SecurityTracker.com
Category:   Networking Stack (TCP/IP)  >   APC Devices
Vendors:   American Power Conversion Corp.
(APC Issues Advisory) Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service
SecurityTracker Alert ID:  1010252
SecurityTracker URL:  http://securitytracker.com/id/1010252
CVE Reference:   CVE-2004-0230
Date:  May 21 2004
Impact:   Denial of service via network
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in several TCP stack implementations. A remote user may be able to cause denial of service conditions using a TCP reset attack. APC devices are affected.

The UK National Infrastructure Security Co-Ordination Centre (NISCC) reported that some implementations of the Transmission Control Protocol (TCP) are particularly vulnerable to TCP reset attacks. A remote user can cause TCP sessions to terminate prematurely, causing denial of service conditions.

The specific impact on applications that use TCP depends on the mechanisms built into the application to address premature TCP session termination.

According to the report, NISCC considers the Border Gateway Protocol (BGP) to be one of the most affected applications, as it relies on a persistent TCP session between BGP peer entities. Premature termination of an underlying TCP session may require routing tables to be rebuilt and may cause "route flapping". In the case of BGP, using the TCP MD5 Signature Option and anti-spoofing measures can mitigate the vulnerability.
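The TCP MD5 Signature Option mentioned above (RFC 2385) is the mitigation BGP operators reach for: each segment carries a digest over the pseudo-header, the TCP header, the payload and a shared key, so a receiver discards any segment, including a forged RST, whose sender does not hold the key. The following is an added illustration written for this entry; it is not code from SecurityTracker, NISCC or any vendor named here. It assumes IPv4, uses the documentation addresses 192.0.2.1/192.0.2.2, the BGP port 179, and a constructed key and payload as sample values.

```python
"""RFC 2385 TCP MD5 Signature Option: computing and verifying the digest that
BGP peers use to reject forged segments (including RSTs) from anyone who does
not hold the shared key.

Added example for illustration; not code from SecurityTracker, NISCC or any
vendor named in the entry. Addresses, ports, key and payload are constructed
sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
FIXED_HDR_LEN = 20


def build_tcp_header(sport, dport, seq, ack, flags, window, header_words, checksum=0):
    """Pack the fixed 20-byte TCP header. header_words is the Data Offset field
    (header length in 32-bit words, options included): a header carrying the
    18-byte MD5 option plus 2 bytes of NOP padding has header_words=10."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       header_words << 4, flags, window, checksum, 0)


def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """Compute the 16-byte digest in the order RFC 2385 section 2.0 specifies:
       1. pseudo-header: source IP, destination IP, zero, protocol, segment length
          (segment length = header length from Data Offset + payload length)
       2. the fixed TCP header with the checksum field forced to zero, options excluded
       3. the segment payload
       4. the shared key
    """
    if len(header) != FIXED_HDR_LEN:
        raise ValueError("pass the fixed 20-byte header without options")
    header_len = (header[12] >> 4) * 4          # Data Offset is the high nibble of byte 12
    seg_len = header_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header_zero_csum = header[:16] + b"\x00\x00" + header[18:]   # checksum at bytes 16-17
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


def verify_tcp_md5(src_ip, dst_ip, header, payload, key, received_digest):
    """Receiver-side check: recompute and compare in constant time. A segment whose
    digest does not match is discarded before it reaches the connection's state
    machine, so a spoofed RST without the key cannot tear the session down."""
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(expected, received_digest)


if __name__ == "__main__":
    # Constructed sample: a BGP segment (port 179) with only the RST flag (0x04) set.
    hdr = build_tcp_header(179, 52000, seq=1000, ack=2000, flags=0x04,
                           window=65535, header_words=10)
    digest = tcp_md5_digest("192.0.2.1", "192.0.2.2", hdr, b"", b"example-key")
    print("digest:", digest.hex())
    print("valid with key:   ",
          verify_tcp_md5("192.0.2.1", "192.0.2.2", hdr, b"", b"example-key", digest))
    print("valid without key:",
          verify_tcp_md5("192.0.2.1", "192.0.2.2", hdr, b"", b"wrong-key", digest))
```

Two properties of the construction are worth noticing: the checksum is zeroed before hashing, so recomputing the checksum after inserting the option does not invalidate the signature, and the sequence number is covered, so a segment that is replayed or altered to land elsewhere in the window fails verification.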

Other applications, such as Domain Name System (DNS) and Secure Sockets Layer (SSL)-based applications, may also be affected, but to a lesser degree, the report said.

A remote user can reportedly send a TCP packet with the RST (reset) flag set (or the SYN flag) with the appropriate spoofed source and destination IP addresses and TCP ports to cause the TCP session to be terminated. Ordinarily, the remote user would have a 1 in 2^32 probability of guessing the correct sequence number, the report said. In practice, however, a remote user may be able to guess an acceptable sequence number with much greater probability, because many implementations will accept any sequence number within a certain window of the expected sequence number. The Associated Press reports that the proper number can be guessed within as few as four attempts, requiring only seconds to achieve.
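The paragraph above turns on one receiver-side decision: whether an RST is honored when its sequence number lands anywhere in the receive window, or only when it equals RCV.NXT exactly. The model below is an added illustration written for this entry, not code from SecurityTracker, NISCC or any vendor; it implements both rules so the difference in exposure can be computed. The exact-match rule with a challenge ACK is the hardening later standardized in RFC 5961; the window sizes and sequence numbers are constructed sample values, and the 2^30 window is an assumed value chosen because it reproduces the "four attempts" figure quoted from the Associated Press.

```python
"""Model of the two TCP RST acceptance rules discussed in the entry.

Added example for illustration; not code from SecurityTracker, NISCC or any
vendor named in the entry. Window sizes and sequence numbers are constructed
sample values.
"""

SEQ_SPACE = 2 ** 32  # the 32-bit TCP sequence-number space


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), with 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classify_rst(seq, rcv_nxt, rcv_wnd, strict=False):
    """Decide what a receiver does with an incoming RST carrying sequence number seq.

    strict=False: the permissive RFC 793 behaviour the advisory describes. Any RST
                  whose sequence number lands anywhere in the receive window tears
                  the connection down ("reset"); everything else is dropped.
    strict=True:  the hardened rule (later standardized in RFC 5961). Only an RST
                  whose sequence number equals RCV.NXT exactly resets; an RST that
                  is merely in-window gets a "challenge-ack" (the receiver ACKs its
                  current RCV.NXT and keeps the connection), and out-of-window RSTs
                  are dropped. A forged RST must then hit one value, not any of
                  the RCV.WND values.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if not strict or seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def segments_to_cover_space(rcv_wnd, strict=False):
    """Number of distinct RST segments that would have to reach a receiver before
    one is guaranteed to be accepted, assuming the four-tuple is already known.

    Under the permissive rule one segment per window-sized slice of the sequence
    space suffices, so the count is ceil(2^32 / RCV.WND); under the strict rule
    every one of the 2^32 values would have to be tried. The first figure is
    also the volume of RST traffic a firewall or IDS would see, which is what
    makes the attack class detectable.
    """
    if rcv_wnd <= 0 or rcv_wnd > SEQ_SPACE:
        raise ValueError("RCV.WND must be in 1..2^32")
    if strict:
        return SEQ_SPACE
    return -(-SEQ_SPACE // rcv_wnd)  # integer ceiling division


if __name__ == "__main__":
    # Constructed sample: a session with RCV.NXT = 1000 and a 64 KiB window.
    for strict in (False, True):
        label = "strict (exact match)" if strict else "permissive (in-window)"
        print(f"{label}: exact RST -> {classify_rst(1000, 1000, 65535, strict)}, "
              f"in-window RST -> {classify_rst(1500, 1000, 65535, strict)}")
    for wnd in (65535, 2 ** 30):
        print(f"RCV.WND={wnd}: {segments_to_cover_space(wnd)} segments cover the space "
              f"(vs {segments_to_cover_space(wnd, strict=True)} under the strict rule)")
```

Running the script shows why the advisory's "1 in 2^32" figure is optimistic: with an unscaled 65535-byte window the permissive rule needs on the order of 65 thousand segments, and with a window near 2^30 (which window scaling permits) it needs four, while the exact-match rule restores the full 2^32 search regardless of window size.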

The report credits Paul A. Watson for discovering a practical method for conducting TCP reset attacks (presented in "Slipping In The Window: TCP Reset Attacks" at the CanSecWest 2004 conference).

The report indicates that the following vendors are affected [this is not an exhaustive list]:

- Cray Inc. is vulnerable on their UNICOS, UNICOS/mk and UNICOS/mp systems

- Check Point is affected, but has issued a protection mechanism in the latest release for VPN-1/FireWall-1 (R55 HFA-03) that can protect both the firewall device and hosts located behind the firewall.

- Internet Initiative Japan, Inc (IIJ) is affected.

- InterNiche NicheStack and NicheLite are affected.

- Juniper Networks products are affected.

- Cisco products are affected, including IOS and non-IOS based devices.

Other vendors are assessing the impact of this flaw.

The NISCC Vulnerability Advisory 236929 is available at:

http://www.uniras.gov.uk/vuls/2004/236929/index.htm

Impact:   A remote user can cause denial of service on the target TCP session. The specific impact depends on the specific vendor implementation.
Solution:   No fix was available at the time of this entry. The vendor recommends that APC products be protected by a firewall that can detect and respond to the class of attacks described in the advisory.
Vendor URL:  nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_alp.php?APCSiteCode=us
Cause:   State error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Apr 20 2004 Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service



 Source Message Contents

Date:  Wed, 19 May 2004 22:23:39 -0400
Subject:  APC Security Advisory - Vulnerabilities in TCP


APC Security Advisory - Vulnerabilities in TCP

Problem Summary

Fundamental weaknesses in TCP/IP can allow an attacker to corrupt data, hijack sessions, 
or cause a denial-of-service condition. This advisory is in response to Technical Cyber 
Security Alert TA04-111A.

System administrators who use the APC TCP/IP-based network products should read this advisory.

Severity Level

Important

Affected Products

All APC products that connect to a TCP/IP network.

Mitigating Factors

Unlike the Border Gateway Protocol (BGP) used by routers, TCP connections used with APC products are typically transient. This means that an attack would have to be performed while the product was being actively accessed by a user.

ISX Manager can only be affected by denial-of-service attacks.

Recommendations and workarounds

If available, deploy and use cryptographically secure protocols like SSL/TLS, HTTPS and SSH. These protocols prevent attackers from corrupting data and hijacking sessions. However, they do not prevent denial-of-service, since authentication is performed above the transport layer (TCP).

To reduce the possibility of a denial-of-service condition, it is recommended that APC products be protected by a firewall that can detect and respond to that class of attacks.

Status of this notice: INTERIM

THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.


Distribution

This advisory will be posted on APC's worldwide website at 
http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_alp.php?APCSiteCode=us

Future updates of this advisory, if any, will be placed on APC's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revisions

Revision 1.0
2004-April-26
Initial Public Release

References

http://www.us-cert.gov/cas/techalerts/TA04-111A.html

Copyright
This notice is Copyright 2004 by APC. This notice may be redistributed freely after the 
release date given at the top of the text, provided that redistributed copies are complete 
and unmodified, and include all date and version information.


Copyright 2012, SecurityGlobal.net LLC