ESB-2015.2668 - [NetBSD] tcp: Denial of service - Remote/unauthenticated

Date: 22 October 2015
References: ESB-2015.1804  ESB-2015.1911  

             AUSCERT External Security Bulletin Redistribution

                   TCP LAST_ACK state memory exhaustion
                              22 October 2015


        AusCERT Security Bulletin Summary

Product:           tcp
Publisher:         NetBSD
Operating System:  NetBSD
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5358  

Reference:         ESB-2015.1911

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

		 NetBSD Security Advisory 2015-009

Topic:		TCP LAST_ACK state memory exhaustion

Version:	NetBSD-current:		source prior to Mon, Jul 24th 2015
		NetBSD 7.0: 		not affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6: 	affected
		NetBSD 5.2 - 5.2.3: 	affected
		NetBSD 5.1 - 5.1.5: 	affected

Severity:	Potential remote denial of service

Fixed:		NetBSD-current:		Jul 24th, 2015 
		NetBSD-7 branch:	Jul 24th, 2015
		NetBSD-6 branch:	Jul 24th, 2015
		NetBSD-6-1 branch:	Jul 24th, 2015
		NetBSD-6-0 branch:	Jul 24th, 2015
		NetBSD-5 branch:	Jul 24th, 2015
		NetBSD-5-2 branch:	Jul 24th, 2015
		NetBSD-5-1 branch:	Jul 24th, 2015

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


TCP sockets that remain in the LAST_ACK state may hold resources
for an unspecified amount of time, which may lead to denial of
service due to memory exhaustion. This vulnerability has been
assigned CVE-2015-5358.

Technical Details

When a connection is being closed, the TCP socket enters the LAST_ACK
state, in which the kernel waits either for acknowledgement that its
FIN was delivered to the peer or for all retransmissions of that packet
to fail. In certain circumstances a socket in this state may hold a
significant amount of memory (mbufs) for an indefinite time, because
the "persist" timer responsible for cleaning up that memory was
previously deactivated. If an attacker is able to make the attacked
system's sockets enter that state, a remote denial of service through
memory exhaustion is possible.
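As an added illustration, not part of the NetBSD advisory: the shell function below summarises a BSD-style `netstat -an -f inet` listing by peer address, counting the sockets parked in LAST_ACK and summing their Send-Q bytes, which is the buffered data the advisory says may never be released. The sample listing, the threshold and the function names are constructed for this example; on a live host the input would come from `netstat -an -f inet`.

```shell
#!/bin/sh
# Added example (not from the NetBSD advisory): summarise TCP sockets stuck in
# LAST_ACK from BSD-style `netstat -an -f inet` output, grouped by peer address,
# so an operator can see whether one peer is parking many half-closed sockets
# and how many bytes are still queued in their send buffers (Send-Q).
#
# Live use:   netstat -an -f inet | lastack_report 5
# The threshold is an operator's choice, not a value from the advisory.

# Print "peer count send_q_bytes", busiest peer first, for peers holding at
# least $1 sockets in LAST_ACK. Reads netstat output on stdin.
lastack_report() {
    threshold="${1:-1}"
    awk -v thr="$threshold" '
        $1 ~ /^tcp/ && $NF == "LAST_ACK" {
            # BSD netstat writes addresses as host.port; strip the final .port
            peer = $5
            sub(/\.[^.]*$/, "", peer)
            n[peer]++
            q[peer] += $3          # Send-Q column: unsent bytes still buffered
        }
        END {
            for (p in n)
                if (n[p] >= thr)
                    printf "%s %d %d\n", p, n[p], q[p]
        }' | sort -k2,2nr
}

# Exit 0 if any peer is at or above the threshold, 1 otherwise (for cron/alerting).
lastack_exceeds() {
    [ -n "$(lastack_report "$1")" ]
}

# Constructed sample in NetBSD netstat layout (not a real capture):
# 198.51.100.7 holds three LAST_ACK sockets with data queued, two other
# peers hold one each, the rest are unrelated entries that must be ignored.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0    245  192.0.2.10.80          198.51.100.7.51021     LAST_ACK
tcp        0      0  192.0.2.10.80          203.0.113.4.40210      ESTABLISHED
tcp        0   1448  192.0.2.10.80          198.51.100.7.51022     LAST_ACK
tcp        0    512  192.0.2.10.80          198.51.100.7.51023     LAST_ACK
tcp        0     64  192.0.2.10.443         203.0.113.9.33001      LAST_ACK
tcp6       0    900  2001:db8::10.80        2001:db8::feed.44001   LAST_ACK
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  *.514                  *.*'
```

A peer that legitimately closes many connections at once will also appear for a moment; what distinguishes the condition described above is that the count and the queued bytes do not drain, so compare two snapshots taken some minutes apart rather than acting on one.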

Solutions and Workarounds

+ Fix from NetBSD autobuild

The fastest way to upgrade to an unaffected kernel, if you are
running or can run a standard kernel built as part of the NetBSD
release process, is to obtain the corresponding kernel from the
daily NetBSD autobuild output and install it on your system.

You can obtain such kernels from
where they are sorted by NetBSD branch, date, and architecture. To
fix a system running e.g. NetBSD 6.0 or the stable NetBSD 6.0
branch, the most appropriate kernel will be the "netbsd-6-0" kernel.

To fix a system running NetBSD-current, the "HEAD" kernel should
be used.  In all cases, a kernel from an autobuild dated newer than
the fix date for the branch you are using must be used to fix the

+ Fix from source

For all NetBSD versions, if you want to upgrade to a safe kernel
from source, you need to obtain fixed kernel sources, rebuild
and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH        with your architecture (from uname -m),
  KERNCONF    with the name of your kernel configuration file, and
  NEWVERSION  with the CVS version of the fix

File versions containing the fix:

FILE                         HEAD   netbsd-7  netbsd-6  netbsd-6-1 netbsd-6-0
+--------------------------- -----  --------- --------- ---------- ----------
src/sys/netinet/tcp_input.c  1.179  1.334.2.2 1.321.2.1 1.321.8.1  1.321.6.1
src/sys/netinet/tcp_output.c 1.184

FILE                         netbsd-5   netbsd-5-2     netbsd-5-1
+--------------------------- ---------- -------------- -------------

To update from CVS, re-build, and re-install the kernel:

	# cd src
	# cvs update -d -P -r NEWVERSION src/sys/netinet/tcp_input.c
	# cvs update -d -P -r NEWVERSION src/sys/netinet/tcp_output.c
	# ./build.sh kernel=KERNCONF
	# mv /netbsd /netbsd.old
	# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
	# shutdown -r now
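As an added example, not from the advisory: a small POSIX sh check that combines the affected-release table and the fix date above to classify a kernel from its `uname -r` and `uname -v` strings, so an administrator can confirm that a freshly installed autobuild or self-built kernel is actually newer than the fix. The release ranges and the 24 July 2015 date come from the advisory and the uname layout is NetBSD's standard one; the function names, the stable-branch version patterns and the sample strings are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not part of the NetBSD advisory): decide from `uname -r` and
# `uname -v` strings whether a NetBSD kernel still needs the SA2015-009 fix.
# Release ranges and the fix date are from the advisory; the uname -v layout
# ("NetBSD 6.1.5 (GENERIC) #0: Mon Sep 22 12:34:56 UTC 2014 user@host:...")
# is NetBSD's standard format. Function names and samples are illustrative.
#
# Live use:   sa2015_009_status "$(uname -r)" "$(uname -v)"

FIX_DATE=20150724   # every branch was fixed on Jul 24th, 2015

# 0 if the release string falls in an affected range, 1 otherwise.
release_affected() {
    case "$1" in
        5.1|5.1.[1-5]) return 0 ;;     # NetBSD 5.1 - 5.1.5
        5.2|5.2.[1-3]) return 0 ;;     # NetBSD 5.2 - 5.2.3
        6.0|6.0.[1-6]) return 0 ;;     # NetBSD 6.0 - 6.0.6
        6.1|6.1.[1-5]) return 0 ;;     # NetBSD 6.1 - 6.1.5
        5.*_STABLE|6.*_STABLE|7.99.*)  # stable branches / -current (assumed
            return 0 ;;                # naming): the build date decides
        *) return 1 ;;                 # 7.0 and later releases are not affected
    esac
}

# 0 if the build stamp in a `uname -v` string is later than FIX_DATE,
# 1 if it is on or before that date, 2 if the string is not understood.
# Parsed in awk so it works without GNU date(1).
kernel_built_after_fix() {
    printf '%s\n' "$1" | awk -v fix="$FIX_DATE" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        {
            # the build stamp follows the "#N:" token: Wkd Mon DD HH:MM:SS TZ YYYY
            for (i = 1; i <= NF; i++) if ($i ~ /^#[0-9]+:$/) break
            if (i + 6 > NF || !($(i+2) in mon)) exit 2
            ymd = $(i+6) * 10000 + mon[$(i+2)] * 100 + $(i+3)
            exit (ymd > fix) ? 0 : 1
        }'
}

# Combined verdict: prints "vulnerable", "patched" or "not-affected".
sa2015_009_status() {
    release="$1"; version="$2"
    if ! release_affected "$release"; then
        echo not-affected
    elif kernel_built_after_fix "$version"; then
        echo patched
    else
        echo vulnerable
    fi
}
```

The advisory requires a kernel "dated newer than the fix date", so a build stamped on 24 July 2015 itself is reported as vulnerable; a kernel whose `uname -v` does not carry the usual build stamp is also treated as unpatched rather than silently passed.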

For more information on how to do this, see:

Thanks To

Matt Thomas for fixing this issue.
Lawrence Stewart (Netflix, Inc.) and Jonathan Looney (Juniper SIRT) for
reporting this issue.

Revision History

	2015-10-22	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2015, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$Id: NetBSD-SA2015-009.txt,v 1.2 2015/10/22 00:02:31 tonnerre Exp $

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.