[Dshield] Vulnerability Issues in TCP

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Wed Apr 21 11:30:00 GMT 2004


FYI, for those interested or concerned:

(This vulnerability does not necessarily affect so-called home users' data systems.)

National Infrastructure Security Co-ordination Centre
NISCC Vulnerability Advisory 236929
Vulnerability Issues in TCP
Release Date 20 April 2004 Last Revision 21 April 2004

What is Affected?

The vulnerability described in this advisory affects implementations of the Transmission Control
Protocol (TCP) that comply with the Internet Engineering Task Force's (IETF's) Requests For
Comments (RFCs) for TCP, including RFC 793, the original specification, and RFC 1323, TCP
Extensions for High Performance.

TCP is a core network protocol used in the majority of networked computer systems today. Many
vendors include support for this protocol in their products and may be impacted to varying degrees.
Furthermore any network service or application that relies on a TCP connection will also be
impacted, the severity depending primarily on the duration of the TCP session.

Severity

The impact of this vulnerability varies by vendor and application, but in some deployment scenarios
it is rated critical. Please see the vendor section below for further information. Alternatively
contact your vendor for product specific information.

If exploited, the vulnerability could allow an attacker to create a Denial of Service condition
against existing TCP connections, resulting in premature session termination. The resulting session
termination will affect the application layer, the nature and severity of the effects being
dependent on the application layer protocol. The primary dependency is on the duration of the TCP
connection, with a further dependency on knowledge of the network (IP) addresses of the end points
of the TCP connection.

The Border Gateway Protocol (BGP) is judged to be potentially most affected by this vulnerability.

BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in
medium term unavailability due to the need to rebuild routing tables and route flapping.  Route
flapping may result in route dampening (suppression) if the route flaps occur frequently within a
short time interval.  The overall impact on BGP is likely to be moderate based on the likelihood of
successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then the
impact will be low as these measures will successfully mitigate the vulnerability.

There is a potential impact on other application protocols such as DNS (Domain Name System) and SSL
(Secure Sockets Layer) in the case of zone transfers and ecommerce transactions respectively, but
the duration of the sessions is relatively short and the sessions can be restarted without medium
term unavailability problems. In the case of SSL it may be difficult to guess the source IP
address.

Data injection may be possible. However, this has not been demonstrated and appears to be
problematic.

***

The Internet Society, Network Working Group
Transmission Control Protocol security considerations

http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

***

Common Vulnerabilities and Exposures (CVE) CAN-2004-0230 (under review)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230

(Essentially empty when last visited)

***

Open Source Vulnerability Database (OSVDB)
TCP Reset Spoofing
Description:
The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of
service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP
stack, and will result in loss of availability for the the attacked TCP services.

Products:
    * Cisco IOS All Versions
    * Microsoft Windows All Versions
    * Linux Linux All Versions
    * Nokia IPSO All Versions
    * Hewlett-Packard HP-UX All Versions
    * Juniper Router All Versions
    * Check Point FireWall-1 Prior to R55 HFA-03
    * Cray Unicos All Versions

Solution:
Install vendor upgrades or patches to resolve this issue. Routers using BGP are highly recommended
to implement RFC-2385 (BGP TCP MD5 Signatures) as a work-around.

http://www.osvdb.org/displayvuln.php?osvdb_id=4030

*****

Please find below links to Cisco advisories-


Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Products

Summary

<snip>
All Cisco products which contain TCP stack are susceptible to this vulnerability.
<snip>


Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS Cisco Products

Summary

<snip>
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
<snip>

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml



Another Cisco vulnerability (For Public Release 2004 April 20 UTC 2100)

Cisco Security Advisory: Vulnerabilities in SNMP Message Processing

http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml


- Pete


            "Man is the only creature that strives to surpass himself, 
                       and yearns for the impossible." 
           Eric Hoffer (1902 - 1983); US writer and philosopher.





More information about the list mailing list