ID CVE-2015-1417
Summary The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, 10.2-BETA2-p2, 10.2-RC1-p1, 10.1x before 10.1-RELEASE-p16, 9.x before 9.3-STABLE, 9.3-RELEASE-p21, and 8.x before 8.4-STABLE, 8.4-RELEASE-p35 on systems with VNET enabled and at least 16 VNET instances allows remote attackers to cause a denial of service (mbuf consumption) via multiple concurrent TCP connections.
References
Vulnerable Configurations
  • FreeBSD 8.4
    cpe:2.3:o:freebsd:freebsd:8.4
  • FreeBSD 8.4 Beta 1
    cpe:2.3:o:freebsd:freebsd:8.4:beta1
  • FreeBSD 8.4 Patch 11
    cpe:2.3:o:freebsd:freebsd:8.4:p11
  • FreeBSD 8.4 Patch 12
    cpe:2.3:o:freebsd:freebsd:8.4:p12
  • FreeBSD 8.4 Patch 13
    cpe:2.3:o:freebsd:freebsd:8.4:p13
  • FreeBSD 8.4 Patch 14
    cpe:2.3:o:freebsd:freebsd:8.4:p14
  • FreeBSD 8.4 Patch 15
    cpe:2.3:o:freebsd:freebsd:8.4:p15
  • FreeBSD 8.4 Patch 16
    cpe:2.3:o:freebsd:freebsd:8.4:p16
  • FreeBSD 8.4 Patch 17
    cpe:2.3:o:freebsd:freebsd:8.4:p17
  • FreeBSD 8.4 Patch 19
    cpe:2.3:o:freebsd:freebsd:8.4:p19
  • FreeBSD 8.4 Patch 2
    cpe:2.3:o:freebsd:freebsd:8.4:p2
  • FreeBSD 8.4 Patch 20
    cpe:2.3:o:freebsd:freebsd:8.4:p20
  • FreeBSD 8.4 Patch 21
    cpe:2.3:o:freebsd:freebsd:8.4:p21
  • FreeBSD 8.4 Patch 22
    cpe:2.3:o:freebsd:freebsd:8.4:p22
  • FreeBSD 8.4 Patch 23
    cpe:2.3:o:freebsd:freebsd:8.4:p23
  • FreeBSD 8.4 Patch 24
    cpe:2.3:o:freebsd:freebsd:8.4:p24
  • FreeBSD 8.4 Patch 26
    cpe:2.3:o:freebsd:freebsd:8.4:p26
  • FreeBSD 8.4 Patch 27
    cpe:2.3:o:freebsd:freebsd:8.4:p27
  • FreeBSD 8.4 Patch 3
    cpe:2.3:o:freebsd:freebsd:8.4:p3
  • FreeBSD 8.4 Patch 30
    cpe:2.3:o:freebsd:freebsd:8.4:p30
  • FreeBSD 8.4 Patch 33
    cpe:2.3:o:freebsd:freebsd:8.4:p33
  • FreeBSD 8.4 Patch 34
    cpe:2.3:o:freebsd:freebsd:8.4:p34
  • FreeBSD 8.4 Patch 4
    cpe:2.3:o:freebsd:freebsd:8.4:p4
  • FreeBSD 8.4 Patch 7
    cpe:2.3:o:freebsd:freebsd:8.4:p7
  • FreeBSD 8.4 Patch 8
    cpe:2.3:o:freebsd:freebsd:8.4:p8
  • FreeBSD 8.4 Patch 9
    cpe:2.3:o:freebsd:freebsd:8.4:p9
  • FreeBSD 9.3 -
    cpe:2.3:o:freebsd:freebsd:9.3
  • FreeBSD 9.3 Patch 1
    cpe:2.3:o:freebsd:freebsd:9.3:p1
  • FreeBSD 9.3 Patch 10
    cpe:2.3:o:freebsd:freebsd:9.3:p10
  • FreeBSD 9.3 Patch 12
    cpe:2.3:o:freebsd:freebsd:9.3:p12
  • FreeBSD 9.3 Patch 13
    cpe:2.3:o:freebsd:freebsd:9.3:p13
  • FreeBSD 9.3 Patch 16
    cpe:2.3:o:freebsd:freebsd:9.3:p16
  • FreeBSD 9.3 Patch 19
    cpe:2.3:o:freebsd:freebsd:9.3:p19
  • FreeBSD 9.3 Patch 2
    cpe:2.3:o:freebsd:freebsd:9.3:p2
  • FreeBSD 9.3 Patch 20
    cpe:2.3:o:freebsd:freebsd:9.3:p20
  • FreeBSD 9.3 Patch 3
    cpe:2.3:o:freebsd:freebsd:9.3:p3
  • FreeBSD 9.3 Patch 5
    cpe:2.3:o:freebsd:freebsd:9.3:p5
  • FreeBSD 9.3 Patch 6
    cpe:2.3:o:freebsd:freebsd:9.3:p6
  • FreeBSD 9.3 Patch 7
    cpe:2.3:o:freebsd:freebsd:9.3:p7
  • FreeBSD 9.3 Patch 8
    cpe:2.3:o:freebsd:freebsd:9.3:p8
  • FreeBSD 9.3 Patch 9
    cpe:2.3:o:freebsd:freebsd:9.3:p9
  • FreeBSD 10.1 -
    cpe:2.3:o:freebsd:freebsd:10.1
  • FreeBSD 10.1 Patch 1
    cpe:2.3:o:freebsd:freebsd:10.1:p1
  • FreeBSD 10.1 Patch 10
    cpe:2.3:o:freebsd:freebsd:10.1:p10
  • FreeBSD 10.1 Patch 12
    cpe:2.3:o:freebsd:freebsd:10.1:p12
  • FreeBSD 10.1 Patch 15
    cpe:2.3:o:freebsd:freebsd:10.1:p15
  • FreeBSD 10.1 Patch 16
    cpe:2.3:o:freebsd:freebsd:10.1:p16
  • FreeBSD 10.1 Patch 2
    cpe:2.3:o:freebsd:freebsd:10.1:p2
  • FreeBSD 10.1 Patch 3
    cpe:2.3:o:freebsd:freebsd:10.1:p3
  • FreeBSD 10.1 Patch 4
    cpe:2.3:o:freebsd:freebsd:10.1:p4
  • FreeBSD 10.1 Patch 5
    cpe:2.3:o:freebsd:freebsd:10.1:p5
  • FreeBSD 10.1 Patch 6
    cpe:2.3:o:freebsd:freebsd:10.1:p6
  • FreeBSD 10.1 Patch 7
    cpe:2.3:o:freebsd:freebsd:10.1:p7
  • FreeBSD 10.1 Patch 8
    cpe:2.3:o:freebsd:freebsd:10.1:p8
  • FreeBSD 10.1 Patch 9
    cpe:2.3:o:freebsd:freebsd:10.1:p9
  • FreeBSD 10.2
    cpe:2.3:o:freebsd:freebsd:10.2
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-400
CAPEC
  • XML Ping of the Death
    An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
  • XML Entity Expansion
    An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
  • Inducing Account Lockout
    An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
  • Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
    XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate: (1) Target CPU through recursion: attacker creates a recursive payload and sends to service provider. (2) Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. (3) XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
nessus via4
NASL family FreeBSD Local Security Checks
NASL id FREEBSD_PKG_0CB9D5BB600A11E6A6C314DAE9D210B8.NASL
description There is a mistake with the introduction of VNET, which converted the global limit on the number of segments that could belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs, the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease. Impact: An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition. As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.
last seen 2019-02-21
modified 2018-12-07
plugin id 92891
published 2016-08-12
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=92891
title FreeBSD : FreeBSD -- Resource exhaustion in TCP reassembly (0cb9d5bb-600a-11e6-a6c3-14dae9d210b8)
refmap via4
bid 76112
freebsd FreeBSD-SA-15:15
sectrack 1033111
Last major update 25-07-2017 - 14:29
Published 25-07-2017 - 14:29
Last modified 20-03-2019 - 09:14