net: tcp: add option to disable TCP simultaneous connect

This is modified from Brad Spengler/PaX Team's code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. TCP simultaneous connect adds a weakness in Linux's implementation of TCP that allows two clients to connect to each other without either entering a listening state. The weakness allows an attacker to easily prevent a client from connecting to a known server provided the source port for the connection is guessed correctly. As the weakness could be used to prevent an antivirus or IPS from fetching updates, or prevent an SSL gateway from fetching a CRL, it should be eliminated. This creates a net.ipv4.tcp_simult_connect sysctl that when disabled, disables TCP simultaneous connect. Reviewed-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr> Reviewed-by: Levente Polyak <levente@leventepolyak.net> Signed-off-by: Levente Polyak <levente@leventepolyak.net>
anthraxx · Mar 6, 2024 · 1e95a2c · 1e95a2c
1 parent 5a84494
commit 1e95a2c
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 1 deletion.
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
@@ -666,6 +666,24 @@ tcp_comp_sack_nr - INTEGER
 
 	Default : 44
 
+tcp_simult_connect - BOOLEAN
+	Enable TCP simultaneous connect that adds a weakness in Linux's strict
+	implementation of TCP that allows two clients to connect to each other
+	without either entering a listening state. The weakness allows an attacker
+	to easily prevent a client from connecting to a known server provided the
+	source port for the connection is guessed correctly.
+
+	As the weakness could be used to prevent an antivirus or IPS from fetching
+	updates, or prevent an SSL gateway from fetching a CRL, it should be
+	eliminated by disabling this option. Though Linux is one of few operating
+	systems supporting simultaneous connect, it has no legitimate use in
+	practice and is rarely supported by firewalls.
+
+	Disabling this may break TCP STUNT which is used by some applications for
+	NAT traversal.
+
+	Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
+
 tcp_slow_start_after_idle - BOOLEAN
 	If set, provide RFC2861 behavior and time out the congestion
 	window after an idle period.  An idle period is defined at

diff --git a/include/net/tcp.h b/include/net/tcp.h
@@ -250,6 +250,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
 /* sysctl variables for tcp */
 extern int sysctl_tcp_max_orphans;
 extern long sysctl_tcp_mem[3];
+extern int sysctl_tcp_simult_connect;
 
 #define TCP_RACK_LOSS_DETECTION  0x1 /* Use RACK to detect losses */
 #define TCP_RACK_STATIC_REO_WND  0x2 /* Use static RACK reo wnd */

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
@@ -753,3 +753,26 @@ config TCP_MD5SIG
 	  on the Internet.
 
 	  If unsure, say N.
+
+config TCP_SIMULT_CONNECT_DEFAULT_ON
+	bool "Enable TCP simultaneous connect"
+	help
+	  Enable TCP simultaneous connect that adds a weakness in Linux's strict
+	  implementation of TCP that allows two clients to connect to each other
+	  without either entering a listening state. The weakness allows an
+	  attacker to easily prevent a client from connecting to a known server
+	  provided the source port for the connection is guessed correctly.
+
+	  As the weakness could be used to prevent an antivirus or IPS from
+	  fetching updates, or prevent an SSL gateway from fetching a CRL, it
+	  should be eliminated by disabling this option. Though Linux is one of
+	  few operating systems supporting simultaneous connect, it has no
+	  legitimate use in practice and is rarely supported by firewalls.
+
+	  Disabling this may break TCP STUNT which is used by some applications
+	  for NAT traversal.
+
+	  This setting can be overridden at runtime via the
+	  net.ipv4.tcp_simult_connect sysctl.
+
+	  If unsure, say N.
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
@@ -533,6 +533,15 @@ static struct ctl_table ipv4_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_do_static_key,
 	},
+	{
+		.procname	= "tcp_simult_connect",
+		.data		= &sysctl_tcp_simult_connect,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE,
+	},
 	{ }
 };
 

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
@@ -82,6 +82,7 @@
 #include <net/mptcp.h>
 
 int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
+int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
 
 #define FLAG_DATA		0x01 /* Incoming frame contained data.		*/
 #define FLAG_WIN_UPDATE		0x02 /* Incoming ACK was a window update.	*/
@@ -6285,7 +6286,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
 	    tcp_paws_reject(&tp->rx_opt, 0))
 		goto discard_and_undo;
 
-	if (th->syn) {
+	if (th->syn && sysctl_tcp_simult_connect) {
 		/* We see SYN without ACK. It is attempt of
 		 * simultaneous connect with crossed SYNs.
 		 * Particularly, it can be connect to self.