TCP spoofed reset denial of service

tcp-rst-dos (15886) Risk level: Medium

Description:

TCP (Transmission Control Protocol) is the transport layer of the Internet, responsible for accurately sending messages between points in a network. Multiple products implementing TCP as specified in RFC793 are vulnerable to a denial of service attack that resets and stops an ongoing TCP session. An attacker can forge a set of Reset (RST) or Synchronize (SYN) TCP packets and attempt to guess a TCP sequence number within a narrow range (or TCP window) of values. While the range of TCP sequence numbers is quite large, the ability to use the TCP window size to create a successful exploitation greatly decreases the number of guesses needed by the attacker.

Successful exploitation of this issue results in a termination of the TCP session. Depending on the targeted software or hardware, the outcome may result in a simple denial of service, or it may leave the system in an unpredictable state, possibly leading to data loss or additional vulnerabilities. There is evidence that this issue could lead to further exploitation on some applications, such as data injection. At this time, the ability to exploit arbitrary code execution has not been demonstrated.
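The arithmetic behind the description above, as an added example that is not part of the X-Force entry: it models the RFC 793 acceptance test (any RST with a sequence number inside the receive window aborts the connection) and, for comparison, the exact-match test later standardised in RFC 5961, so the effect of window size on the blind search space can be seen directly. The connection state values are constructed for the demonstration.

```python
"""Added example (not from the X-Force entry): RFC 793 in-window RST acceptance
versus the RFC 5961 exact-match check, and what each does to the number of
blind guesses needed to hit an unknown RCV.NXT."""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a segment's first sequence number:
    RCV.NXT <= SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted_rfc793(seq, rcv_nxt, rcv_wnd):
    """RFC 793 receiver: any RST whose SEQ falls in-window aborts the session."""
    return in_window(seq, rcv_nxt, rcv_wnd)


def rst_accepted_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 receiver: only SEQ == RCV.NXT aborts. An in-window but inexact
    RST gets a challenge ACK and is otherwise ignored, so knowing the window
    is no longer enough; the exact value is required."""
    return seq == rcv_nxt


def effective_window(rcv_wnd, hardened):
    """Size of the sequence range a single forged RST can land in."""
    return 1 if hardened else rcv_wnd


def segments_to_sweep(rcv_wnd, hardened=False):
    """Forged RSTs needed, spaced one effective window apart, before one is
    guaranteed to be accepted for an unknown RCV.NXT: ceil(2^32 / window).
    This is why a smaller window (the advisory's mitigation) raises the cost,
    and why the exact-match check restores the full 2^32 search space."""
    w = effective_window(rcv_wnd, hardened)
    return -(-SEQ_SPACE // w)  # ceiling division


if __name__ == "__main__":
    for wnd in (65535, 16384, 1024):
        print(f"window {wnd:>5}: RFC 793 sweep = {segments_to_sweep(wnd):>10,}"
              f"  RFC 5961 sweep = {segments_to_sweep(wnd, hardened=True):,}")
    # Constructed state near the wrap point: SEQ 5 is inside a window that
    # starts at 0xFFFFFFF0, so RFC 793 accepts the RST while RFC 5961 does not.
    rcv_nxt = 0xFFFFFFF0
    print(rst_accepted_rfc793(5, rcv_nxt, 65535), rst_accepted_rfc5961(5, rcv_nxt, 65535))
```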


Consequences:

Denial of Service

Remedy:

For Virtual Patch:

Enable the following checks in the Dynamic ISS Protection platform:
TCP_Within_Window_DoS

For Manual Protection:

Because the list of affected vendors will potentially be quite large and rapidly changing, you should refer to the References section for documents that list affected vendors. Work with your vendor to determine the most appropriate solution for the product in question.

The following approaches may assist in mitigating the impact of this issue:

  • Implement IPSec (IP Security) to encrypt traffic and obscure TCP information available to the attacker.
  • Reduce the TCP window size to decrease the probability of a successful attack. Approach this option with care, since it could lead to decreased network performance and increased traffic loss.
  • For critical applications, such as BGP, implement ingress and egress filtering to expected addresses.
  • Implement the TCP MD5 signature option to authenticate and checksum TCP packets carrying BGP data.
  • Use ACLs for selective filtering on routers to prevent unauthorized packets or requests.

For SGI IRIX:
Apply the appropriate patch for your system, as listed in SGI Security Advisory 20040905-01-P. See References.

For SCO UnixWare 7.1.3:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.14. See References.

For SCO UnixWare 7.1.1:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.14. See References.

For Microsoft:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • IETF TCP
  • McAfee Data Loss Prevention 8.6
  • McAfee Data Loss Prevention 9.2.1
  • Microsoft Windows 2000
  • Microsoft Windows 2003 Server
  • Microsoft Windows Vista
  • Microsoft Windows XP

Reported:

Apr 20, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com