ID

VAR-200505-1328

CVE

CAN-2005-0356

TITLE

TCP does not adequately validate segments before updating timestamp value

DESCRIPTION

Certain TCP implementations may allow a remote attacker to arbitrarily modify host timestamp values, leading to a denial-of-service condition. A denial-of-service vulnerability exists for the TCP RFC 1323. The issue resides in the Protection Against Wrapped Sequence Numbers (PAWS) technique that was included to increase overall TCP performance. When TCP 'timestamps' are enabled, both hosts at the endpoints of a TCP connection employ internal clocks to mark TCP headers with a 'timestamp' value. The issue manifests if an attacker transmits a sufficient TCP PAWS packet to a vulnerable computer. The attacker sets a large value as the packet timestamp. When the target computer processes this packet, the internal timer is updated to the large value that the attacker supplied. This causes all other valid packets that are received subsequent to an attack to be dropped, because they are deemed to be too old or invalid. This type of attack will effectively deny service for a target connection. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:15.tcp Security Advisory The FreeBSD Project Topic: TCP connection stall denial of service Category: core Module: inet Announced: 2005-06-29 Credits: Noritoshi Demizu Affects: All FreeBSD releases. Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) 2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17) 2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE) 2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11) 2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16) CVE Name: CAN-2005-0356, CAN-2005-2068 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. TCP packets with the SYN flag set are used during setup of new TCP connections. II. Problem Description Two problems have been discovered in the FreeBSD TCP stack. First, when a TCP packets containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection. Second, a TCP packet with the SYN flag set is accepted for established connections, allowing an attacker to overwrite certain TCP options. III. Impact Using either of the two problems an attacker with knowledge of the local and remote IP and port numbers associated with a connection can cause a denial of service situation by stalling the TCP connection. The stalled TCP connection my be closed after some time by the other host. IV. Workaround In some cases it may be possible to defend against these attacks by blocking the attack packets using a firewall. Packets used to effect either of these attacks would have spoofed source IP addresses. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc [FreeBSD 5.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/netinet/tcp_input.c 1.107.2.44 RELENG_4_11 src/UPDATING 1.73.2.91.2.12 src/sys/conf/newvers.sh 1.44.2.39.2.15 src/sys/netinet/tcp_input.c 1.107.2.41.4.3 RELENG_4_10 src/UPDATING 1.73.2.90.2.17 src/sys/conf/newvers.sh 1.44.2.34.2.18 src/sys/netinet/tcp_input.c 1.107.2.41.2.1 RELENG_5 src/sys/netinet/tcp_input.c 1.252.2.16 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 src/sys/netinet/tcp_input.c 1.252.2.14.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.20 src/sys/conf/newvers.sh 1.62.2.15.2.22 src/sys/netinet/tcp_input.c 1.252.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2068 http://www.kb.cert.org/vuls/id/637934 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (FreeBSD) iD8DBQFCwxe7FdaIBMps37IRAi39AJ9ss6PVEwloS4SlKEWi5S1hpHnzmACeJF7H rKmK2NtleJ98dTLWW4QLMn4= =6fBH -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products TCP Timestamp Denial of Service SECUNIA ADVISORY ID: SA15393 VERIFY ADVISORY: http://secunia.com/advisories/15393/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco SN5400 Series Storage Routers http://secunia.com/product/2188/ Cisco MGX 8900 Series Multiservice Switches http://secunia.com/product/5117/ Cisco MGX 8800 Series Multiservice Switches http://secunia.com/product/5116/ Cisco MGX 8200 Series Edge Concentrators http://secunia.com/product/5115/ Cisco Content Services Switch 11000 Series (WebNS) http://secunia.com/product/1507/ Cisco Aironet 350 Series Access Point http://secunia.com/product/5114/ Cisco Aironet 1200 Series Access Point http://secunia.com/product/1929/ DESCRIPTION: A vulnerability has been reported in some Cisco products, which can be exploited by malicious people to cause a DoS (Denial of Service) on active TCP sessions. The vulnerability is caused due to an error in the implementation of the TCP Timestamp option and can be exploited via specially crafted packets to cause a targeted TCP session to stall until it's reset. Successful exploitation requires knowledge of IP address information of the source and destination of the TCP network connection. The vulnerability affects the following products: * SN5400 series storage routers * CSS11000 series content services switches * AP350 and AP1200 series Access Points running VxWorks * MGX8200, MGX8800, and MGX8900 series WAN switches (only management interfaces) SOLUTION: SN5400 series storage routers: The vulnerability has been addressed by CSCin85370. CSS11000 series content services switches: The vulnerability has been addressed by CSCeh40395. AP350 and AP1200 series Access Points: The vendor recommends upgrading APs running VxWorks to Cisco IOS. MGX series WAN switches: The vulnerability has been documented by CSCeh85125 and CSCeh85130. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Noritoshi Demizu. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml OTHER REFERENCES: US-CERT VU#637934: http://www.kb.cert.org/vuls/id/637934 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . For more information: SA14904 SOLUTION: Apply updated packages. For more information: SA15393 The vulnerability affects all versions of CacheOS and SGOS. SOLUTION: The vendor recommends disabling RFC1323 support until a patch is available

AFFECTED PRODUCTS

CVSS

THREAT TYPE

network

TYPE

Design Error

EXTERNAL IDS

REFERENCES

CREDITS

Secunia

SOURCES

LAST UPDATE DATE

2022-05-06T15:25:21.418000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE