FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Resource exhaustion in TCP reassembly

Affected packages
10.1 <= FreeBSD-kernel < 10.1_16
9.3 <= FreeBSD-kernel < 9.3_21
8.4 <= FreeBSD-kernel < 8.4_35

Details

VuXML ID 0cb9d5bb-600a-11e6-a6c3-14dae9d210b8
Discovery 2015-07-28
Entry 2016-08-11

Problem Description:

The introduction of VNET mistakenly converted the global limit on the number of segments that could belong to TCP reassembly queues into a per-VNET limit. Because mbufs are allocated from a single global pool, with a sufficient number of VNETs the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic ceases.

Impact:

An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.
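The accounting flaw and the "16 or more VNETs" threshold above can be made concrete with a small model of the allocator. The following is an added example written for this page, not FreeBSD kernel code: it assumes a constructed global cluster pool (`NMBCLUSTERS`), a reassembly limit of 1/16 of that pool as the advisory states, and a flag that switches between the per-VNET accounting (the defect) and a single global count (the corrected behaviour). `fill_all_queues` enqueues segments on every VNET as far as the accounting permits, and `system_at_risk` encodes the advisory's own threshold as a quick check an administrator could apply to a host's VNET count.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model, not the FreeBSD implementation. Pool size is constructed. */
#define NMBCLUSTERS 1024
#define MAX_VNETS   64

typedef struct {
    int  nmbclusters;             /* size of the single global mbuf cluster pool */
    int  in_use;                  /* clusters on reassembly queues across all VNETs */
    int  nvnets;                  /* number of VNET instances on the host */
    int  qlen[MAX_VNETS];         /* segments queued per VNET */
    bool global_limit;            /* false = per-VNET accounting (the defect),
                                     true  = one global count (corrected) */
} reass_model_t;

static void model_init(reass_model_t *m, int nmbclusters, int nvnets, bool global_limit)
{
    m->nmbclusters  = nmbclusters;
    m->in_use       = 0;
    m->nvnets       = nvnets > MAX_VNETS ? MAX_VNETS : nvnets;
    m->global_limit = global_limit;
    for (int v = 0; v < MAX_VNETS; v++)
        m->qlen[v] = 0;
}

/* Advisory: the default limit is 1/16 of the total number of mbuf clusters. */
static int reass_limit(const reass_model_t *m)
{
    return m->nmbclusters / 16;
}

/* Try to queue one segment on VNET v. With per-VNET accounting only that
 * VNET's queue length is compared against the limit; with global accounting
 * the system-wide count is. Returns true if the segment was accepted. */
static bool reass_enqueue(reass_model_t *m, int v)
{
    int counted = m->global_limit ? m->in_use : m->qlen[v];
    if (counted >= reass_limit(m))
        return false;                 /* reassembly limit reached */
    if (m->in_use >= m->nmbclusters)
        return false;                 /* global pool exhausted */
    m->qlen[v]++;
    m->in_use++;
    return true;
}

/* Queue segments on every VNET until the accounting refuses them.
 * Returns the number of clusters held by reassembly queues afterwards. */
static int fill_all_queues(reass_model_t *m)
{
    bool progress = true;
    while (progress) {
        progress = false;
        for (int v = 0; v < m->nvnets; v++)
            if (reass_enqueue(m, v))
                progress = true;
    }
    return m->in_use;
}

/* The advisory's threshold as a check: an unpatched kernel is exposed only
 * when it runs 16 or more VNET instances. */
static bool system_at_risk(int nvnets, bool patched)
{
    return !patched && nvnets >= 16;
}

int main(void)
{
    reass_model_t m;
    int cases[] = { 4, 15, 16, 32 };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        model_init(&m, NMBCLUSTERS, cases[i], false);
        int held_per_vnet = fill_all_queues(&m);
        model_init(&m, NMBCLUSTERS, cases[i], true);
        int held_global = fill_all_queues(&m);
        printf("vnets=%2d per-VNET accounting holds %4d/%d clusters, "
               "global accounting holds %3d; at risk: %s\n",
               cases[i], held_per_vnet, NMBCLUSTERS, held_global,
               system_at_risk(cases[i], false) ? "yes" : "no");
    }
    return 0;
}
```

With 16 VNETs the per-VNET rule lets reassembly queues hold the entire pool (16 queues of 64 each on a 1024-cluster pool), which is the exhaustion the advisory describes; with a global count the queues never hold more than 64 clusters regardless of how many VNETs exist.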

References

CVE Name CVE-2015-1417
FreeBSD Advisory SA-15:15.tcp