VID 13018
Severity 20
Port
Protocol TCP
Class Protocol
Detailed Description: The target host seems to be vulnerable to a TCP sequence number approximation vulnerability, which may allow a remote attacker to send spoofed TCP RST packets to the affected host and close established TCP sessions.
TCP (Transmission Control Protocol) is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within a range of the acknowledgement number (called a "window"). The acknowledgement number is not used in a packet with the reset (RST) flag set because a reset does not expect a packet in return.

The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.
Any service that relies on long-lived TCP connections (BGP, a VPN over TCP, etc.) and for which the source and destination IP addresses and TCP ports are known or can be easily guessed will be vulnerable to at least denial of service attacks.
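The following model, added here for illustration and not taken from the advisory or any vendor's stack, contrasts the lenient RST handling described above (any RST whose sequence number lands inside the receive window tears the session down) with the RFC 5961 rule that most stacks adopted as the fix: only an RST whose sequence number exactly equals RCV.NXT is honoured, an in-window but inexact one is answered with a challenge ACK, and anything else is dropped. The `Connection` class and the field values are constructed for the example; real stacks also require the 4-tuple to match before any of this runs.

```python
"""TCP RST validation: lenient in-window acceptance vs. RFC 5961 section 3.2.

Added example, not code from the advisory. The connection model is reduced to
the two receiver fields that matter here: RCV.NXT (next expected sequence
number) and RCV.WND (receive window size).
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int
    rcv_wnd: int
    state: str = "ESTABLISHED"


def handle_rst_lenient(conn: Connection, seq: int) -> str:
    """Pre-fix behaviour from the advisory: an RST anywhere inside the
    receive window is accepted and the session is closed."""
    if seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.state = "CLOSED"
        return "reset"
    return "dropped"


def handle_rst_rfc5961(conn: Connection, seq: int) -> str:
    """RFC 5961 section 3.2 rule set:
    - SEQ == RCV.NXT            -> reset the connection
    - in window but inexact     -> send a challenge ACK, keep the connection
      (a genuine peer that really wants to reset replies with an exact RST)
    - out of window             -> drop silently
    """
    if seq == conn.rcv_nxt:
        conn.state = "CLOSED"
        return "reset"
    if seq_in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "challenge-ack"
    return "dropped"


def compare_policies(rcv_nxt: int, rcv_wnd: int, seq: int) -> dict:
    """Run the same RST against a fresh connection under both policies and
    report the verdict and resulting state for each."""
    lenient = Connection(rcv_nxt, rcv_wnd)
    strict = Connection(rcv_nxt, rcv_wnd)
    return {
        "lenient": (handle_rst_lenient(lenient, seq), lenient.state),
        "rfc5961": (handle_rst_rfc5961(strict, seq), strict.state),
    }


if __name__ == "__main__":
    # Constructed values: a 64 KiB window and an RST that is in-window but
    # 1234 bytes past the expected sequence number.
    for name, result in compare_policies(1_000_000, 65_535, 1_001_234).items():
        print(f"{name:8s} verdict={result[0]:13s} state={result[1]}")
```

The `seq_in_window` arithmetic is done modulo 2^32 so the check still behaves correctly when RCV.NXT is close to the wrap point, which a naive `rcv_nxt <= seq < rcv_nxt + rcv_wnd` comparison gets wrong.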

* References:
http://www.osvdb.org/displayvuln.php?osvdb_id=4030
http://xforce.iss.net/xforce/alerts/id/170
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
http://www.linuxsecurity.com/advisories/netbsd_advisory-4268.html
http://archives.neohapsis.com/archives/bugtraq/2004-04/0274.html
http://packetstormsecurity.nl/0405-exploits/autoRST.c

* Platforms Affected:
Applications that rely on persistent TCP connections
Any Operating System, any version
Recommendation: For Microsoft Windows platforms:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-019 at http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx

For other distributions:
Please see NISCC Vulnerability Advisory 236929 "Vulnerability Issues in TCP" ( http://www.uniras.gov.uk/niscc/docs/al-20040420-00199.html?lang=en ) or CERT Vulnerability Note VU#415294 ( http://www.kb.cert.org/vuls/id/415294#systems ). If a particular vendor is not listed in either the NISCC advisory, or the CERT vulnerability note, we recommend that you contact them for their comments.

For BGP implementations, we highly recommend implementing RFC 2385 (BGP TCP MD5 Signatures).
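To show what the RFC 2385 recommendation buys, the example below (added here, not code from the advisory or from any router vendor) computes and verifies the TCP MD5 signature option as the RFC specifies it: MD5 over the pseudo-header, the fixed TCP header with the checksum zeroed and options excluded, the segment data, and the shared key. A segment that arrives without the option, with a digest made under a different key, or with its contents altered fails verification and is dropped, so a spoofed RST with a guessed sequence number is rejected regardless of the window. The addresses, ports, key and payload are constructed sample values.

```python
"""RFC 2385 TCP MD5 signature option: sign and verify a segment.

Added example, not code from the advisory. Builds raw TCP segment bytes in
memory only; the TCP checksum field is left at zero since it is not part of
the signed data and a real stack fills it in last.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19      # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18     # kind + length + 16-byte digest
IPPROTO_TCP = 6


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """MD5 over the four items of RFC 2385 section 2.0, in order."""
    data_offset = (segment[12] >> 4) * 4            # header length incl. options
    pseudo_hdr = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                  + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment)))
    fixed_hdr = segment[:16] + b"\x00\x00" + segment[18:20]   # checksum zeroed
    payload = segment[data_offset:]
    return hashlib.md5(pseudo_hdr + fixed_hdr + payload + key).digest()


def build_tcp_header(sport, dport, seq, ack, flags, window, options: bytes) -> bytes:
    """Fixed 20-byte header followed by options; options must pad to 4 bytes."""
    assert len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0) + options


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                         window, payload: bytes, key: bytes) -> bytes:
    """Emit a segment carrying the MD5 option (18 bytes + two NOPs of padding).
    The digest is computed over a placeholder option block first; the option
    bytes themselves are excluded from the hash, so this is safe."""
    placeholder = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + b"\x00" * 16 + b"\x01\x01"
    draft = build_tcp_header(sport, dport, seq, ack, flags, window, placeholder) + payload
    digest = tcp_md5_digest(src_ip, dst_ip, draft, key)
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + b"\x01\x01"
    return build_tcp_header(sport, dport, seq, ack, flags, window, options) + payload


def find_md5_option(segment: bytes):
    """Walk the option list and return the 16-byte digest, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end-of-options
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # malformed option, stop parsing
        length = opts[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment: bytes, key: bytes) -> bool:
    """Receiver side: with a key configured for this peer, a segment is
    accepted only if it carries the option and the digest matches."""
    received = find_md5_option(segment)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample: a BGP KEEPALIVE-sized payload between two peers.
    src, dst, key = "192.0.2.1", "192.0.2.2", b"constructed-shared-key"
    good = build_signed_segment(src, dst, 179, 40000, 1000, 2000, 0x18, 65535,
                                b"\xff" * 16, key)
    print("signed segment verifies:", verify_signed_segment(src, dst, good, key))
    unsigned_rst = build_tcp_header(40000, 179, 2000, 1000, 0x04, 0, b"")
    print("unsigned RST verifies:  ", verify_signed_segment(src, dst, unsigned_rst, key))
```

The verifier returns `False` for a missing option, for a digest made under another key, and for any change to the addresses, ports, sequence numbers, flags or payload, which is why the advisory recommends it for long-lived BGP sessions where the 4-tuple is predictable.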

Secure BGP configuration instructions were also provided for Cisco and Juniper:
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.qorbit.net/documents/junos-bgp-template.pdf
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca571.html

NISCC has provided the following best practices guide for BGP:
http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf

As a workaround, to assist in mitigating the impact of this issue, you can use ACLs for selective filtering on routers to prevent unauthorized packets or requests.
Related URL: CVE-2004-0230 (CVE)
Related URL: 10183 (SecurityFocus)
Related URL: 15886 (ISS)