09 September 2009
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1263 CERT-FI Advisory on the TCP protcol Denial of service issues 9 September 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: TCP Protocol Publisher: CERT-FI Operating System: Windows Cisco Network Appliance Juniper Red Hat Enterprise Linux Linux variants Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2008-4609 Reference: ESB-2008.0986 Original Bulletin: http://cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html Comment: Please note that this attack targets weaknesses in the implementation of the TCP protocol and vendors not listed in this advisory may also be affected. AusCERT will issue notifications for other affected vendors as they come to light. - --------------------------BEGIN INCLUDED TEXT-------------------- CERT-FI Advisory on the Outpost24 TCP Issues Target - servers and server applications - workstations and end user applications - network devices - embedded systems - mobile devices - other Access Vector - remote Impact - denial of service Remediation - fix provided by vendor - workaround Details The vulnerabilities described in this advisory can potentially affect systems and applications that run an implementation of TCP protocol (RFC793 et al.). The issues were found by the Sockstress tool developed by Outpost24. Sockstress is an user-land TCP socket stress testing framework that can open an arbitrary number of sockets. The attacks use different variations in terms of payloads, window sizes and stalling TCP states. The attacks take advantage of the exposed resources the target makes available post TCP handshake, namely kernel and system resources such as counters, timers, and memory pools. The attacks do not require significant bandwidth. The full effects of these attacks are still being studied. The referenced CPNI article "Security Assessment of the Transmission Control Protocol (TCP)" contains information on generic TCP attacks, but does not detail the expected result when used against a specific vendor's TCP stack. Impact General impact of the tool and attack scenarios is a denial of service (DoS). However, the impact varies by stack implementation. The overall impact on a given setup depends on the target application and the operating system running on the target. The impact on specific systems falls into three categories: 1.) Temporary impact on the application CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3 The application fails to accept connections from legitimate users when the attack is ongoing. This state is temporary and the application will become usable once the attack stops. 2.) Permanent impact on the application CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3 The application fails to accept connections from legitimate users once the attack has started and lasted for some period of time. This state is permanent in the sense that the application will not become responsive until it has been restarted. 3.) Permanent impact on the system CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:C - 7.1 The system (the OS kernel) stops performing its essential functions once the attack has been started and has lasted for some period of time. As a result, the system will be unusable. The system becomes usable once it has has been rebooted. Severity The severity of the attacks range from a CVSS score of 4.3 (medium severity)1 through 7.1 (high severity) depending on the persistence and scope of the DoS condition. This varies by vendor. Please see the 'Vendor Information' section below for further information. Alternatively, contact your vendor for product specific information. If the attacks are successful in initiating perpetually stalled connections, the connection table of the server can quickly be filled, effectively creating a denial of service condition for a specific service. In many cases the attacks have also been seen to consume significant amounts of event queues and system memory, which intensifies the effects of the attacks. In some cases, this has results in systems that no longer have event timers for TCP communication. Some systems become effectively frozen once attacked, while some reboot. While it is trivial to get a single service to become unavailable in a matter of seconds, to make an entire system become defunct can take many minutes, and in some cases hours. As a general rule, the more services a system has, the faster it will succumb to the system wide (broken TCP, system lock, reboot, etc) effects of the attacks. As with most types of denial of service attacks, attack amplification can be achieved by attacking from a larger number of IP addresses. Vulnerability Coordination Information and Acknowledgments CERT-FI has coordinated the release of this vulnerability between the vulnerability researcher and the affected vendors. CERT-FI would like to thank Jack C. Louis and Robert E. Lee for making the tool and information available to the most potentially affected vendors. CERT-FI would also like to thank the vendors for their co-operation and to JPCERT/CC for co-ordinating this issue in Japan. Vendor Information Microsoft * Microsoft has published security bulletin MS09-048 to address this issue * http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx * http://blogs.technet.com/srd/archive/2009/09/08/assessing-the-risk-of-the-september-critical-security-bulletins.aspx VMware * VMware products are not vulnerable. Cisco * Cisco has published a Security Advisory dealing with the Outpost24 vulnerabilities * http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml CheckPoint * CheckPoint has released two SecureKnowledge entries * https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42723 * https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42725 Juniper * Juniper Networks received the Sockstress tool and executed testing on all our platforms. We have found no unexpected or adverse impact to our equipment which is different from other types of TCP Denial of Service (DOS). When the Sockstress DOS attack is removed, Juniper systems recover normally. Given that Sockstress is not a new 'class' of TCP attacks, existing Best Common Practices (BCPs) used to protect Juniper products from TCP based DOS attacks are the best investment of time. * Juniper Security Advisory is PSN-2008-10-041 and can be found at https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-10-041. Access is via Entitled Disclosure. Please contact Juniper SIRT Team at email@example.com for any questions on this or other feasible vulnerabilities and risk to Juniper Network's products and services. Clavister * We can report that the TCP stack in our Security Gateway products are not affected by these vulnerabilities. Red Hat * Red Hat has published a knowledgebase article about the issue * http://kbase.redhat.com/faq/docs/DOC-18730 Remediation Patch the vulnerable software components according to the guidance published by the vendor. Where available, refer to the 'Vendor Information' section of this advisory for platform specific remediation. Since an attacker must be able to establish TCP sockets to affect the target, the attacks can not be spoofed. White-listing access to TCP services on routers and critical systems is the currently most effective means for mitigation. Limiting the number of incoming connections from a single source IP will require an attacker to use more source IP addresses in the attack. The referenced CPNI TCP document contains mitigation advice on TCP issues. References Fernando Gont, "Security Assessment of the Transmission Control Protocol (TCP)". Sponsored by the UK CPNI (Centre for the Protection of National Infrastructure) * http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx * CVE-2008-4609 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4609 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKprDDNVH5XJJInbgRAgPaAJ0cOYIAMAaJxEQ6wchyLKcNs5p9kQCfRGog FAlk6bjrFBOTqNNIZx6GkPg= =NG5T -----END PGP SIGNATURE-----