(Cisco Issues Fix for IOS and IOS Firewall) Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service
SecurityTracker Alert ID: 1009890
SecurityTracker URL: http://securitytracker.com/id/1009890
CVE Reference: CVE-2004-0230
Date: Apr 20 2004
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Description:
A vulnerability was reported in several TCP stack implementations. A remote user may be able to cause denial of service conditions using a TCP reset attack. Cisco IOS is affected.
The UK National Infrastructure Security Co-Ordination Centre (NISCC) reported that some implementations of the Transmission Control Protocol (TCP) are particularly vulnerable to TCP reset attacks. A remote user can cause TCP sessions to terminate prematurely, causing denial of service conditions.
The specific impact on applications that use TCP depends on the mechanisms built into the application to address premature TCP session termination.
According to the report, NISCC considers the Border Gateway Protocol (BGP) to be one of the most affected applications, as it relies on a persistent TCP session between BGP peer entities. Premature termination of an underlying TCP session may require routing tables to be rebuilt and may cause "route flapping". In the case of BGP, using the TCP MD5 Signature Option and anti-spoofing measures can mitigate the vulnerability.
Other applications, such as Domain Name System (DNS) and Secure Sockets Layer (SSL)-based applications, may also be affected, but to a lesser degree, the report said.
A remote user can reportedly send a TCP packet with the RST (reset) flag set (or the SYN flag) with the appropriate spoofed source and destination IP addresses and TCP ports to cause the TCP session to be terminated. Ordinarily, a remote user would have a probability of 1 in 2^32 of guessing the correct sequence number, the report said. In practice, however, a remote user may guess an acceptable sequence number with much greater probability, because many implementations accept any sequence number that falls within the advertised receive window rather than only the exact expected value, so the attacker needs only one guess per window-sized slice of the 32-bit sequence space. The Associated Press reported that the proper number can be guessed in as few as four attempts, requiring only seconds.
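The in-window acceptance test described above, and the TCP MD5 Signature Option (RFC 2385) that the report recommends for BGP, modeled in Python as an added example; this is not code from SecurityTracker, NISCC or Cisco. The addresses, ports, sequence numbers and key are constructed for illustration. The exact-match rule shown beside the RFC 793 in-window rule is the hardening later standardized in RFC 5961, which this advisory predates; it is included to show what the weaker check should have been.

```python
"""Blind TCP RST acceptance (CVE-2004-0230) and the TCP MD5 Signature Option.
Added example, not code from SecurityTracker, NISCC or Cisco. All sample
addresses, ports, sequence numbers and keys are constructed."""
import hashlib
import hmac
import ipaddress
import math
import struct
from dataclasses import dataclass
from typing import Optional

SEQ_MOD = 1 << 32
TCP_FLAG_RST = 0x04
TCPOPT_MD5SIG = 19          # option kind assigned by RFC 2385
TCPOPT_MD5SIG_LEN = 18      # kind(1) + length(1) + 16-byte digest


@dataclass
class Connection:
    """Receiver-side state of one established TCP connection (constructed)."""
    local_ip: str
    remote_ip: str
    rcv_nxt: int                      # next sequence number expected from the peer
    rcv_wnd: int                      # advertised receive window, after scaling
    md5_key: Optional[bytes] = None   # None: TCP MD5 Signature Option not configured
    exact_seq_only: bool = False      # False: RFC 793 in-window RST acceptance (the weakness)
                                      # True:  RST honoured only when SEQ == RCV.NXT (RFC 5961 rule)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 test RCV.NXT <= SEQ < RCV.NXT + RCV.WND, modulo 2^32 (handles wrap)."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def blind_rst_guesses(rcv_wnd: int) -> int:
    """Spoofed RSTs needed to guarantee one lands in a window of size rcv_wnd:
    one guess per window-sized slice of the 32-bit sequence space."""
    return math.ceil(SEQ_MOD / rcv_wnd)


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385 digest: MD5(pseudo-header || fixed 20-byte TCP header with the
    checksum zeroed (options excluded) || segment data || connection key)."""
    data_off = (segment[12] >> 4) * 4
    fixed_hdr = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo_header(src_ip, dst_ip, len(segment)) + fixed_hdr
                       + segment[data_off:] + key).digest()


def md5_option(segment: bytes) -> Optional[bytes]:
    """Walk the TCP options and return the 16-byte MD5 signature, if present."""
    data_off = (segment[12] >> 4) * 4
    opts, i = segment[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No-Operation
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                           # truncated or malformed option
        length = opts[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return opts[i + 2:i + 18]
        i += length
    return None


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int,
                  flags: int, window: int, payload: bytes = b"",
                  key: Optional[bytes] = None) -> bytes:
    """Build a TCP segment (no IP header). With a key, append a signed MD5 option
    padded with two NOPs to a 32-bit boundary. The TCP checksum is left zero."""
    options = b""
    if key is not None:
        options = struct.pack("!BB", TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN) + bytes(16) + b"\x01\x01"
    doff_words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff_words << 4, flags, window, 0, 0)
    segment = header + options + payload
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, segment, key)   # option bytes are not covered
        segment = header + options[:2] + digest + options[18:] + payload
    return segment


def rst_tears_down(conn: Connection, src_ip: str, segment: bytes) -> bool:
    """Does the receiver abort the connection on this (possibly spoofed) segment?"""
    if not segment[13] & TCP_FLAG_RST:
        return False
    if conn.md5_key is not None:
        sig = md5_option(segment)
        if sig is None or not hmac.compare_digest(
                sig, tcp_md5_digest(src_ip, conn.local_ip, segment, conn.md5_key)):
            return False    # unsigned or forged signature: dropped before any sequence check
    seq = struct.unpack("!I", segment[4:8])[0]
    if conn.exact_seq_only:
        return seq == conn.rcv_nxt
    return seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd)
```

With the in-window rule a RST whose sequence number is anywhere inside the 16384-byte constructed window tears the connection down, so `blind_rst_guesses(65535)` is 65538 segments for an unscaled window and window scaling shrinks that count further; with `exact_seq_only=True` the same segment is ignored. Once `md5_key` is set, `rst_tears_down` verifies the RFC 2385 signature before it looks at the sequence number at all, which is why the report recommends the option for long-lived BGP sessions: a spoofer who does not hold the key cannot produce an acceptable RST no matter how well the sequence number is guessed.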
The report credits Paul A. Watson for discovering a practical method for conducting TCP reset attacks (presented in "Slipping In The Window: TCP Reset Attacks" at the CanSecWest 2004 conference).
Cisco reported that all Cisco products which contain a TCP stack are susceptible to this vulnerability, including Cisco IOS.
Cisco reports that in general, all TCP-based protocols where a TCP connection stays established for longer than one minute should be considered at risk.
For Cisco IOS, Cisco has assigned Bug IDs CSCed27956 and CSCed38527 to this vulnerability. For Cisco IOS, only TCP sessions terminated on the device itself are affected.
For Cisco IOS Firewall (IOS FW), all TCP sessions passing through the Cisco IOS FW are vulnerable, even if the originating and receiving devices themselves are not vulnerable. Cisco has assigned Bug ID CSCed93836 to this vulnerability.
The Cisco PSIRT has identified the Border Gateway Protocol (BGP) as the protocol which has the greatest potential for impact. This includes both external and internal (eBGP and iBGP) sessions, the report said. If a BGP session between two routers is interrupted, then all routes that had been advertised between these two peers will be immediately withdrawn.
If a BGP peering session is interrupted a few times within a short time interval, then BGP route dampening may be invoked (if enabled), the report said. Affected routes will be removed from the routing table for a default period of 45 minutes.
Impact:
A remote user can cause denial of service on the target TCP session. For Cisco IOS, only sessions that terminate or are generated at the device are affected. For Cisco IOS Firewall, all TCP sessions that pass through the device are also affected.
Solution:
Cisco has issued fixes. Refer to the Cisco advisory for a table showing the appropriate fixes for each release, available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
Vendor URL: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
Cause:
State error
Underlying OS:
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 20 Apr 2004 17:58:21 -0400
Subject: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
Cisco Security Advisory: TCP Vulnerabilities in Multiple IOS-Based Cisco Products
Document ID: 50960
Cisco reported that all Cisco products which contain a TCP stack are susceptible to this vulnerability, including Cisco IOS.
Cisco reports that in general, all TCP-based protocols where a TCP connection stays established for longer than one minute should be considered at risk.
For Cisco IOS, Cisco has assigned Bug IDs CSCed27956 and CSCed38527 to this vulnerability. For Cisco IOS, only TCP sessions terminated on a device are affected.
For Cisco IOS Firewall (IOS FW), all TCP sessions passing through the Cisco IOS FW are vulnerable, even if the originating and receiving devices themselves are not vulnerable. Cisco has assigned Bug ID CSCed93836 to this vulnerability.
The Cisco PSIRT has identified the Border Gateway Protocol (BGP) as the protocol which has the greatest potential for impact. This includes both external and internal (eBGP and iBGP) sessions, the report said. If a BGP session between two routers is interrupted, then all routes that had been advertised between these two peers will be immediately withdrawn.
If a BGP peering session is interrupted a few times within a short time interval, then BGP route dampening may be invoked (if enabled), the report said. Affected routes will be removed from the routing table for a default period of 45 minutes.
Cisco has issued fixes. Refer to the Cisco advisory for a table showing the appropriate fixes for each release.