BSD sysctl utilities may not properly disable the packet source route option

bsd-sourceroute (736)

Risk level: High

Description:

The sysctl system configuration control for "do source route" does not prevent source routed packets from being accepted. Whether a system accepts source routed packets is controlled by the sysctl variable net.inet.ip.dosourceroute, which is set to 0 by default, meaning "do not perform IP source routing." A flaw in the kernel's handling of this setting means that source routed packets are still accepted even when the variable is set to zero (0), so on an unpatched system the administrator has no effective way to turn the feature off.

Because a source routed packet lets the sender dictate the path its replies take, an attacker can send packets with a forged source address and still receive the victim's responses, which is what makes TCP connection spoofing trivial. This vulnerability therefore allows remote attackers to spoof TCP connections to affected BSD hosts unless source routed packets are filtered by the routers or firewalls in front of those hosts.
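Since the host-side sysctl cannot be trusted on affected systems, the remedy the advisory points to is filtering source routed packets before they reach the host. The following is an added example, not code from the advisory, X-Force, or any BSD kernel: a small IPv4 option walker of the kind a packet filter or an IDS rule would apply to decide whether a packet carries a Loose (LSRR, option type 0x83) or Strict (SSRR, option type 0x89) Source and Record Route option. The sample packets are constructed inline for the example and are not captures; the addresses and function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IPv4 option type octets from RFC 791 (copy bit, class and number packed). */
#define IPOPT_EOL   0x00   /* end of option list */
#define IPOPT_NOP   0x01   /* no-operation padding */
#define IPOPT_LSRR  0x83   /* loose source and record route */
#define IPOPT_SSRR  0x89   /* strict source and record route */

/* Walk the IPv4 option area and report whether the packet is source routed.
 * Returns 1 if an LSRR or SSRR option is present, 0 if not, and -1 if the
 * header or option list is malformed.  A filter should treat -1 as "drop",
 * so that a deliberately broken option list cannot slip past the check. */
int ip_has_source_route(const uint8_t *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return -1;

    size_t off = 20;                            /* options start after the fixed header */
    while (off < ihl) {
        uint8_t type = buf[off];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {                /* single-byte option, no length field */
            off++;
            continue;
        }
        if (off + 1 >= ihl)                     /* length octet would fall outside the header */
            return -1;
        uint8_t optlen = buf[off + 1];
        if (optlen < 2 || off + optlen > ihl)   /* must cover type+len and stay in header */
            return -1;
        if (type == IPOPT_LSRR || type == IPOPT_SSRR)
            return 1;
        off += optlen;
    }
    return 0;
}

/* Copy the hop addresses of the first source-route option into hops[] (host
 * byte order) so a filter can log the route the attacker asked for.  Returns
 * the number of hops stored, or 0 when the packet is not source routed. */
size_t ip_source_route_hops(const uint8_t *buf, size_t len,
                            uint32_t *hops, size_t max_hops)
{
    if (ip_has_source_route(buf, len) != 1)
        return 0;                                /* option list already validated above */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t off = 20;
    while (off < ihl) {
        uint8_t type = buf[off];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { off++; continue; }
        uint8_t optlen = buf[off + 1];
        if (type == IPOPT_LSRR || type == IPOPT_SSRR) {
            if (optlen < 3) return 0;
            size_t n = (optlen - 3) / 4;         /* type, len, pointer, then 4-byte hops */
            if (n > max_hops) n = max_hops;
            for (size_t i = 0; i < n; i++) {
                const uint8_t *p = buf + off + 3 + 4 * i;
                hops[i] = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
                        | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
            }
            return n;
        }
        off += optlen;
    }
    return 0;
}

/* Constructed sample packets (not captures).  lsrr_pkt is a 28-byte header
 * (IHL 7) with a NOP followed by an LSRR option listing one hop, 10.0.0.1.
 * plain_pkt is an ordinary 20-byte header.  truncated_pkt claims IHL 6
 * (24 bytes) but only 20 bytes are present, so it must be rejected. */
static const uint8_t lsrr_pkt[] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,             /* source 192.0.2.1 (forged by the attacker) */
    198, 51, 100, 1,          /* destination 198.51.100.1 (the BSD host) */
    IPOPT_NOP,                /* padding, as some stacks emit before an option */
    IPOPT_LSRR, 0x07, 0x04,   /* type, length 7, pointer 4 */
    10, 0, 0, 1               /* the single hop the replies must pass through */
};
static const uint8_t plain_pkt[] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x02, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1, 198, 51, 100, 1
};
static const uint8_t truncated_pkt[] = {
    0x46, 0x00, 0x00, 0x14, 0x00, 0x03, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1, 198, 51, 100, 1
};

int main(void)
{
    uint32_t hops[8];
    printf("lsrr_pkt:      %d\n", ip_has_source_route(lsrr_pkt, sizeof lsrr_pkt));
    printf("plain_pkt:     %d\n", ip_has_source_route(plain_pkt, sizeof plain_pkt));
    printf("truncated_pkt: %d\n", ip_has_source_route(truncated_pkt, sizeof truncated_pkt));
    size_t n = ip_source_route_hops(lsrr_pkt, sizeof lsrr_pkt, hops, 8);
    for (size_t i = 0; i < n; i++)
        printf("hop %zu: %u.%u.%u.%u\n", i, hops[i] >> 24, (hops[i] >> 16) & 0xff,
               (hops[i] >> 8) & 0xff, hops[i] & 0xff);
    return 0;
}
```

A filter built on this check drops on a return of 1 and on -1 alike; only 0 passes. Checking the option list on the router is what protects an unpatched host whose net.inet.ip.dosourceroute setting is being ignored, and logging the requested hops shows where the spoofer wanted the victim's replies sent.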

Platforms Affected:

  • FreeBSD, FreeBSD 2.2
  • FreeBSD, FreeBSD 2.2.1
  • FreeBSD, FreeBSD 2.2.2
  • FreeBSD, FreeBSD 2.2.3
  • FreeBSD, FreeBSD 2.2.4
  • FreeBSD, FreeBSD 2.2.5
  • FreeBSD, FreeBSD 2.2.6
  • FreeBSD, FreeBSD 2.2.7
  • FreeBSD, FreeBSD 2.2.8
  • OpenBSD, OpenBSD 2.0
  • OpenBSD, OpenBSD 2.1
  • OpenBSD, OpenBSD 2.2
  • WindRiver, BSDOS

Remedy:

For OpenBSD 2.2 and earlier:
Apply the OpenBSD-current patch, as listed in OpenBSD Security Advisory, February 15, 1998. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Bypass Security

References:

  • OpenBSD Security Advisory, February 15, 1998, IP Source Routing Problem at http://www.openbsd.org/advisories/sourceroute.txt.
  • OpenBSD Security Advisory, February 19, 1998, OpenBSD 2.2 release errata & patch list (search for sourceroute) at http://www.openbsd.org/errata22.html#sourceroute.
  • CVE-1999-0305: The system configuration control (sysctl) facility in BSD based operating systems OpenBSD 2.2 and earlier, and FreeBSD 2.2.5 and earlier, does not properly restrict source routed packets even when the (1) dosourceroute or (2) forwarding variables are set, which allows remote attackers to spoof TCP connections.
  • OSVDB ID: 11502: Multiple BSD sysctl Control Failure Source Routing Attack

Reported:

Feb 15, 1998

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
