Bug 314381 - CVE-NONE kernel syn+fin firewall bypass (VU#464113)
CVE-NONE kernel syn+fin firewall bypass (VU#464113)
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Kernel Manager
: Security
Depends On:
  Show dependency treegraph
Reported: 2007-10-01 14:25 EDT by Mark J. Cox
Modified: 2007-10-04 09:29 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-04 09:29:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox 2007-10-01 14:25:41 EDT
It was reported that the Linux kernel is being flagged by Nessus as vulnerable
to: http://www.kb.cert.org/vuls/id/464113

In response to that VU# a fix was applied to the upstream kernel from 2.4.20+
which added a (th->rst) check but not a (th->fin) check.

However I believe OpenLinux implemented a fin check too, because they issued an
advisory mentioning they corrected this issue and it led to this plugin being
written: http://www.nessus.org/plugins/index.php?view=viewsrc&id=11618
Comment 4 Mark J. Cox 2007-10-04 09:29:00 EDT
The original report of this issue contains some minor, but basic errors:

SYN|data|FIN is a legal frame in T/TCP and arguably in basic TCP as well
(although not used for that).

Thus you need to write rules that correctly handle SYN|data|FIN packets.

The code to handle this in Linux is, as far as our kernel experts can tell,
entirely correct.  The kernel was changed after the publication of the report to
be suspicious of SYN|RST as that isn't a legal packet, but not SYN|FIN as that
is a legal packet.

We therefore believe that Linux (and hence Red Hat Enterprise Linux) does the
correct thing in handling these packets, and that the Nessus test is giving a
false positive as this is not a vulnerability.

Note You need to log in before you can comment on or make changes to this bug.