packets, and that the Nessus test is giving a
false positive as this is not a vulnerability.