Re: [lwip-users] handle RST spoofing? CVE-2004-0230


From: address@hidden
Subject: Re: [lwip-users] handle RST spoofing? CVE-2004-0230
Date: Mon, 19 May 2014 21:05:43 +0200
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:24.0) Gecko/20100101 Thunderbird/24.4.0

Fabian Koch wrote:
> according to a Nessus scan, LwIP is vulnerable to CVE-2004-0230, which means that it accepts a spoofed packet with RST flag if the packet's sequence number fits somewhere in the current window.
>
> [..]
>
> The easiest way to handle this attack would be to only accept an incoming RST if the ackno matches the expected sequence. In the other case currently implemented in tcp_process() where the number only matched into the current window, only an ACK is sent back, expecting a re-send of the RST with a correct pair of sequence and ackno.
>
> (also the way FreeBSD fixed it)
>
> Do you think that would be feasible for LwIP or are you more in the Linux Boat, saying “meh.”?


Sorry for replying so late, this question might have been better off on the lwip-devel list...

As an lwIP user, after reading the CVE description, I think we're good with leaving it the way it is. I think so because I can't say I fully understand the implications of the suggested change.

Things might look different depending on the kind of application used, though, so we might want to fix this anyway...

Would you care for a patch implementing the suggested change?


Thanks,
Simon
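
The RST check discussed in this thread, as an added example that is not lwIP code and not code from either poster: it compares accepting any in-window RST with the stricter rule of resetting only on an exact match and answering other in-window RSTs with an ACK. It assumes the exact-match test is made on the segment's sequence number against the next expected receive sequence number, as RFC 5961 section 3.2 specifies; all function, enum and variable names are hypothetical and the probe values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; none are lwIP identifiers. */
enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_ACCEPT };

/* Receive-window test in modulo-2^32 sequence space. The unsigned
 * subtraction stays correct when rcv_nxt + rcv_wnd wraps past zero;
 * with a zero window only rcv_nxt itself is acceptable. */
static int seq_in_window(uint32_t seqno, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return seqno == rcv_nxt || (uint32_t)(seqno - rcv_nxt) < rcv_wnd;
}

/* Behaviour the scan flagged: any in-window RST resets the connection. */
enum rst_action rst_check_window_only(uint32_t seqno, uint32_t rcv_nxt,
                                      uint32_t rcv_wnd)
{
    return seq_in_window(seqno, rcv_nxt, rcv_wnd) ? RST_ACCEPT : RST_DROP;
}

/* Suggested behaviour: only an exact match resets; any other in-window
 * RST is answered with an ACK and the connection stays up. */
enum rst_action rst_check_strict(uint32_t seqno, uint32_t rcv_nxt,
                                 uint32_t rcv_wnd)
{
    if (seqno == rcv_nxt)
        return RST_ACCEPT;
    if (seq_in_window(seqno, rcv_nxt, rcv_wnd))
        return RST_CHALLENGE_ACK;
    return RST_DROP;
}

int main(void)
{
    /* Constructed values: a 4096-byte window that wraps past 2^32. */
    const uint32_t rcv_nxt = 0xFFFFFF00u, rcv_wnd = 0x1000u;
    const uint32_t probes[] = { 0xFFFFFF00u, 0x00000010u, 0x00002000u, 0xFFFFFE00u };
    static const char *names[] = { "drop", "challenge ACK", "accept" };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("seq=0x%08X window-only=%s strict=%s\n", (unsigned)probes[i],
               names[rst_check_window_only(probes[i], rcv_nxt, rcv_wnd)],
               names[rst_check_strict(probes[i], rcv_nxt, rcv_wnd)]);
    return 0;
}
```

With the window-only check a blind sender needs to hit any of `rcv_wnd` sequence values to tear the connection down; with the strict check only one value does, and every near miss produces an ACK that can be counted or rate-limited.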
