[NEWS] TCP Does Not Adequately Validate Segments Before Updating Timestamp Value
From: SecuriTeam (support_at_securiteam.com)
Date: 05/22/05
To: list@securiteam.com Date: 22 May 2005 18:08:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
TCP Does Not Adequately Validate Segments Before Updating Timestamp Value
------------------------------------------------------------------------
SUMMARY
Certain TCP implementations may allow a remote attacker to arbitrarily
modify host timestamp values, leading to a denial-of-service condition.
DETAILS
Systems Affected:
Vendor - Status - Date Updated
3Com - Unknown - 9-Mar-2005
Alcatel - Unknown - 9-Mar-2005
Apple Computer Inc. - Unknown - 9-Mar-2005
AT&T - Unknown - 9-Mar-2005
Avaya - Unknown - 9-Mar-2005
Avici Systems Inc. - Unknown - 9-Mar-2005
Borderware - Unknown - 9-Mar-2005
Check Point - Not Vulnerable - 19-May-2005
Chiaro Networks - Unknown - 18-May-2005
Cisco Systems Inc. - Vulnerable - 18-May-2005
Clavister - Not Vulnerable - 18-May-2005
Computer Associates - Unknown - 9-Mar-2005
Conectiva - Unknown - 9-Mar-2005
Cray Inc. - Unknown - 9-Mar-2005
Cwnt - Unknown - 9-Mar-2005
Data Connection - Unknown - 9-Mar-2005
Debian - Unknown - 9-Mar-2005
EMC Corporation - Unknown - 9-Mar-2005
Engarde - Unknown - 9-Mar-2005
eSoft - Unknown - 9-Mar-2005
Extreme Networks - Unknown - 9-Mar-2005
F5 Networks - Unknown - 9-Mar-2005
Fortinet - Unknown - 9-Mar-2005
Foundry Networks Inc. - Not Vulnerable - 18-May-2005
FreeBSD - Vulnerable - 16-Mar-2005
Fujitsu - Unknown - 9-Mar-2005
GTA - Unknown - 9-Mar-2005
Hewlett-Packard Company - Unknown - 17-May-2005
Hitachi - Vulnerable - 19-May-2005
Hyperchip - Unknown - 9-Mar-2005
IBM - Unknown - 9-Mar-2005
IBM eServer - Unknown - 9-Mar-2005
IBM zSeries - Unknown - 9-Mar-2005
Immunix - Unknown - 9-Mar-2005
Ingrian Networks - Unknown - 9-Mar-2005
Inoto - Unknown - 9-Mar-2005
Intel - Unknown - 9-Mar-2005
Internet Security Systems Inc. - Unknown - 9-Mar-2005
IP Filter - Unknown - 9-Mar-2005
Juniper Networks - Unknown - 9-Mar-2005
Lachman - Unknown - 9-Mar-2005
Linksys - Unknown - 9-Mar-2005
Lucent Technologies - Unknown - 9-Mar-2005
Luminous - Unknown - 9-Mar-2005
MandrakeSoft - Unknown - 9-Mar-2005
Microsoft Corporation - Vulnerable - 18-May-2005
MontaVista Software - Unknown - 9-Mar-2005
Multi-Tech Systems Inc. - Unknown - 9-Mar-2005
Multinet - Unknown - 9-Mar-2005
NEC Corporation - Not Vulnerable - 17-May-2005
NetBSD - Unknown - 9-Mar-2005
Netfilter - Not Vulnerable - 17-Mar-2005
Netscreen - Unknown - 9-Mar-2005
Network Appliance - Unknown - 9-Mar-2005
NextHop - Not Vulnerable - 16-Mar-2005
Nokia - Unknown - 9-Mar-2005
Nortel Networks - Unknown - 9-Mar-2005
Novell - Unknown - 9-Mar-2005
OpenBSD - Vulnerable - 18-May-2005
Openwall GNU/*/Linux - Unknown - 9-Mar-2005
Red Hat Inc. - Unknown - 9-Mar-2005
Redback Networks Inc. - Vulnerable - 19-May-2005
Riverstone Networks - Unknown - 9-Mar-2005
SCO Linux - Unknown - 9-Mar-2005
SCO Unix - Unknown - 9-Mar-2005
Secure Computing Corporation - Not Vulnerable - 11-Apr-2005
SecureWorx - Unknown - 9-Mar-2005
Sequent - Unknown - 9-Mar-2005
SGI - Unknown - 9-Mar-2005
Sony Corporation - Unknown - 9-Mar-2005
Stonesoft - Unknown - 9-Mar-2005
Sun Microsystems Inc. - Not Vulnerable - 11-Apr-2005
SuSE Inc. - Unknown - 9-Mar-2005
Symantec Corporation - Unknown - 9-Mar-2005
TurboLinux - Unknown - 9-Mar-2005
Unisys - Unknown - 9-Mar-2005
WatchGuard - Not Vulnerable - 15-Apr-2005
Wind River Systems Inc. - Unknown - 18-May-2005
ZyXEL - Unknown - 9-Mar-2005
The Transmission Control Protocol (TCP) is defined in RFC 793 as a means
of providing reliable host-to-host transmission in packet-switched
computer networks. RFC 1323 introduced techniques to increase the
performance of TCP. Two such techniques are TCP timestamps and
Protection Against Wrapped Sequence Numbers (PAWS).
In certain implementations of TCP with timestamps enabled, both hosts
maintain an internal timer that is used to detect segment loss and
regulate traffic flow. PAWS uses timestamps to prevent duplicate or old
segments from corrupting an active connection. In PAWS with the timestamps
option enabled, hosts use an internal timer to track the value of the
timestamp in incoming segments against the last valid timestamp recorded.
If the segment's timestamp is larger than the value of the last valid
timestamp and the sequence number is less than the last acknowledgment
sent, then the host's internal timer is updated with the new timestamp
value and the segment is passed on for further processing. Otherwise, the
segment is rejected as too old or a duplicate.
If a remote attacker can determine the source and destination ports and IP
addresses of both hosts engaged in an active connection, that attacker may
be able to inject a specially crafted segment into the connection. When
the spoofed segment is received, the host's internal timer value will be
changed to the value in the crafted segment. Please note that, in certain
TCP implementations, sequence numbers are not properly validated before
the internal timer is updated, so an attacker does not need to know a
correct sequence number to change the internal timer. If the internal
timer value is set to a large value, it will likely be larger than the
timestamp value in subsequent incoming segments. This will cause new,
legitimate TCP segments to be evaluated as too old and discarded. As
segments are rejected, the flow of data between hosts stops, resulting in
a denial-of-service condition.
For more information about TCP, timestamps, and PAWS please see RFC 793
and RFC 1323.
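The following is an added, self-contained model of the receive-side PAWS check; it is not code from the advisory, from CERT, or from any of the affected vendors. It places the flawed ordering the advisory describes (ts_recent updated before the sequence number is validated) beside the ordering RFC 1323 section 4.2 specifies (segment acceptability checked first, ts_recent updated only when SEG.SEQ <= Last.ACK.sent), then replays the same constructed trace through both: one legitimate segment, one forged segment with an out-of-window sequence number and a very large timestamp, then three more legitimate segments. All names (Receiver, Segment, vulnerable_receive, hardened_receive, simulate) and all sequence numbers, window sizes and timestamp values are assumptions constructed for the illustration; sequence numbers are kept far from 2^32 so no sequence wraparound handling is needed.

```python
"""Receive-side model of the PAWS timestamp check (RFC 1323), contrasting
the update ordering described in VU#637934 with the RFC-specified one.
Everything here is a constructed illustration, not a real TCP stack."""
from dataclasses import dataclass

TS_MODULO = 2 ** 32  # TCP timestamps are 32-bit values that wrap


def ts_newer_or_equal(a: int, b: int) -> bool:
    """Modular 32-bit comparison: True when timestamp a is at or after b."""
    return ((a - b) % TS_MODULO) < 2 ** 31


@dataclass
class Segment:
    seq: int      # SEG.SEQ
    tsval: int    # SEG.TSval from the timestamps option
    length: int   # SEG.LEN (bytes of payload), at least 1 in this model


@dataclass
class Receiver:
    rcv_nxt: int          # next sequence number expected
    rcv_wnd: int          # receive window size
    ts_recent: int        # last timestamp accepted (the "internal timer")
    last_ack_sent: int    # Last.ACK.sent in RFC 1323 terms
    delivered: int = 0    # segments handed to the application


def in_window(state: Receiver, seg: Segment) -> bool:
    """RFC 793 acceptability test for a segment carrying data."""
    first, last = seg.seq, seg.seq + seg.length - 1
    lo, hi = state.rcv_nxt, state.rcv_nxt + state.rcv_wnd
    return lo <= first < hi or lo <= last < hi


def deliver(state: Receiver, seg: Segment) -> None:
    """Consume an in-order segment and advance the ACK point."""
    if seg.seq == state.rcv_nxt:
        state.rcv_nxt += seg.length
        state.last_ack_sent = state.rcv_nxt
        state.delivered += 1


def vulnerable_receive(state: Receiver, seg: Segment) -> bool:
    """Ordering the advisory describes: timer updated before seq validation."""
    if not ts_newer_or_equal(seg.tsval, state.ts_recent):
        return False  # PAWS: older than ts_recent, treated as stale
    # Defect modelled here: ts_recent moves forward even though the
    # sequence number has not yet been checked against the window.
    state.ts_recent = seg.tsval
    if not in_window(state, seg):
        return False  # dropped, but ts_recent has already been poisoned
    deliver(state, seg)
    return True


def hardened_receive(state: Receiver, seg: Segment) -> bool:
    """RFC 1323 ordering: validate the segment, then update ts_recent."""
    if not ts_newer_or_equal(seg.tsval, state.ts_recent):
        return False
    if not in_window(state, seg):
        return False  # out-of-window segment never touches ts_recent
    # Section 4.2: update only if SEG.TSval >= ts_recent and
    # SEG.SEQ <= Last.ACK.sent (i.e. the segment is not a hole-filling,
    # out-of-order one).
    if seg.seq <= state.last_ack_sent:
        state.ts_recent = seg.tsval
    deliver(state, seg)
    return True


def simulate(receive):
    """Replay one constructed trace and report per-segment accept/reject."""
    state = Receiver(rcv_nxt=1000, rcv_wnd=65535, ts_recent=100,
                     last_ack_sent=1000)
    results = []
    # legitimate in-order segment; the peer's clock ticks by 1 per segment
    results.append(receive(state, Segment(seq=1000, tsval=101, length=100)))
    # forged segment (constructed): sequence number far outside the window,
    # timestamp far ahead of the peer's real clock
    results.append(receive(state, Segment(seq=5_000_000,
                                          tsval=2_000_000_000, length=1)))
    # legitimate traffic continues with normal timestamps
    for i in range(3):
        results.append(receive(state, Segment(seq=state.rcv_nxt,
                                              tsval=102 + i, length=100)))
    return results, state


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_receive),
                     ("hardened", hardened_receive)):
        res, st = simulate(fn)
        print(f"{name}: accepted={res} delivered={st.delivered} "
              f"ts_recent={st.ts_recent}")
```

Running it shows the failure mode the advisory describes: under the vulnerable ordering the forged segment is itself discarded as out of window, yet it leaves ts_recent at the forged value, so every later legitimate segment fails the PAWS comparison and the connection stalls. Under the RFC ordering the same forged segment is discarded before ts_recent is touched and delivery continues. The defensive point is the ordering, not the comparison: the timestamp may only be recorded from a segment that has already passed the sequence-number acceptability test.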
Impact:
An unauthenticated, remote attacker could cause TCP connections to
abort/drop segments, leading to a denial-of-service condition.
Solution:
Apply Patch
Users who suspect they are vulnerable are encouraged to check with their
vendor to determine the appropriate action to take. Please see the list of
vendors we have notified above.
Disable PAWS
As a workaround, disable PAWS and TCP timestamps if they are not needed.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356>
CAN-2005-0356
ADDITIONAL INFORMATION
The information has been provided by Noritoshi Demizu.
The original article can be found at:
<http://www.kb.cert.org/vuls/id/637934>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.