TCP/IP timestamp denial of service
tcp-ip-timestamp-dos (20635)
Description:
Products from multiple vendors are vulnerable to a denial of service attack caused by improper validation of TCP/IP packets. If the TCP Timestamp Option Registry setting is enabled, a remote attacker can send a malformed TCP/IP message to an individually targeted TCP connection to cause the TCP connection to reset, resulting in a denial of service. The TCP Timestamp Option Registry setting is enabled by default. To exploit this vulnerability, the attacker must know or predict the IP address and port information of both the source and destination of an existing TCP connection.
Microsoft Windows 2000, Windows XP, and Windows Server 2003 are vulnerable. Systems with Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or systems where Microsoft Security Bulletin MS05-019 has been applied are not vulnerable.
Cisco products including Cisco SN5400 series storage routers, Cisco 11000 series content service switches, Cisco AP 350 and 1200 series access points, and Cisco MGX 8200, 8800, and 8900 series switches are vulnerable. The following Cisco products running on Microsoft Windows are only vulnerable if Microsoft Security Bulletin MS05-019 has not been applied: CallManager, Conference Connection, Emergency Responder, MeetingPlace, Personal Assistant, Intelligent Contact Management, IP Contact Center, Interactive Voice Response, Remote Monitoring Suite Option, Web Collaboration Option, E-Mail Manager Option, Agent Desktop, Support Tools, and Unity.
Blue Coat Cache OS versions 3.x and 4.x, Blue Coat Security Gateway OS versions 2.x and 3.x, and OpenBSD versions prior to 3.7 are also vulnerable to this denial of service.
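The references describe the flaw as a receiver updating its stored timestamp before adequately validating the segment (VU#637934), after which genuine packets appear too old and are discarded (CVE-2005-0356). The C model below is an added illustration, not code from any affected vendor: the struct layout, function names and sample values are constructed, and the corrected ordering it shows (sequence check before the timestamp update) is an assumption about how a fix behaves, not any vendor's patch.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Receiver-side state relevant to the timestamp check (illustrative names). */
struct conn { uint32_t rcv_nxt, rcv_wnd, ts_recent; };
struct seg  { uint32_t seq, tsval; };

/* Modular "a is older than b" comparison for 32-bit timestamps. */
static bool ts_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Segment starts inside the receive window (payload length ignored). */
static bool seq_in_window(const struct conn *c, uint32_t seq) {
    return (uint32_t)(seq - c->rcv_nxt) < c->rcv_wnd;
}

/* Returns true if the segment is accepted. With validate_first == false the
 * stored timestamp is updated before the sequence check (the flawed order). */
static bool tcp_input(struct conn *c, struct seg s, bool validate_first) {
    if (ts_lt(s.tsval, c->ts_recent))
        return false;                 /* PAWS: segment looks too old, drop */
    if (!validate_first)
        c->ts_recent = s.tsval;       /* flaw: update from unvalidated segment */
    if (!seq_in_window(c, s.seq))
        return false;                 /* not part of this byte stream, drop */
    c->ts_recent = s.tsval;           /* safe: segment passed validation */
    c->rcv_nxt = s.seq + 1;           /* model: one byte per segment */
    return true;
}

/* Constructed scenario: one out-of-window segment carrying a far-future
 * timestamp arrives, then the peer's next genuine segment. Returns whether
 * the genuine segment is still accepted. */
static bool genuine_survives(bool validate_first) {
    struct conn c = { .rcv_nxt = 1000, .rcv_wnd = 65535, .ts_recent = 5000 };
    struct seg forged  = { .seq = 900000000u, .tsval = 5000u + 0x7fffffffu };
    struct seg genuine = { .seq = 1000, .tsval = 5001 };
    tcp_input(&c, forged, validate_first);
    return tcp_input(&c, genuine, validate_first);
}

int main(void) {
    printf("update before validation: genuine accepted = %d\n",
           genuine_survives(false));
    printf("update after validation:  genuine accepted = %d\n",
           genuine_survives(true));
    return 0;
}
```

In the flawed ordering the forged segment is itself dropped, yet it has already advanced the stored timestamp, so every later genuine segment fails the age check until the connection is lost.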
Platforms Affected:
- BlueCoat, CacheOS
- BlueCoat, Security Gateway OS
- Cisco, Agent Desktop
- Cisco, Aironet AP1200
- Cisco, Aironet AP350
- Cisco, Conference Connection
- Cisco, Content Services Switch 11000
- Cisco, E-Mail Manager
- Cisco, Emergency Responder
- Cisco, Intelligent Contact Manager
- Cisco, IP Contact Center
- Cisco, IP Interactive Voice Response
- Cisco, MeetingPlace
- Cisco, MGX 8200
- Cisco, MGX 8800
- Cisco, MGX 8900
- Cisco, Personal Assistant
- Cisco, Remote Monitoring Suite Option
- Cisco, SN 5400 Storage Router
- Cisco, Support Tools
- Cisco, Unified CallManager
- Cisco, Unity Server
- Cisco, Web Collaboration Option
- FreeBSD, FreeBSD
- Hitachi, Hitachi GR3000
- Hitachi, Hitachi GR4000
- Hitachi, Hitachi GS4000
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
- Microsoft, Windows XP
- OpenBSD, OpenBSD
Remedy:
For Microsoft Windows:
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
— OR —
As a workaround:
Disable the TCP Timestamp Option registry setting or the RFC1323 support.
For Windows 2000, Windows XP SP1, and Windows Server 2003:
Microsoft originally provided a patch for this vulnerability in MS05-019, but it was superseded by the patch released with MS06-032.
Consequences:
Denial of Service
References:
- Blue Coat Security Advisory, TCP Vulnerability CAN-2005-0356 at http://www.bluecoat.com/support/knowledge/advisory_tcp_can-2005-0356.html.
- Cisco Systems Inc. Security Advisory, 2005 May 18 1600 UTC (GMT), Vulnerability in a Variant of the TCP Timestamps Option at http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml.
- FreeBSD Security Advisory FreeBSD-SA-05:15.tcp, TCP connection stall denial of service at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc.
- Microsoft Security Advisory (899480), Vulnerability in TCP Could Allow Connection Reset at http://www.microsoft.com/technet/security/advisory/899480.mspx.
- Microsoft Security Bulletin MS06-032, Vulnerability in TCP/IP Could Allow Remote Code Execution (917953) at http://www.microsoft.com/technet/security/bulletin/ms06-032.mspx.
- Microsoft Security Bulletin MS08-001, Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644) at http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx.
- Microsoft Security Bulletin MS08-004, Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456) at http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx.
- OpenBSD 3.6 errata, RELIABILITY FIX: March 30, 2005 at http://openbsd.org/errata36.html#tcp.
- ASA-2006-032: TCP Denial of Service Vulnerability (SCOSA-2005.64)
- BID-13676: Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
- BID-16295: Cisco CallManager Multiple Remote Denial Of Service Vulnerabilities
- CVE-2005-0356: Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later packets because they appear to be too old.
- SA15393: Cisco Various Products TCP Timestamp Denial of Service
- SA15417: OpenBSD TCP Timestamp Denial of Service
- SA18222: UnixWare TCP Timestamp Denial of Service
- SA18662: Avaya Intuity Audix TCP Timestamp Denial of Service
- US-CERT VU#637934: TCP does not adequately validate segments before updating timestamp value
Reported:
May 18, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
