(Cisco Plans Fix for ONS) Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service
SecurityTracker Alert ID: 1009894
SecurityTracker URL: http://securitytracker.com/id/1009894
CVE Reference:
CVE-2004-0230
Updated: Apr 22 2004
Original Entry Date: Apr 21 2004
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): ONS 15327, 15454, 15454SDH, and 15600
Description:
A vulnerability was reported in several TCP stack implementations. A remote user may be able to cause denial of service conditions using a TCP reset attack. Cisco's Optical Network Switch series is vulnerable.
The UK National Infrastructure Security Co-Ordination Centre (NISCC) reported that some implementations of the Transmission Control Protocol (TCP) are particularly vulnerable to TCP reset attacks. A remote user can cause TCP sessions to terminate prematurely, causing denial of service conditions.
The specific impact on applications that use TCP depends on the mechanisms built into the application to address premature TCP session termination.
According to the report, NISCC considers the Border Gateway Protocol (BGP) to be one of the most affected applications, as it relies on a persistent TCP session between BGP peer entities. Premature termination of an underlying TCP session may require routing tables to be rebuilt and may cause "route flapping". In the case of BGP, using the TCP MD5 Signature Option and anti-spoofing measures can mitigate the vulnerability.
Other applications, such as Domain Name System (DNS) and Secure Sockets Layer (SSL) based applications, may also be affected, but to a lesser degree, the report said.
A remote user can reportedly send a TCP packet with the RST (reset) flag set (or the SYN flag) with appropriately spoofed source and destination IP addresses and TCP ports to cause the TCP session to be terminated. Ordinarily, a remote user would have a 1 in 2^32 chance of guessing the correct sequence number, the report said. In practice, however, a remote user may guess an acceptable sequence number with much greater probability, because many implementations accept any sequence number within a certain window of the expected one. The Associated Press reports that the proper number can be guessed within as few as four attempts, requiring only seconds to achieve.
The report credits Paul A. Watson for discovering a practical method for conducting TCP reset attacks (presented in "Slipping In The Window: TCP Reset Attacks" at the CanSecWest 2004 conference).
Cisco reports that Cisco ONS 15327, 15454, 15454SDH, and 15600 Optical Transport Platform devices are affected. Cisco has assigned Bug ID CSCed73026.
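The description above turns on one receiver-side decision: whether an RST is honoured for any sequence number inside the receive window or only for the exact expected value. The following Python model is an added example, not part of the SecurityTracker record or of Cisco's advisory. It contrasts the lenient in-window rule the report describes with the exact-match-plus-challenge-ACK rule that RFC 5961 (section 3.2) later standardised as the fix, and quantifies how much of the 32-bit sequence space each rule accepts. The connection parameters and the class and function names are constructed for the example.

```python
"""Model of how a TCP receiver validates an incoming RST segment.

Added example (not from the advisory or from Cisco). It contrasts the
lenient, in-window acceptance the advisory describes with the exact-match
rule plus challenge ACK of RFC 5961, and measures what fraction of the
32-bit sequence space each rule would accept as a valid reset.
All connection values below are constructed sample data.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class TcpConnection:
    """Receiver-side state of one established connection (constructed)."""
    rcv_nxt: int  # RCV.NXT: next sequence number expected from the peer
    rcv_wnd: int  # RCV.WND: advertised receive window in bytes

    def seq_in_window(self, seq: int) -> bool:
        # Modular arithmetic so a window that straddles 2^32 still works.
        offset = (seq - self.rcv_nxt) % SEQ_SPACE
        return offset < self.rcv_wnd


def lenient_rst_check(conn: TcpConnection, seq: int) -> str:
    """Behaviour the advisory describes: any RST whose sequence number
    lands anywhere inside the receive window resets the connection."""
    return "reset" if conn.seq_in_window(seq) else "drop"


def strict_rst_check(conn: TcpConnection, seq: int) -> str:
    """RFC 5961 section 3.2 behaviour: only an RST carrying exactly
    RCV.NXT resets. An in-window but inexact RST earns a challenge ACK;
    a genuine peer that really has closed answers it with a correctly
    numbered RST, while a sender that does not know the exact state
    cannot. Anything outside the window is dropped as before."""
    if seq == conn.rcv_nxt:
        return "reset"
    if conn.seq_in_window(seq):
        return "challenge_ack"
    return "drop"


def rst_acceptance_fraction(conn: TcpConnection, check) -> float:
    """Fraction of the 2^32 sequence space for which `check` resets the
    connection. Both rules accept a contiguous run starting at RCV.NXT,
    so walk that run and stop at the first value that is not accepted.
    Lenient rule: RCV.WND / 2^32 (the report's "certain window");
    strict rule: 1 / 2^32 (the report's "ordinarily" figure)."""
    accepted = 0
    seq = conn.rcv_nxt
    while accepted < SEQ_SPACE and check(conn, seq) == "reset":
        accepted += 1
        seq = (seq + 1) % SEQ_SPACE
    return accepted / SEQ_SPACE


if __name__ == "__main__":
    # A typical 64 KiB receive window (constructed).
    conn = TcpConnection(rcv_nxt=1_000_000, rcv_wnd=65_535)
    for name, check in (("lenient", lenient_rst_check),
                        ("strict", strict_rst_check)):
        frac = rst_acceptance_fraction(conn, check)
        print(f"{name:8s} rule accepts 1 in {round(1 / frac):,} "
              f"sequence numbers as a valid reset")
```

The walk in `rst_acceptance_fraction` is deliberately brute force over the accepted run so that the model, not a closed-form formula, produces the numbers; with a 64 KiB window it visits 65,535 values, which is instant. The defensive takeaway the page states in prose is visible directly: the larger the advertised window, the larger the accepted fraction under the lenient rule, while the strict rule holds the fraction at one value in 2^32 regardless of window size.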
Impact:
A remote user can cause denial of service conditions.
Solution:
Cisco is developing a fixed version (4.14) for the ONS 15327, 15454, and 15454SDH, to be available on April 27, 2004. Cisco plans to issue additional fixed versions (4.62 and 2.25) for those platforms at an unspecified later date. Cisco also plans to issue a fixed version (5.0) for the ONS 15600 at an unspecified later date.
Vendor URL: www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
Cause:
State error
Underlying OS:
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 20 Apr 2004 19:26:33 -0400
Subject: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
Cisco issued an advisory reporting that several non-IOS based products are affected by the recently reported TCP vulnerability.
The following products are confirmed to be affected:
* Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000; see Bug ID CSCed32349. No software availability date has been determined yet.
* Catalyst 1900 and 2820; fixed version 9.00.07 available on 2004-Apr-27.
* Cisco MDS 9000 Family; see Bug ID CSCed45453; a fix is available in versions 1.3(3.8) and 2.0(0.51).
* WS-6624 analog station gateway module for the Catalyst 6500; see Bug ID CSCee22691; no software availability date has been determined yet.
* Cisco Aironet Access Point 340, 350, 1200 Series (only VxWorks-based); see Bug ID CSCee22526; no software availability date has been determined yet. Customers are encouraged by Cisco to migrate to IOS.
* Cisco PIX Firewall; see Bug ID CSCed91445; a fix will be available in versions 6.3.3.132, 6.2.3.109, and 6.1.5.103, with an availability estimate of 2004-Apr-21.
* Cisco ONS 15327, 15454, 15454SDH and 15600 Optical Transport Platform; see Bug ID CSCed73026; a fix will be available in versions 4.62, 4.14, 2.25, to be available on 2004-Apr-27.
Cisco reports that the following products are not vulnerable:
* Cisco VPN 3000 Series Concentrators
* Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series (FWSM)