FreeBSD : FreeBSD -- Resource exhaustion in non-default RACK TCP stack (c294c2e6-b309-11e9-a87f-a4badb2f4699) (ERC)

High Nessus Plugin ID 127551

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service. Impact : An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost.

Solution

Update the affected package.

See Also

http://www.nessus.org/u?11e1ff4f

Plugin Details

Severity: High

ID: 127551

File Name: freebsd_pkg_c294c2e6b30911e9a87fa4badb2f4699.nasl

Version: 1.1

Type: local

Published: 2019/08/12

Updated: 2019/08/12

Dependencies: 12634

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:FreeBSD, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info, Settings/ParanoidReport

Patch Publication Date: 2019/07/30

Vulnerability Publication Date: 2019/06/19

Reference Information

CVE: CVE-2019-5599

FreeBSD: SA-19:08.rack