Wednesday, September 9, 2009

Cisco and Other Vendors Vulnerable to TCP DoS Flaws

Summary:

§ These vulnerabilities affect: Many of Cisco's products, including those that run IOS and CatOS. Also affects CheckPoint devices and Red Hat Linux

§ How an attacker exploits them: By flooding a device with excessive, specially crafted TCP connections

§ Impact: An attacker could prevent your device from opening any new TCP connections, essentially blocking most network traffic

§ What to do: Download and install the appropriate vendor updates as soon as possible

Exposure:

Over a year ago, two researchers with Outpost24 claimed they had discovered a flaw in the TCP protocol, which attackers could leverage to either crash or lock up network devices. At the time, they did not release any technical details about this vulnerability, both because they wanted to give vendors time to patch, and because they were working with the Finnish Computer Emergency Response Team (CERT-FI) to release a coordinated alert on the issue. Sadly, one of the researchers who found the vulnerability passed away due to smoke inhalation during a fire in his home, which probably contributed to the delay of this coordinated release. Nonetheless, today CERT-FI finally released an alert about this TCP Denial of Service (DoS) vulnerability.

According to CERT-FI's alert, the two researchers discovered these flaws while using a special TCP socket stressing framework called Sockstress. Sockstress is a tool that allows attackers to open an arbitrary number of TCP connections with specially crafted payloads, window sizes, and TCP states. By flooding a device with many such specially crafted TCP connections, the researchers learned they could cause DoS conditions on some network devices. The DoS effects ranged from temporarily blocking TCP traffic on a device to completely locking it up, requiring a reboot.
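A connection flood of this kind is visible in the device's own connection table: one peer holding many connections that never drain (the server's Send-Q stays non-zero because the peer advertises little or no window) or never complete. The following is an added example, not code from the alert or from any vendor, that flags such peers from a constructed sample in the column layout of `ss -tan`; the thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
# Addresses and queue sizes are made up for this example.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:22          192.0.2.10:51000
ESTAB      0      4096   10.0.0.5:80          203.0.113.9:40001
ESTAB      0      4096   10.0.0.5:80          203.0.113.9:40002
ESTAB      0      4096   10.0.0.5:80          203.0.113.9:40003
SYN-RECV   0      0      10.0.0.5:80          203.0.113.9:40004
ESTAB      0      4096   10.0.0.5:80          203.0.113.9:40005
ESTAB      0      0      10.0.0.5:443         198.51.100.7:55123
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
"""

def parse_ss(text):
    """Parse ss-style rows into (state, recvq, sendq, local, peer_ip)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":  # skip header / junk
            continue
        state, recvq, sendq, local, peer = parts[:5]
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, int(recvq), int(sendq), local, peer_ip))
    return rows

def find_suspect_peers(text, max_conns=4, stuck_ratio=0.5):
    """Return {peer_ip: (total, stuck)} for peers holding more than max_conns
    non-listening connections where at least stuck_ratio of them are
    ESTAB with undrained Send-Q (assumed thresholds, tune per site)."""
    per_peer = defaultdict(lambda: [0, 0])
    for state, _recvq, sendq, _local, peer_ip in parse_ss(text):
        if state == "LISTEN":
            continue
        per_peer[peer_ip][0] += 1
        if state == "ESTAB" and sendq > 0:
            per_peer[peer_ip][1] += 1
    return {ip: (total, stuck) for ip, (total, stuck) in per_peer.items()
            if total > max_conns and stuck / total >= stuck_ratio}

if __name__ == "__main__":
    for ip, (total, stuck) in find_suspect_peers(SAMPLE_SS_OUTPUT).items():
        print(f"{ip}: {total} connections, {stuck} with undrained Send-Q")
```

On a live host, feed it the output of `ss -tan` instead of the constructed sample; a flagged peer is a candidate for the rate limits or filters the vendor alerts recommend.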

CERT-FI's alert lists a number of vendors that have reported being vulnerable to Sockstress attacks in some form. Below is a list of the affected vendors and links to their alerts:

§ Cisco

§ Microsoft (WatchGuard published a LiveSecurity Alert on this Microsoft issue yesterday)

§ CheckPoint [ Alert 1 / Alert 2 ]

§ Red Hat

If you use any of these vendors' products, you should check that vendor's individual alert for the recommended solution to this issue. WatchGuard believes this TCP DoS vulnerability poses the greatest risk to administrators with Cisco devices. Most of our customers use Cisco routers or switches in their network. Cisco's alert warns that many of their devices, including those running IOS or CatOS, suffer from various forms of this TCP DoS vulnerability. These DoS vulnerabilities may pose only a marginal risk to client machines, but they pose a very high risk to gateway devices, such as a Cisco router. If an attacker can exploit this vulnerability against your gateway router, he could knock you off the Internet for the duration of his attack. We highly recommend Cisco administrators apply the upgrade or workarounds suggested in Cisco's alert.

Solution Path:

Cisco and other vendors have released patches to fix these TCP vulnerabilities. If you use one of the vulnerable devices, you should immediately consult the corresponding vendor's alert for a patch or remedy. We list the vendor alerts again below, for your convenience:

§ Cisco's TCP State Manipulation Vulnerability Alert

§ Microsoft Security Bulletin MS09-048 (WatchGuard published a LiveSecurity Alert on this Microsoft issue yesterday)

§ CheckPoint [ Sockstress Alert / TCP Timer Alert ]

§ Red Hat Sockstress KB article