mirror of https://github.com/acidanthera/audk.git
1904a64bcc
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 REF: https://www.rfc-editor.org/rfc/rfc1948.txt REF: https://www.rfc-editor.org/rfc/rfc6528.txt REF: https://www.rfc-editor.org/rfc/rfc9293.txt Bug Overview: PixieFail Bug #8 CVE-2023-45236 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Updates TCP ISN generation to use a cryptographic hash of the connection's identifying parameters and a secret key. This prevents an attacker from guessing the ISN used for some other connection. This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293. RFC: 9293 Section 3.4.1. Initial Sequence Number Selection A TCP implementation MUST use the above type of "clock" for clock- driven selection of initial sequence numbers (MUST-8), and SHOULD generate its initial sequence numbers with the expression: ISN = M + F(localip, localport, remoteip, remoteport, secretkey) where M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the connection's identifying parameters ("localip, localport, remoteip, remoteport") and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or an attacker could still guess at sequence numbers from the ISN used for some other connection. The PRF could be implemented as a cryptographic hash of the concatenation of the TCP connection parameters and some secret data. For discussion of the selection of a specific hash algorithm and management of the secret key data, please see Section 3 of [42]. For each connection there is a send sequence number and a receive sequence number. The initial send sequence number (ISS) is chosen by the data sending TCP peer, and the initial receive sequence number (IRS) is learned during the connection-establishing procedure. For a connection to be established or initialized, the two TCP peers must synchronize on each other's initial sequence numbers. This is done in an exchange of connection-establishing segments carrying a control bit called "SYN" (for synchronize) and the initial sequence numbers. As a shorthand, segments carrying the SYN bit are also called "SYNs". Hence, the solution requires a suitable mechanism for picking an initial sequence number and a slightly involved handshake to exchange the ISNs. Cc: Saloni Kasbekar <saloni.kasbekar@intel.com> Cc: Zachary Clark-williams <zachary.clark-williams@intel.com> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> |
||
|---|---|---|
| .. | ||
| Application/VConfig | ||
| ArpDxe | ||
| Dhcp4Dxe | ||
| Dhcp6Dxe | ||
| DnsDxe | ||
| DpcDxe | ||
| HttpBootDxe | ||
| HttpDxe | ||
| HttpUtilitiesDxe | ||
| IScsiDxe | ||
| Include | ||
| Ip4Dxe | ||
| Ip6Dxe | ||
| Library | ||
| MnpDxe | ||
| Mtftp4Dxe | ||
| Mtftp6Dxe | ||
| SnpDxe | ||
| TcpDxe | ||
| Test | ||
| TlsAuthConfigDxe | ||
| TlsDxe | ||
| Udp4Dxe | ||
| Udp6Dxe | ||
| UefiPxeBcDxe | ||
| VlanConfigDxe | ||
| WifiConnectionManagerDxe | ||
| Network.dsc.inc | ||
| Network.fdf.inc | ||
| NetworkBuildOptions.dsc.inc | ||
| NetworkComponents.dsc.inc | ||
| NetworkDefines.dsc.inc | ||
| NetworkLibs.dsc.inc | ||
| NetworkPcds.dsc.inc | ||
| NetworkPkg.ci.yaml | ||
| NetworkPkg.dec | ||
| NetworkPkg.dsc | ||
| NetworkPkg.uni | ||
| NetworkPkgExtra.uni | ||
| SecurityFixes.yaml | ||