Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1263
CERT-FI Advisory on the TCP protcol Denial of service issues
9 September 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: TCP Protocol
Publisher: CERT-FI
Operating System: Windows
Cisco
Network Appliance
Juniper
Red Hat Enterprise Linux
Linux variants
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2008-4609
Reference: ESB-2008.0986
Original Bulletin:
http://cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
Comment: Please note that this attack targets weaknesses in the implementation
of the TCP protocol and vendors not listed in this advisory may also
be affected. AusCERT will issue notifications for other affected
vendors as they come to light.
- --------------------------BEGIN INCLUDED TEXT--------------------
CERT-FI Advisory on the Outpost24 TCP Issues
Target - servers and server applications
- workstations and end user applications
- network devices
- embedded systems
- mobile devices
- other
Access Vector - remote
Impact - denial of service
Remediation - fix provided by vendor
- workaround
Details
The vulnerabilities described in this advisory can potentially affect
systems and applications that run an implementation of TCP protocol
(RFC793 et al.). The issues were found by the Sockstress tool
developed by Outpost24.
Sockstress is an user-land TCP socket stress testing framework that
can open an arbitrary number of sockets. The attacks use different
variations in terms of payloads, window sizes and stalling TCP states.
The attacks take advantage of the exposed resources the target makes
available post TCP handshake, namely kernel and system resources
such as counters, timers, and memory pools. The attacks do not require
significant bandwidth.
The full effects of these attacks are still being studied. The referenced
CPNI article "Security Assessment of the Transmission Control Protocol
(TCP)" contains information on generic TCP attacks, but does not detail
the expected result when used against a specific vendor's TCP stack.
Impact
General impact of the tool and attack scenarios is a denial of service
(DoS). However, the impact varies by stack implementation. The overall
impact on a given setup depends on the target application and the operating
system running on the target. The impact on specific systems falls into
three categories:
1.) Temporary impact on the application
CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3
The application fails to accept connections from legitimate users
when the attack is ongoing. This state is temporary and the
application will become usable once the attack stops.
2.) Permanent impact on the application
CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3
The application fails to accept connections from legitimate users
once the attack has started and lasted for some period of
time. This state is permanent in the sense that the application
will not become responsive until it has been restarted.
3.) Permanent impact on the system
CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:C - 7.1
The system (the OS kernel) stops performing its essential
functions once the attack has been started and has lasted for some
period of time. As a result, the system will be unusable. The
system becomes usable once it has has been rebooted.
Severity
The severity of the attacks range from a CVSS score of 4.3 (medium
severity)1 through 7.1 (high severity) depending on the persistence
and scope of the DoS condition. This varies by vendor. Please see the
'Vendor Information' section below for further information. Alternatively,
contact your vendor for product specific information.
If the attacks are successful in initiating perpetually stalled
connections, the connection table of the server can quickly be filled,
effectively creating a denial of service condition for a specific
service. In many cases the attacks have also been seen to consume
significant amounts of event queues and system memory, which
intensifies the effects of the attacks. In some cases, this has
results in systems that no longer have event timers for TCP
communication. Some systems become effectively frozen once attacked,
while some reboot.
While it is trivial to get a single service to become unavailable in a
matter of seconds, to make an entire system become defunct can take
many minutes, and in some cases hours. As a general rule, the more
services a system has, the faster it will succumb to the system wide
(broken TCP, system lock, reboot, etc) effects of the attacks. As with
most types of denial of service attacks, attack amplification can be
achieved by attacking from a larger number of IP addresses.
Vulnerability Coordination Information and Acknowledgments
CERT-FI has coordinated the release of this vulnerability between the
vulnerability researcher and the affected vendors. CERT-FI would like
to thank Jack C. Louis and Robert E. Lee for making the tool and
information available to the most potentially affected vendors. CERT-FI
would also like to thank the vendors for their co-operation and to
JPCERT/CC for co-ordinating this issue in Japan.
Vendor Information
Microsoft
* Microsoft has published security bulletin MS09-048 to address this issue
* http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
* http://blogs.technet.com/srd/archive/2009/09/08/assessing-the-risk-of-the-september-critical-security-bulletins.aspx
VMware
* VMware products are not vulnerable.
Cisco
* Cisco has published a Security Advisory dealing with the Outpost24
vulnerabilities
* http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml
CheckPoint
* CheckPoint has released two SecureKnowledge entries
* https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42723
* https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42725
Juniper
* Juniper Networks received the Sockstress tool and executed testing
on all our platforms. We have found no unexpected or adverse impact
to our equipment which is different from other types of TCP Denial
of Service (DOS). When the Sockstress DOS attack is removed,
Juniper systems recover normally. Given that Sockstress is not a
new 'class' of TCP attacks, existing Best Common Practices (BCPs)
used to protect Juniper products from TCP based DOS attacks are the
best investment of time.
* Juniper Security Advisory is PSN-2008-10-041 and can be found at
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-10-041.
Access is via Entitled Disclosure. Please contact Juniper SIRT Team
at sirt@juniper.net for any questions on this or other feasible
vulnerabilities and risk to Juniper Network's products and
services.
Clavister
* We can report that the TCP stack in our Security Gateway products are
not affected by these vulnerabilities.
Red Hat
* Red Hat has published a knowledgebase article about the issue
* http://kbase.redhat.com/faq/docs/DOC-18730
Remediation
Patch the vulnerable software components according to the guidance
published by the vendor. Where available, refer to the 'Vendor
Information' section of this advisory for platform specific
remediation.
Since an attacker must be able to establish TCP sockets to affect the
target, the attacks can not be spoofed. White-listing access to TCP
services on routers and critical systems is the currently most
effective means for mitigation. Limiting the number of incoming
connections from a single source IP will require an attacker to use
more source IP addresses in the attack. The referenced CPNI TCP
document contains mitigation advice on TCP issues.
References
Fernando Gont, "Security Assessment of the Transmission Control
Protocol (TCP)". Sponsored by the UK CPNI (Centre for the Protection
of National Infrastructure)
* http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx
* CVE-2008-4609 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4609
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKprDDNVH5XJJInbgRAgPaAJ0cOYIAMAaJxEQ6wchyLKcNs5p9kQCfRGog
FAlk6bjrFBOTqNNIZx6GkPg=
=NG5T
-----END PGP SIGNATURE-----