Computer Emergency Response Team - Industrie Services et Tertiaire The CERT for France Industry, Services and Tertiary sector

DoS vulnerabilities in various TCP implementations

Reference: CERT-IST/AV-2009.409
Version: 1.6
Version date: 08 February 2010

Vulnerability Classification

Risk: medium
Impact: Denial of Service
Confidence: Vendor-acknowledged
Attack expertise: Expert
Attack requirements: Remote (no account) over a standard service

System Information

Affected Platform(s):
  • Cisco products (see CERT-IST/AV-2009.400)
  • Microsoft operating systems (CERT-IST/AV-2009.396)
  • Linux/Unix systems (Linux, Solaris, BSD)
  • F5 BIG-IP LTM, GTM, ASM, Link Controller, WebAccelerator, PSM, WAN Optimization
  • F5 FirePass 5.5.x, 6.0.x
  • F5 Enterprise Manager, WANJet, WebAccelerator, ARX
  • Check Point VPN-1 Power/UTM, Connectra, IPSO, VPN-1 Power VSX, Integrity, UTM-1 Edge, IPS-1, Security Management, SmartCenter
Affected Software(s):
  • TCP protocol handler

Description

Publication context:
These flaws (CVE-2008-4609) are tracked under reference FA-2008.0184 in the Cert-IST list of flaws under investigation. In addition, they are presented and monitored through a Cert-IST crisis hub entitled "TCP DoS", which has been open since October 2008. These issues were initially announced at the T2 security conference in Helsinki by the researchers Jack C. Louis and Robert E. Lee.

These issues in the TCP implementations have been discussed separately for the following vendors:
  • Microsoft: CERT-IST/AV-2009.396
  • Cisco: CERT-IST/AV-2009.400
Problem description:
Several flaws have been discovered in the handling of the TCP/IP protocol on various hardware and operating systems. They allow a malicious person to remotely cause a denial of service.

Note: The attacks that exploit these vulnerabilities are often referred to as "Sockstress", which is the name of the tool that revealed these weaknesses.
Technical information:
These flaws are caused by the way the TCP/IP stacks on various systems handle and maintain information regarding active TCP/IP connections. By manipulating the state of these connections through specially crafted TCP sequences, a remote attacker can force a vulnerable system to keep such information in memory for a long time, which eventually prevents the targeted system from responding to legitimate requests.

Note:
  • A full TCP three-way handshake is required to exploit these vulnerabilities.
  • A system reboot may be required to restore full system functionality after a successful attack.
  • In most cases, network devices are not directly impacted by TCP state manipulation DoS attacks transiting a device; however, network devices that maintain the state of TCP connections may be impacted.
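Because a full three-way handshake is required, the peer address seen by the target is a real, reachable one, so per-source aggregation of connection state is a meaningful detection signal. The following script is an added example (not part of the Cert-IST advisory and not a Cert-IST tool): it parses lines in the style of Linux `ss -tan` output (State, Recv-Q, Send-Q, Local, Peer columns) and flags peers that hold an unusually large number of established connections or an unusually large amount of unacknowledged data sitting in send queues, which is what a state-hoarding attack looks like from the target's side. The sample output, thresholds and helper names are constructed for the example.

```python
"""Flag remote peers hoarding TCP connection state on a host.

Added example for the Cert-IST "TCP DoS" advisory, not the advisory's or
any vendor's code. Input is constructed text in the style of `ss -tan`.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    state: str
    recv_q: int
    send_q: int
    local: str
    peer: str


def parse_ss(text):
    """Parse `ss -tan`-style lines into Conn records.

    Columns assumed: State Recv-Q Send-Q Local Peer. The header line and any
    malformed line are skipped rather than aborting the whole parse.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, recv_q, send_q, local, peer = parts[:5]
        try:
            conns.append(Conn(state, int(recv_q), int(send_q), local, peer))
        except ValueError:
            continue  # non-numeric queue column: not a connection line
    return conns


def peer_ip(endpoint):
    """Strip the port from 'ip:port'; IPv6 endpoints are written '[addr]:port'."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def hoarding_peers(conns, max_conns=50, max_sendq_bytes=1_000_000):
    """Return {peer_ip: (established_count, total_send_q)} for peers over threshold.

    Many ESTAB sockets from one peer, or a large total Send-Q (data the host
    cannot deliver because the peer keeps its receive window closed), are the
    per-source symptoms of TCP state manipulation; thresholds are constructed
    and must be tuned to the host's normal traffic.
    """
    count = defaultdict(int)
    sendq = defaultdict(int)
    for c in conns:
        if c.state != "ESTAB":
            continue
        ip = peer_ip(c.peer)
        count[ip] += 1
        sendq[ip] += c.send_q
    return {ip: (count[ip], sendq[ip]) for ip in count
            if count[ip] > max_conns or sendq[ip] > max_sendq_bytes}


def sample_ss_output(hoarder="203.0.113.9", n_hoarder=80):
    """Constructed `ss -tan`-style output: three benign lines plus one peer
    holding n_hoarder established connections with a full send queue each."""
    lines = [
        "State  Recv-Q Send-Q Local Address:Port   Peer Address:Port",
        "ESTAB  0      0      10.0.0.5:80   192.0.2.10:40001",
        "ESTAB  0      120    10.0.0.5:80   198.51.100.7:51000",
        "TIME-WAIT 0   0      10.0.0.5:80   198.51.100.8:51001",
    ]
    for i in range(n_hoarder):
        lines.append(f"ESTAB  0      65535  10.0.0.5:80   {hoarder}:{30000 + i}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, (n, q) in hoarding_peers(parse_ss(sample_ss_output())).items():
        print(f"{ip}: {n} established connections, {q} bytes queued")
```

In practice the parser would be fed the real output of `ss -tan` on a schedule, and a flagged peer would be handled by the per-source connection limits or rate limits the vendor workarounds describe rather than by the script itself.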

Solution

Red Hat has announced that its Linux versions are affected but that it will not release fixes. See the Red Hat knowledge base article ("Additional Resources" section) for more information and workarounds.

01 - Apply F5 updates regarding the TCP vulnerabilities

    Update BIG-IP to version 10.1 and SCCP to version 12.0.8.

    F5 Networks Product Development is tracking this issue as CR110551 for SAM, WANJet, Enterprise Manager and FirePass devices, and as ARX ID 32680 for ARX devices.
    See the F5 security advisory ("Additional Resources" section) to get the details regarding patches availability.

02 - Apply the Check Point patches regarding the TCP vulnerabilities

English translation not available yet
03 - Apply the Sun patches regarding the TCP vulnerabilities

    Platform        Sparc       Intel
    OpenSolaris     snv_131     snv_131

    A final resolution is pending completion for Solaris 8, 9 and 10.

Standard vulnerability IDs

Additional Resources

History

Version Comment Date
1.6 BIG-IP version 10.1 and SCCP version 12.0.8 08 February 2010
1.5 Patches for OpenSolaris 14 December 2009
1.4 US-CERT VU#723308 24 November 2009
1.2 Blue Coat Systems security advisories SA34, SA35, SA36, SA37, SA38 20 October 2009
1.1 Linux SuSE security advisory (SUSE-SA:2009:047) 05 October 2009
1.0 Advisory creation 10 September 2009

Copyright © 1999-2012 Cert-IST