TCP spoofed reset denial of service
| tcp-rst-dos (15886) |
Description:
TCP (Transmission Control Protocol) is the connection-oriented transport protocol of the Internet, responsible for reliable, ordered delivery of data between endpoints. Multiple products implementing TCP as specified in RFC 793 are vulnerable to a denial of service attack that resets an established TCP session. RFC 793 directs a receiver to act on a Reset (RST) segment, or to reset the connection on a Synchronize (SYN) segment, whenever the segment's sequence number falls anywhere inside the current receive window, not only when it matches the next expected sequence number exactly. An attacker who knows, or can guess, the connection's addresses and ports can therefore forge RST or SYN segments and needs to hit only one of roughly 2^32 / window-size candidate windows rather than one exact 32-bit sequence number. While the sequence-number space is large, the larger the advertised window, the fewer guesses the attacker needs: with a 64 KB window, on the order of 65,000 spoofed segments cover the entire space.
Successful exploitation terminates the TCP session. Depending on the targeted software or hardware, the outcome may be a simple denial of service, or it may leave the application in an unpredictable state, possibly leading to data loss or further vulnerabilities. Long-lived sessions such as BGP peerings are the most exposed, because the connection stays open long enough for an attacker to sweep the sequence space and the peering must be re-established after a reset. There is evidence that the same in-window acceptance could be abused for further exploitation on some applications, such as data injection. At this time, arbitrary code execution via this issue has not been demonstrated.
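To make the window arithmetic concrete, the following Python example (added here; it is not part of the X-Force entry or any vendor's code) implements the RFC 793 in-window acceptance test for a RST, the stricter exact-match rule that RFC 5961 later standardized (an in-window but inexact RST is answered with a challenge ACK instead of a reset), and a sweep that counts how many spoofed segments a blind attacker needs for a given receive window. It also quantifies the window-reduction mitigation listed under Remedy. The window sizes and sequence numbers are constructed for the example, and it assumes the attacker already knows both addresses and ports (true for a BGP peering whose ephemeral port has been observed).

```python
import random

SEQ_SPACE = 2 ** 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted_rfc793(seq, rcv_nxt, rcv_wnd):
    """RFC 793 behaviour: any RST whose sequence number falls inside the
    receive window aborts the connection (the vulnerable rule)."""
    return in_window(seq, rcv_nxt, rcv_wnd)


def classify_rst_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 behaviour: only SEQ == RCV.NXT resets; an in-window but
    inexact RST gets a challenge ACK (a legitimate peer answers with an
    exact RST, a spoofer cannot); an out-of-window RST is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def rst_accepted_rfc5961(seq, rcv_nxt, rcv_wnd):
    return classify_rst_rfc5961(seq, rcv_nxt, rcv_wnd) == "reset"


def guesses_to_cover_space(rcv_wnd, candidate_ports=1):
    """Worst-case number of spoofed RSTs that put one in every possible
    window of an RFC 793 stack: ceil(2**32 / RCV.WND), multiplied by the
    number of source ports to try when the client port is not known."""
    return -(-SEQ_SPACE // rcv_wnd) * candidate_ports


def blind_reset(rcv_nxt, rcv_wnd, accept=rst_accepted_rfc793):
    """Simulate the attack: send RSTs with SEQ = 0, W, 2W, ... (W = RCV.WND),
    which is enough to land in every window of width W (a wrapping window
    always contains 0). Returns the number of segments sent before one was
    accepted, or None if the whole space was swept without success, which
    is what happens against the RFC 5961 rule unless RCV.NXT happens to be
    a multiple of W."""
    sent = 0
    for seq in range(0, SEQ_SPACE, rcv_wnd):
        sent += 1
        if accept(seq, rcv_nxt, rcv_wnd):
            return sent
    return None


if __name__ == "__main__":
    # Constructed victim state: RCV.NXT is unknown to the attacker.
    rcv_nxt = random.randrange(SEQ_SPACE)
    for wnd in (16384, 65535):
        print(f"window {wnd:6d}: worst case {guesses_to_cover_space(wnd)} packets; "
              f"RFC 793 stack reset after {blind_reset(rcv_nxt, wnd)}; "
              f"RFC 5961 stack reset after "
              f"{blind_reset(rcv_nxt, wnd, rst_accepted_rfc5961)}")
```

Halving the window doubles the attacker's cost, which is the whole effect of the window-reduction mitigation; the exact-match rule multiplies it by the window size instead, which is why it, rather than a smaller window, is what ended this class of blind resets.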
Consequences:
Denial of Service
Remedy:
Enable the following checks in the Dynamic ISS Protection platform:
TCP_Within_Window_DoS
For Manual Protection:
Because the list of affected vendors will potentially be quite large and rapidly changing, you should refer to the References section for documents that list affected vendors. Work with your vendor to determine the most appropriate solution for the product in question.
The following approaches may assist in mitigating the impact of this issue:
- Implement IPsec (IP Security) between the endpoints. ESP encrypts the TCP header and payload, hiding ports and sequence numbers from an observer, and both AH and ESP authenticate each packet, so a forged segment is discarded before it reaches TCP.
- Reduce the TCP receive window to increase the number of guesses an attacker needs (the number of candidate windows is roughly 2^32 divided by the window size). Approach this option with care, since it reduces throughput on high-bandwidth or high-latency paths and can increase traffic loss.
- For critical applications, such as BGP, implement ingress and egress filtering so that packets claiming a peer's source address are accepted only on the interfaces and from the networks where that peer can legitimately appear.
- Implement the TCP MD5 signature option (RFC 2385) on BGP sessions. Each segment then carries an MD5 digest computed over the TCP pseudo-header, TCP header, data and a shared secret, and the receiver discards any segment, including a RST, whose digest is missing or does not verify.
- Use ACLs on routers for selective filtering, for example permitting traffic to the BGP port (TCP 179) only from configured peers, to drop unauthorized packets or requests.
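The TCP MD5 signature option is the one remedy in the list above that makes a blind reset fail outright rather than merely cost more guesses. The following Python example, added here and not taken from the X-Force entry or from any router vendor's implementation, signs and verifies a segment the way RFC 2385 specifies: the digest covers the IPv4 pseudo-header, the 20-byte TCP header with a zero checksum and options excluded, the segment data, and finally the shared key. The addresses, ports, sequence numbers and key are constructed sample values; the option is laid out as NOP, NOP, MD5SIG so the header stays 4-byte aligned, and the TCP checksum is left at zero because the digest does not cover it.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19     # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18    # kind (1) + length (1) + 16-byte digest
TH_RST, TH_ACK = 0x04, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/rsvd, flags, window, checksum, urgent


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   urgent, options_len, payload, key):
    """RFC 2385 section 2: MD5 over (1) the pseudo-header, (2) the TCP header
    with options excluded and checksum zeroed (the data offset still counts
    the options), (3) the segment data, (4) the shared key."""
    header_len = 20 + options_len
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, header_len + len(payload)))
    header = struct.pack(TCP_HDR, sport, dport, seq, ack,
                         (header_len // 4) << 4, flags, window, 0, urgent)
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                         window, key, payload=b""):
    """Segment with NOP, NOP, MD5SIG (20 option bytes). Checksum left at 0."""
    options_len = 2 + TCPOLEN_MD5SIG
    digest = tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags,
                            window, 0, options_len, payload, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest
    header_len = 20 + options_len
    header = struct.pack(TCP_HDR, sport, dport, seq, ack,
                         (header_len // 4) << 4, flags, window, 0, 0)
    return header + options + payload


def build_unsigned_segment(sport, dport, seq, ack, flags, window, payload=b""):
    """Plain 20-byte-header segment, as a blind attacker without the key sends it."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags,
                       window, 0, 0) + payload


def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:               # end of option list
            break
        if kind == TCPOPT_NOP:      # single-byte option
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                   # malformed option, stop parsing
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver with a key configured for this peer: a segment with no
    signature, or a signature that does not verify, is dropped."""
    if len(segment) < 20:
        return False
    (sport, dport, seq, ack, off_res, flags, window,
     _checksum, urgent) = struct.unpack(TCP_HDR, segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    options, payload = segment[20:header_len], segment[header_len:]
    received = find_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags,
                              window, urgent, len(options), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: BGP peer 192.0.2.1:179 -> local 192.0.2.2:40000.
PEER, LOCAL, KEY = "192.0.2.1", "192.0.2.2", b"bgp-shared-secret"
LEGIT_RST = build_signed_segment(PEER, LOCAL, 179, 40000, 1000, 2000,
                                 TH_RST | TH_ACK, 0, KEY)
SPOOFED_RST = build_unsigned_segment(179, 40000, 1000, 2000, TH_RST | TH_ACK, 0)
WRONG_KEY_RST = build_signed_segment(PEER, LOCAL, 179, 40000, 1000, 2000,
                                     TH_RST | TH_ACK, 0, b"guess")

if __name__ == "__main__":
    print("peer's signed RST accepted:", verify_segment(PEER, LOCAL, LEGIT_RST, KEY))
    print("unsigned spoofed RST accepted:", verify_segment(PEER, LOCAL, SPOOFED_RST, KEY))
    print("wrong-key spoofed RST accepted:", verify_segment(PEER, LOCAL, WRONG_KEY_RST, KEY))
```

Because the pseudo-header and sequence number are inside the digest, an attacker cannot replay a captured signed segment from another address or re-point it at a different sequence number either. The option is a keyed MD5 construction of its era; current deployments use the TCP Authentication Option (RFC 5925) for the same purpose.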
For SGI IRIX:
Apply the appropriate patch for your system, as listed in SGI Security Advisory 20040905-01-P. See References.
For SCO UnixWare 7.1.3:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.14. See References.
For SCO UnixWare 7.1.1:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.14. See References.
For Microsoft:
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Wed Apr 21 2004 - 10:13:58 CDT: Vulnerabilities in long-lived TCP connections on SGI systems.
- CanSecWest 2004 Conference: Slipping in the Window: TCP Reset Attacks.
- Check Point Alert April 20, 2004: TCP RFC Alert.
- CIAC Information Bulletin O-124: Cisco TCP Vulnerabilities in Multiple Cisco Products.
- CIAC INFORMATION BULLETIN P-177: Vulnerabilities in TCP-IP (893066).
- Cisco Documentation Web site: Border Gateway Protocol.
- Cisco Systems Inc. Security Advisory, 2004 April 20 21:00 UTC (GMT): TCP Vulnerabilities in Multiple Non-IOS Cisco Products.
- Cisco Systems Inc. Security Advisory, 2004 April 20 21:00 UTC (GMT): TCP Vulnerabilities in Multiple IOS-Based Cisco Products.
- Internet Security Systems Security Alert, April 20, 2004: Multiple Vendor TCP Denial of Service Vulnerability.
- Microsoft Security Bulletin MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066).
- Microsoft Security Bulletin MS06-032: Vulnerability in TCP/IP Could Allow Remote Code Execution (917953).
- Microsoft Security Bulletin MS06-064: Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819).
- Microsoft Security Bulletin MS08-001: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644).
- Microsoft Security Bulletin MS08-004: Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456).
- NetBSD Security Advisory 2004-006: TCP protocol and implementation vulnerability.
- NISCC Vulnerability Advisory 236929: Vulnerability Issues in TCP.
- Request for Comment document RFC 2385: Protection of BGP Sessions via the TCP MD5 Signature Option.
- Request for Comment document RFC 793: Transmission Control Protocol DARPA Internet Program Protocol Specification.
- SCO Security Advisory SCOSA-2005.14: Vulnerabilities in long-lived TCP connections / Rose attack.
- US-CERT Technical Cyber Security Alert TA04-111A: Vulnerabilities in TCP.
- ASA-2006-217: Windows Security Updates for October 2006 - (MS06-056 - MS06-065)
- BID-10183: Multiple Vendor TCP Sequence Number Approximation Vulnerability
- CVE-2004-0230: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
- OSVDB ID: 4030: TCP/IP Sequence Prediction Blind Reset Spoofing DoS
- SA11440: Cisco IOS TCP Connection Reset Denial of Service Vulnerability
- SA11458: Juniper Networks Products TCP Connection Reset Denial of Service
- SA22341: Microsoft Windows Multiple IPv6 Denial of Service Vulnerabilities
- US-CERT VU#415294: The Border Gateway Protocol relies on persistent TCP sessions without specifying authentication requirements
- VUPEN/ADV-2006-3983: Microsoft Windows TCP/IP IPv6 Remote Denial of Service Vulnerabilities (MS06-064)
Platforms Affected:
- IETF TCP
- Microsoft Windows 2000
- Microsoft Windows 2003 Server R2 Enterprise
- Microsoft Windows 2003 Server
- Microsoft Windows 7
- Microsoft Windows 8
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2008
- Microsoft Windows Server 2012
- Microsoft Windows Vista
- Microsoft Windows XP
- Microsoft Windows XP x64
Reported:
Apr 20, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@us.ibm.com
