Openindiana SunOS 5.11 TCP Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Openindiana, kernel SunOS 5.11. The issue arises in the processing of TCP packets with the RST or SYN flags, where the operating system accepts a wide range of sequence numbers. Instead of requiring the sequence number to precisely match the expected value, Openindiana allows numbers to fall within the current receive window, violating RFC 5961. This flaw enables attackers to send multiple random TCP RST or SYN packets that exploit the lenient sequence number acceptance, disrupting normal connections and causing a denial-of-service condition.

Impact

Exploitation of this vulnerability disrupts normal TCP connections, causing a denial-of-service condition on the affected system.

Reproduction

The vulnerability can be reproduced by sending TCP RST or SYN packets with random sequence numbers that fall within the receive window. This can be automated using a Python script, such as 'poc-rst.py' or 'poc-syn.py', which are available on GitHub. The 'poc-rst.py' script sends RST packets that interrupt established connections, while the 'poc-syn.py' script sends SYN packets that also cause a disruption by eliciting a RST+ACK response from the server. The 'socketAdapter.c' file, also available on GitHub, can be compiled and run on the Openindiana system to facilitate the testing process by managing TCP connections and ports.