Re: SA-14:19 (Denial of Service in TCP packet processing) and jails issue ?

Mon, 04 May 2015 19:50:21 -0700 

On 5/5/15 5:28 AM, Mike Tancsa wrote:

On 4/29/2015 6:07 PM, Mike Tancsa wrote:


The IP being scanned is in a jail.  If I run the scan to an IP not
associated with the jail, the scan does not complain. Its only on the
jailed IP that the scan flags as problematic for this vulnerability.

If this is a false positive, how can I be sure thats the case ? I have
pcaps of the scan both against the jailed IP (with the scan saying its
vulnerable) and against an IP not associated with the jail, saying its
not an issue.





Anyone have any have any ideas what can be done to mitigate this 
risk if its real, or if its a false positive ?

Firstly I assume you are not talking about a vimage jail?


It seems unlikely that jailing affects that processing. Does the test 
actually try cause the problem to occur? a tcpdump would be really nice.





 To further clarify/describe my test environment, this is a RELENG_9 
box I am testing against. I have a number of IPs aliased to lo0 
associated with jails.  If I run the Qualsys scan against an IP on 
this box that is not associated with a jail, it passes the test for 
SA-14:19.  If I run the test against an IP associated with the jail, 
it fails the test.



e.g. IP 192.168.1.1 is aliased to lo0 and associated with 
jail1.sentex.ca.



If I run the free qualsys scan against jail1.sentex.ca, the test 
fails.  If I stop the jail, and run the qualsys scan against the 
same IP, which is now just an aliased IP on the host machine, it 
passes the test.  I have the pcaps, but I am not sure exactly what I 
am looking for in the data. The test just says it confirmed the 
vulnerability with the following 2 tests,


Tested on port 22 with an injected SYN/RST offset by 16 bytes.
Tested on port 25 with an injected SYN/RST offset by 16 bytes.


What is it about the jail that might be causing either this issue to 
resurface, or give a false positive that its an issue ?



    ---Mike





_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"






















					Reply via email to