[Dshield] Vulnerability Issues in TCP

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Wed Apr 21 12:07:55 GMT 2004


list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org> wrote on Wednesday, April
21, 2004 2:30 PM UTC+3 on behalf of Peter Stendahl-Juvonen

Please accept my apology for omitting the first link (added below):

| FYI, for those interested or concerned:
| 
| (This vulnerability does not necessarily affect so-called home users' data systems.)
| 
| National Infrastructure Security Co-ordination Centre
| NISCC Vulnerability Advisory 236929
| Vulnerability Issues in TCP
| Release Date 20 April 2004 Last Revision 21 April 2004

http://www.uniras.gov.uk/vuls/2004/236929/tcp.htm

| 
| What is Affected?
| 
| The vulnerability described in this advisory affects implementations of the Transmission Control
| Protocol (TCP) that comply with the Internet Engineering Task Force's (IETF's) Requests For
| Comments (RFCs) for TCP, including RFC 793, the original specification, and RFC 1323, TCP
| Extensions for High Performance.
| 
| TCP is a core network protocol used in the majority of networked computer systems today. Many
| vendors include support for this protocol in their products and may be impacted to varying
| degrees. Furthermore any network service or application that relies on a TCP connection will
| also be impacted, the severity depending primarily on the duration of the TCP session.
| 
| Severity
| 
| The impact of this vulnerability varies by vendor and application, but in some deployment
| scenarios it is rated critical. Please see the vendor section below for further information.
| Alternatively contact your vendor for product specific information.
| 
| If exploited, the vulnerability could allow an attacker to create a Denial of Service condition
| against existing TCP connections, resulting in premature session termination. The resulting
| session termination will affect the application layer, the nature and severity of the effects
| being dependent on the application layer protocol. The primary dependency is on the duration of
| the TCP connection, with a further dependency on knowledge of the network (IP) addresses of the
| end points of the TCP connection.
| 
| The Border Gateway Protocol (BGP) is judged to be potentially most affected by this
| vulnerability. 
| 
| BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in
| medium term unavailability due to the need to rebuild routing tables and route flapping.  Route
| flapping may result in route dampening (suppression) if the route flaps occur frequently within a
| short time interval.  The overall impact on BGP is likely to be moderate based on the likelihood
| of successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then
| the impact will be low as these measures will successfully mitigate the vulnerability.
| 
| There is a potential impact on other application protocols such as DNS (Domain Name System) and
| SSL (Secure Sockets Layer) in the case of zone transfers and ecommerce transactions
| respectively, but the duration of the sessions is relatively short and the sessions can be
| restarted without medium term unavailability problems. In the case of SSL it may be difficult to
| guess the source IP address.
| 
| Data injection may be possible. However, this has not been demonstrated and appears to be
| problematic.
| 
| ***
| 
| The Internet Society, Network Working Group
| Transmission Control Protocol security considerations
| 
| http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
| 
| ***
| 
| Common Vulnerabilities and Exposures (CVE) CAN-2004-0230 (under review)
| 
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230
| 
| (Essentially empty when last visited)
| 
| ***
| 
| Open Source Vulnerability Database (OSVDB)
| TCP Reset Spoofing
| Description:
| The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial
| of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted
| TCP stack, and will result in loss of availability for the attacked TCP services.
| 
| Products:
|     * Cisco IOS All Versions
|     * Microsoft Windows All Versions
|     * Linux Linux All Versions
|     * Nokia IPSO All Versions
|     * Hewlett-Packard HP-UX All Versions
|     * Juniper Router All Versions
|     * Check Point FireWall-1 Prior to R55 HFA-03
|     * Cray Unicos All Versions
| 
| Solution:
| Install vendor upgrades or patches to resolve this issue. Routers using BGP are highly
| recommended to implement RFC-2385 (BGP TCP MD5 Signatures) as a work-around.
| 
| http://www.osvdb.org/displayvuln.php?osvdb_id=4030
| 
| *****
| 
| Please find below links to Cisco advisories:
| 
| 
| Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Products
| 
| Summary
| 
| <snip>
| All Cisco products which contain TCP stack are susceptible to this vulnerability.
| <snip>
| 
| 
| Cisco Security Advisory: TCP Vulnerabilities in Multiple Non-IOS Cisco Products
| 
| Summary
| 
| <snip>
| All Cisco products which contain a TCP stack are susceptible to this vulnerability.
| <snip>
| 
| http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
| 
| 
| 
| Another Cisco vulnerability (For Public Release 2004 April 20 UTC 2100)
| 
| Cisco Security Advisory: Vulnerabilities in SNMP Message Processing
| 
| http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
| 
| 
| - Pete
| 
| 
|             "Man is the only creature that strives to surpass himself,
|                        and yearns for the impossible."
|            Eric Hoffer (1902 - 1983); US writer and philosopher.
| 
| 
| _______________________________________________
| list mailing list
| list at lists.dshield.org
| To change your subscription options (or unsubscribe), see:
| http://www.dshield.org/mailman/listinfo/list
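The advisory quoted above turns on two facts: under RFC 793 a receiver honours any RST whose sequence number falls inside its receive window, so the window size and the lifetime of the session set the exposure, and the mitigations the advisory names (the tcpsecure draft's stricter RST check, and the RFC 2385 TCP MD5 signature option recommended for BGP) narrow or close that acceptance. The Python model below is added here as an illustration; it is not code from the NISCC advisory, the tcpsecure draft, OSVDB or any vendor's TCP stack. It implements a receiver-side decision function that applies both RST rules and the MD5 digest check to sample segments. The addresses, ports, window, sequence numbers and shared key are constructed values, and the segment layout is an option-free simplification of a real TCP header.

```python
"""Receiver-side model of RST acceptance under RFC 793, under the tcpsecure
draft (later RFC 5961), and with RFC 2385 TCP MD5 signatures in use.
Added illustration with constructed values; not a vendor implementation."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Optional

SEQ_MOD = 1 << 32          # sequence numbers are 32-bit and wrap
RST, ACK = 0x04, 0x10      # TCP flag bits


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), honouring 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int                     # next sequence number the receiver expects
    rcv_wnd: int                     # advertised receive window in bytes
    md5_key: Optional[bytes] = None  # RFC 2385 shared secret; None = option not in use


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes = b""
    md5: Optional[bytes] = None      # 16-byte digest carried in the RFC 2385 option, if any


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the IP pseudo-header, the TCP header with
    options excluded and checksum zero, the segment data, and finally the key.
    This model header carries no options, so the pseudo-header length is 20 + data."""
    tcp_len = 20 + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, 6, tcp_len))          # zero, protocol TCP, length
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      5 << 4, seg.flags, seg.window, 0, 0)  # data offset 5, checksum 0, urg 0
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()


def rst_rfc793(conn: Connection, seq: int) -> str:
    """RFC 793 rule: any RST whose sequence number is in the window aborts the connection."""
    return "reset" if in_window(seq, conn.rcv_nxt, conn.rcv_wnd) else "drop"


def rst_tcpsecure(conn: Connection, seq: int) -> str:
    """tcpsecure rule: abort only on an exact RCV.NXT match. An in-window but
    inexact RST draws a challenge ACK, which lets a genuine peer resend a RST
    with the right number while a guessed one achieves nothing."""
    if not in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "drop"
    return "reset" if seq == conn.rcv_nxt else "challenge-ack"


def process(conn: Connection, seg: Segment,
            rst_rule: Callable[[Connection, int], str]) -> str:
    """Decision for one incoming segment: signature check first, then RST handling."""
    if conn.md5_key is not None:
        expected = tcp_md5_digest(seg, conn.md5_key)
        if seg.md5 is None or not hmac.compare_digest(seg.md5, expected):
            return "drop: bad or missing TCP MD5 signature"
    if seg.flags & RST:
        return rst_rule(conn, seg.seq)
    return "deliver"  # ordinary data/ACK processing is outside this model


def reset_accepting_seqs(conn: Connection, rule: Callable[[Connection, int], str]) -> int:
    """Count sequence numbers that abort the connection under a rule. Scanning the
    window plus one value either side suffices; everything else is out of window."""
    lo, hi = conn.rcv_nxt - 1, conn.rcv_nxt + conn.rcv_wnd + 1
    return sum(1 for s in range(lo, hi) if rule(conn, s % SEQ_MOD) == "reset")


def demo() -> dict:
    """Constructed sample: a BGP session (port 179) with a 16 KiB receive window."""
    def rst(seq: int) -> Segment:
        return Segment("192.0.2.1", "192.0.2.2", 40000, 179, seq, 0, RST, 0)

    bgp = Connection(rcv_nxt=1_000_000, rcv_wnd=16384)
    results = {
        "exact_793": process(bgp, rst(1_000_000), rst_rfc793),
        "exact_secure": process(bgp, rst(1_000_000), rst_tcpsecure),
        "inwindow_793": process(bgp, rst(1_005_000), rst_rfc793),
        "inwindow_secure": process(bgp, rst(1_005_000), rst_tcpsecure),
        "outside": process(bgp, rst(2_000_000), rst_rfc793),
        # window straddling the 2^32 wrap point: still in window
        "wrap": process(Connection(rcv_nxt=SEQ_MOD - 100, rcv_wnd=16384), rst(50), rst_rfc793),
    }
    # Same session with RFC 2385 signatures: unsigned or wrongly keyed RSTs never reach the RST logic.
    key = b"constructed-shared-secret"
    signed = Connection(rcv_nxt=1_000_000, rcv_wnd=16384, md5_key=key)
    good = rst(1_000_000)
    good.md5 = tcp_md5_digest(good, key)
    bad = rst(1_000_000)
    bad.md5 = tcp_md5_digest(bad, b"wrong-key")
    results["signed_ok"] = process(signed, good, rst_rfc793)
    results["unsigned"] = process(signed, rst(1_000_000), rst_rfc793)
    results["wrong_key"] = process(signed, bad, rst_rfc793)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
    c = Connection(rcv_nxt=1_000_000, rcv_wnd=16384)
    print("RFC 793 accepting seqs:", reset_accepting_seqs(c, rst_rfc793))
    print("tcpsecure accepting seqs:", reset_accepting_seqs(c, rst_tcpsecure))
```

The counts at the end make the advisory's point about window size concrete: with RFC 793 semantics every one of the 16384 in-window values aborts the session, with the tcpsecure rule only the single RCV.NXT value does, and with RFC 2385 in use an unsigned or wrongly keyed segment is discarded before the sequence number is even looked at. That is why the advisory rates BGP with MD5 signatures and anti-spoofing as low impact.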