CVE-2023-52881: tcp: do not accept ACK of bytes we never sent
First published: Wed Jan 17 2024(Updated: )
Dear Linux Developers, We're reaching out to you as part of the disclosure process of our research. In our research, which we will present at IEEE Security & Privacy in May 2024, we found that attackers can not only create TCP-spoofed connections (which was already known), but can also reliably transmit IP-spoofed data over such connections. This has security implications for applications that rely on TCP endpoint IP addresses, such as firewalling or host-based authentication (e.g., SMTP/SPF, of DBs). We basically discovered two TCP spoofing primitives. First, attackers can bruteforce the server-chosen send window by acknowledging data that was never sent (what we call "ghost ACKs"; see Figure 3 in the paper). Second, we show that there are side channels that allow the attacker to leak the otherwise-secret server-chosen initial sequence number (ISN). One of these side channels leverages TCP SYN cookies. We believe that the TCP/IP stack can take countermeasures to prevent such attacks, or at least make them harder. For example, we think that TCP endpoints should ignore ghost ACKs, and have some ideas to randomize the TCP backlog queue to prevent the SYN cookie side channel. At the same time, we have disclosed our findings to the IETF folks and hope that they have helpful feedback for us.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| F5 BIG-IP | >=17.1.0<=17.1.1 | |
| F5 BIG-IP | >=16.1.0<=16.1.5 | |
| F5 BIG-IP | >=15.1.0<=15.1.10 | |
| F5 BIG-IQ Centralized Management | >=8.2.0<=8.3.0 | |
| F5 F5OS-A | >=1.7.0<=1.8.0>=1.5.1<=1.5.2 | |
| F5 F5OS-C | >=1.6.0<=1.6.2 | |
| F5 Traffix SDC | =5.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440
- https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc
- https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757
- https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27
- https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a
- https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57
- https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0
- https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2262763
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2279717
- https://access.redhat.com/security/cve/CVE-2023-52881
- https://access.redhat.com/errata/RHSA-2024:4211
- https://access.redhat.com/errata/RHSA-2024:4352
- https://access.redhat.com/errata/RHSA-2024:5281
- https://access.redhat.com/errata/RHSA-2024:6206
- https://bugzilla.redhat.com/show_bug.cgi?id=2258875
- https://my.f5.com/manage/s/article/K000148479
- agent/title
- agent/type
- agent/author
- collector/nvd-api
- source/NVD
- agent/severity
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/event
- agent/references
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-52881
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/f5-advisory
- source/F5
- agent/software-canonical-lookup
- vendor/f5
- canonical/f5 big-ip
- version/f5 big-ip/17.1.0
- version/f5 big-ip/17.1.1
- version/f5 big-ip/16.1.0
- version/f5 big-ip/16.1.5
- version/f5 big-ip/15.1.0
- version/f5 big-ip/15.1.10
- canonical/f5 big-iq centralized management
- version/f5 big-iq centralized management/8.2.0
- version/f5 big-iq centralized management/8.3.0
- canonical/f5 f5os-a
- version/f5 f5os-a/1.7.0
- version/f5 f5os-a/1.8.0
- version/f5 f5os-a/1.5.1
- version/f5 f5os-a/1.5.2
- canonical/f5 f5os-c
- version/f5 f5os-c/1.6.0
- version/f5 f5os-c/1.6.2
- canonical/f5 traffix sdc
- version/f5 traffix sdc/5.2.0