Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

       CERT-FI Advisory on the TCP protcol Denial of service issues
                             9 September 2009


        AusCERT Security Bulletin Summary

Product:           TCP Protocol
Publisher:         CERT-FI
Operating System:  Windows
                   Network Appliance
                   Red Hat Enterprise Linux
                   Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2008-4609  

Reference:         ESB-2008.0986

Original Bulletin: 

Comment: Please note that this attack targets weaknesses in the implementation
         of the TCP protocol and vendors not listed in this advisory may also
         be affected. AusCERT will issue notifications for other affected
         vendors as they come to light.

- --------------------------BEGIN INCLUDED TEXT--------------------

CERT-FI Advisory on the Outpost24 TCP Issues

Target          - servers and server applications
                - workstations and end user applications
                - network devices
                - embedded systems
                - mobile devices
                - other
Access Vector   - remote
Impact          - denial of service
Remediation     - fix provided by vendor
                - workaround


The vulnerabilities described in this advisory can potentially affect
systems and applications that run an implementation of TCP protocol
(RFC793 et al.). The issues were found by the Sockstress tool
developed by Outpost24.

Sockstress is an user-land TCP socket stress testing framework that
can open an arbitrary number of sockets. The attacks use different
variations in terms of payloads, window sizes and stalling TCP states.
The attacks take advantage of the exposed resources the target makes
available post TCP handshake, namely kernel and system resources
such as counters, timers, and memory pools. The attacks do not require
significant bandwidth.

The full effects of these attacks are still being studied. The referenced
CPNI article "Security Assessment of the Transmission Control Protocol
(TCP)" contains information on generic TCP attacks, but does not detail
the expected result when used against a specific vendor's TCP stack.


General impact of the tool and attack scenarios is a denial of service
(DoS). However, the impact varies by stack implementation. The overall
impact on a given setup depends on the target application and the operating
system running on the target. The impact on specific systems falls into
three categories:

1.) Temporary impact on the application
    CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3

    The application fails to accept connections from legitimate users
    when the attack is ongoing. This state is temporary and the
    application will become usable once the attack stops.

2.) Permanent impact on the application
    CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3

    The application fails to accept connections from legitimate users
    once the attack has started and lasted for some period of
    time. This state is permanent in the sense that the application
    will not become responsive until it has been restarted.

3.) Permanent impact on the system
    CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:C - 7.1

    The system (the OS kernel) stops performing its essential
    functions once the attack has been started and has lasted for some
    period of time. As a result, the system will be unusable. The
    system becomes usable once it has has been rebooted.


The severity of the attacks range from a CVSS score of 4.3 (medium
severity)1 through 7.1 (high severity) depending on the persistence
and scope of the DoS condition. This varies by vendor. Please see the
'Vendor Information' section below for further information. Alternatively,
contact your vendor for product specific information.

If the attacks are successful in initiating perpetually stalled
connections, the connection table of the server can quickly be filled,
effectively creating a denial of service condition for a specific
service. In many cases the attacks have also been seen to consume
significant amounts of event queues and system memory, which
intensifies the effects of the attacks. In some cases, this has
results in systems that no longer have event timers for TCP
communication. Some systems become effectively frozen once attacked,
while some reboot.

While it is trivial to get a single service to become unavailable in a
matter of seconds, to make an entire system become defunct can take
many minutes, and in some cases hours. As a general rule, the more
services a system has, the faster it will succumb to the system wide
(broken TCP, system lock, reboot, etc) effects of the attacks. As with
most types of denial of service attacks, attack amplification can be
achieved by attacking from a larger number of IP addresses.

Vulnerability Coordination Information and Acknowledgments

CERT-FI has coordinated the release of this vulnerability between the
vulnerability researcher and the affected vendors. CERT-FI would like
to thank Jack C. Louis and Robert E. Lee for making the tool and
information available to the most potentially affected vendors. CERT-FI
would also like to thank the vendors for their co-operation and to
JPCERT/CC for co-ordinating this issue in Japan.

Vendor Information

 * Microsoft has published security bulletin MS09-048 to address this issue
 * http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
 * http://blogs.technet.com/srd/archive/2009/09/08/assessing-the-risk-of-the-september-critical-security-bulletins.aspx

 * VMware products are not vulnerable.

 * Cisco has published a Security Advisory dealing with the Outpost24
 * http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

 * CheckPoint has released two SecureKnowledge entries
 * https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42723
 * https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42725

 * Juniper Networks received the Sockstress tool and executed testing
   on all our platforms. We have found no unexpected or adverse impact
   to our equipment which is different from other types of TCP Denial
   of Service (DOS). When the Sockstress DOS attack is removed,
   Juniper systems recover normally. Given that Sockstress is not a
   new 'class' of TCP attacks, existing Best Common Practices (BCPs)
   used to protect Juniper products from TCP based DOS attacks are the
   best investment of time.
 * Juniper Security Advisory is PSN-2008-10-041 and can be found at


   Access is via Entitled Disclosure. Please contact Juniper SIRT Team
   at sirt@juniper.net for any questions on this or other feasible 
   vulnerabilities and risk to Juniper Network's products and

 * We can report that the TCP stack in our Security Gateway products are
   not affected by these vulnerabilities.

Red Hat
 * Red Hat has published a knowledgebase article about the issue
 * http://kbase.redhat.com/faq/docs/DOC-18730


Patch the vulnerable software components according to the guidance
published by the vendor. Where available, refer to the 'Vendor
Information' section of this advisory for platform specific

Since an attacker must be able to establish TCP sockets to affect the
target, the attacks can not be spoofed. White-listing access to TCP
services on routers and critical systems is the currently most
effective means for mitigation. Limiting the number of incoming
connections from a single source IP will require an attacker to use
more source IP addresses in the attack. The referenced CPNI TCP
document contains mitigation advice on TCP issues.


Fernando Gont, "Security Assessment of the Transmission Control
Protocol (TCP)". Sponsored by the UK CPNI (Centre for the Protection
of National Infrastructure)

    * http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx
    * CVE-2008-4609 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4609

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Version: GnuPG v1.4.6 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967