FreeBSD : FreeBSD -- Resource exhaustion in TCP reassembly (0cb9d5bb-600a-11e6-a6c3-14dae9d210b8)

high Nessus Plugin ID 92891

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease. Impact : An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?45bba7aa

Plugin Details

Severity: High

ID: 92891

File Name: freebsd_pkg_0cb9d5bb600a11e6a6c314dae9d210b8.nasl

Version: 2.6

Type: local

Published: 8/12/2016

Updated: 1/4/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:freebsd, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Settings/ParanoidReport, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 8/11/2016

Vulnerability Publication Date: 7/28/2015

Reference Information

CVE: CVE-2015-1417

FreeBSD: SA-15:15.tcp