> DragonFlyBSD (the latter three O/S, however, only use this PRNG when
> the kernel flag net.inet.ip.random_id is set to 1; it is 0 by
> default, resulting in a sequential counter being used instead...).
> OpenBSD, NetBSD and FreeBSD also use this PRNG for the IP
> fragmentation ID normalization feature (e.g. "scrub out random-id")
> in the packet filter module.
>
> Somewhat more distant flavors are used for various IPv6 fields
> across many BSD operating systems, which may be affected, and
> some other O/S not mentioned here, including possibly non-BSD O/S,
> may be affected, since this code seems to have been extensively
smooth upgrade.
1. Make sure that your network configuration is compatible with source
port randomization. If you guard your resolver with a stateless packet
filter, you may need to make sure that no non-DNS services listen on
the 1024--65535 UDP port range and open that range at the packet filter.
For instance, packet filters based on etch's Linux 2.6.18 kernel only
support stateless filtering of IPv6 packets and therefore pose this
additional difficulty. (If you use IPv4 with iptables and ESTABLISHED
rules, networking changes are likely not required.)
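Both the quoted BSD fragment (IP ID from a sequential counter unless net.inet.ip.random_id=1) and step 1 above (resolver source ports spread over 1024--65535) come down to one observable: whether a 16-bit header field is drawn from a counter or from a PRNG, and which range it covers. The following is an added example, not code from either advisory. It parses constructed `tcpdump -n` style query lines (documentation-range addresses, traffic that never existed) into source ports and DNS transaction IDs, and applies a counter-versus-random test that works on any such sequence; the `looks_sequential` threshold and the tcpdump line format it assumes are the author's choices here, not anything the advisories specify. IP IDs are only printed by tcpdump with `-v`, so they are not parsed here, but `analyze_field` accepts them as a plain list.

```python
"""Is a 16-bit field (source port, DNS txid, IP ID) a counter or randomized?"""
import re
from dataclasses import dataclass

# Constructed tcpdump output (`tcpdump -n udp dst port 53`); nothing here was captured.
TCPDUMP_SEQUENTIAL = """\
12:00:01.000001 IP 192.0.2.10.32769 > 198.51.100.1.53: 1+ A? a.example. (27)
12:00:01.000002 IP 192.0.2.10.32770 > 198.51.100.1.53: 2+ A? b.example. (27)
12:00:01.000003 IP 192.0.2.10.32771 > 198.51.100.1.53: 3+ A? c.example. (27)
12:00:01.000004 IP 192.0.2.10.32772 > 198.51.100.1.53: 4+ A? d.example. (27)
12:00:01.000005 IP 192.0.2.10.32773 > 198.51.100.1.53: 5+ A? e.example. (27)
"""
TCPDUMP_RANDOMIZED = """\
12:00:02.000001 IP 192.0.2.10.51234 > 198.51.100.1.53: 4091+ A? a.example. (27)
12:00:02.000002 IP 192.0.2.10.1337 > 198.51.100.1.53: 61002+ A? b.example. (27)
12:00:02.000003 IP 192.0.2.10.60001 > 198.51.100.1.53: 213+ A? c.example. (27)
12:00:02.000004 IP 192.0.2.10.4100 > 198.51.100.1.53: 30877+ A? d.example. (27)
12:00:02.000005 IP 192.0.2.10.33333 > 198.51.100.1.53: 9999+ A? e.example. (27)
"""

# "IP <src>.<sport> > <dst>.<dport>: <txid>[+]". \S+ backtracks to the last dot,
# so the same pattern also handles tcpdump's "IP6 2001:db8::1.32769 > ..." form.
_QUERY_RE = re.compile(r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+?")


def parse_queries(text):
    """Return [(source_port, dns_txid), ...] for every line that is a DNS query."""
    out = []
    for line in text.splitlines():
        m = _QUERY_RE.search(line)
        if m:
            out.append((int(m.group(2)), int(m.group(5))))
    return out


@dataclass
class FieldReport:
    samples: int
    distinct: int
    plus_one_steps: int   # consecutive pairs where b == a + 1 (mod 2**bits)
    lowest: int
    highest: int


def analyze_field(values, bits=16):
    """Summarize a sequence of field values (ports, txids, IP IDs read elsewhere)."""
    if not values:
        return FieldReport(0, 0, 0, 0, 0)
    mod = 1 << bits
    steps = sum(1 for a, b in zip(values, values[1:]) if (a + 1) % mod == b)
    return FieldReport(len(values), len(set(values)), steps, min(values), max(values))


def looks_sequential(report, threshold=0.5):
    """A counter yields a +1 step on almost every pair; a PRNG yields one with
    probability about 1/2**bits per pair, so any sizeable fraction means counter."""
    if report.samples < 2:
        return False
    return report.plus_one_steps / (report.samples - 1) >= threshold


def ports_within(ports, low=1024, high=65535):
    """True when every observed source port is inside the range a stateless
    filter must open for replies (the 1024--65535 range named in step 1)."""
    return all(low <= p <= high for p in ports)


if __name__ == "__main__":
    for label, dump in (("sequential", TCPDUMP_SEQUENTIAL),
                        ("randomized", TCPDUMP_RANDOMIZED)):
        ports = [p for p, _ in parse_queries(dump)]
        report = analyze_field(ports)
        print(label, report,
              "counter" if looks_sequential(report) else "randomized",
              "within 1024-65535" if ports_within(ports) else "outside range")
```

Run it against a real capture of the resolver's outgoing queries after the upgrade: a "counter" verdict on the source port means randomization is not in effect, and the lowest/highest values tell you which UDP range the stateless filter has to admit.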
--------------------------------------------------------------------------------
Author : Rembrandt
Date : 2009-04-30
Found : 2009-04-09
Affected Software: PF (OpenBSD Packet Filter)
Affected OS : OpenBSD 4.2 up to 4.5 and HEAD branch up to 2009-04-11
NetBSD 5.x up to RC3 and HEAD branch up to 2009-04-13
MirOS #10 and earlier
MidnightBSD 0.3-current
Not affected OS : FreeBSD
purpose of Delayed Compression in OpenSSH (see CAN-2005-2096 for an example of
why you always want delayed compression). Additionally, the encapsulation means
any attacks that require link-local access can simply be wrapped in ipcomp and
are then routable (that is not good).
Affected servers and devices can use packet filtering to prevent the vulnerable
code from being exercised. On systems with ipfw, a rule based on the following
ipfw/ipfw6 template can be used; adjust it to whitelist expected peers as
appropriate.
# ipfw add deny proto ipcomp
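What `deny proto ipcomp` has to look at is the IPv4 Protocol field, or the IPv6 Next Header chain walked past any extension headers, followed by the IPComp header itself (RFC 3173: Next Header, Flags, CPI; protocol number 108). The following is an added example, not code from the advisory or from FreeBSD: it classifies constructed IPv4 and IPv6 packets as IPComp or not, decodes the IPComp header, and models the "whitelist expected peers" adjustment as a source-address set. The packet builders, the peer-set helper and the zeroed checksums are this example's own assumptions; the header layouts follow the RFCs cited in the comments.

```python
"""Identify IPComp (protocol 108) in IPv4/IPv6 packets and model a peer whitelist."""
import ipaddress
import struct

IPPROTO_IPCOMP = 108
IPPROTO_UDP = 17
# IPv6 extension headers with a (next header, length in 8-octet units minus 1) prefix
# (RFC 8200 section 4): hop-by-hop, routing, destination options, mobility.
IPV6_EXT_HEADERS = {0, 43, 60, 135}
IPV6_FRAGMENT = 44   # fixed 8 octets; its offset says whether the upper-layer header follows


def upper_layer_protocol(pkt):
    """Return (protocol, offset) of the upper-layer header.

    protocol is None for a non-initial IPv6 fragment: the upper-layer header lives
    in another fragment, so a stateless filter cannot classify this one by protocol.
    """
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("truncated IPv4 header")
        return pkt[9], ihl
    if version == 6:
        if len(pkt) < 40:
            raise ValueError("truncated IPv6 header")
        nh, off = pkt[6], 40
        while nh in IPV6_EXT_HEADERS or nh == IPV6_FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated IPv6 extension header")
            if nh == IPV6_FRAGMENT:
                if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                    return None, off
                ext_len = 8
            else:
                ext_len = (pkt[off + 1] + 1) * 8
            nh, off = pkt[off], off + ext_len
        return nh, off
    raise ValueError("not an IPv4/IPv6 packet")


def ipcomp_header(pkt):
    """Decode the IPComp header (RFC 3173 section 2), or None if not IPComp."""
    proto, off = upper_layer_protocol(pkt)
    if proto != IPPROTO_IPCOMP:
        return None
    if len(pkt) < off + 4:
        raise ValueError("truncated IPComp header")
    next_header, flags, cpi = struct.unpack_from("!BBH", pkt, off)
    return {"next_header": next_header, "flags": flags, "cpi": cpi,
            "payload_offset": off + 4}


def source_address(pkt):
    return ipaddress.ip_address(pkt[12:16] if pkt[0] >> 4 == 4 else pkt[8:24])


def peer_set(*addrs):
    """Expected IPsec peers, the whitelist the advisory tells you to add."""
    return frozenset(ipaddress.ip_address(a) for a in addrs)


def should_drop(pkt, allowed_peers=frozenset()):
    """Model of `deny proto ipcomp` relaxed for expected peers."""
    if ipcomp_header(pkt) is None:
        return False
    return source_address(pkt) not in allowed_peers


# --- constructed packets; checksums are left zero and never validated here ---
def ipv4_packet(proto, payload, src="192.0.2.1", dst="198.51.100.7"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def ipv6_packet(nh, payload, src="2001:db8::1", dst="2001:db8::2"):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


IPCOMP_HDR = struct.pack("!BBH", IPPROTO_UDP, 0, 2)            # inner UDP, CPI 2 = DEFLATE
HOPBYHOP_TO_FRAG = bytes([IPV6_FRAGMENT, 0, 1, 4, 0, 0, 0, 0])  # next=44, len 0, PadN(4)
FRAG_FIRST_TO_IPCOMP = struct.pack("!BBHI", IPPROTO_IPCOMP, 0, 0, 0x1234)    # offset 0
FRAG_LATER = struct.pack("!BBHI", IPPROTO_IPCOMP, 0, 1 << 3, 0x1234)         # offset 1


def sample_packets():
    return {
        "v4_ipcomp": ipv4_packet(IPPROTO_IPCOMP, IPCOMP_HDR + b"\x00" * 8),
        "v4_udp": ipv4_packet(IPPROTO_UDP, b"\x00" * 12),
        "v6_ipcomp_behind_ext": ipv6_packet(
            0, HOPBYHOP_TO_FRAG + FRAG_FIRST_TO_IPCOMP + IPCOMP_HDR + b"\x00" * 8),
        "v6_later_fragment": ipv6_packet(IPV6_FRAGMENT, FRAG_LATER + b"\x00" * 8),
    }


if __name__ == "__main__":
    trusted = peer_set("192.0.2.1")
    for name, pkt in sample_packets().items():
        print(name, upper_layer_protocol(pkt), ipcomp_header(pkt),
              "drop" if should_drop(pkt, trusted) else "pass")
```

The non-initial fragment case is the caveat to keep in mind with a stateless rule: the protocol is not visible in that packet, so `should_drop` lets it through, and only reassembly or fragment normalization in front of the filter closes that gap.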
Version affected:
ALL Version 7 systems.
This is easily reproducible. Just set up a BT client behind the Astaro
and do not set up a packet filter and NAT rule for the BT traffic. This
way all the incoming return traffic is blocked. Go download something
like the CentOS DVD torrent. Some machines (like mine) are easy to bring
down. Others take a little longer. The pfilter-reporter.pl file will peg
the CPU for an exorbitant amount of time. Before 7.006 it would take
the machine offline. 7.006 partially mitigates this in my testing, but not fully.