Multiple Vendor TCP Timestamp Vulnerability

John Dalbec jpdalbec at ysu.edu
Fri May 27 20:15:29 UTC 2005


Does this affect us?  The CERT Advisory has "unknown" for all the Linux vendors.

(2) MODERATE: Multiple Vendor TCP Timestamp Vulnerability
Affected:
A number of vendors including Cisco and Microsoft. For a list of all the
vendors, please refer to the CERT Advisory.

Description: This vulnerability in certain TCP implementations can be
exploited to cause a denial of service by forcing either end involved
in a TCP connection to drop TCP segments. That will eventually reset the
connection. The problem arises due to the way some TCP stacks implement
the TCP timestamp option. In order to preserve TCP performance over
high bandwidth, PAWS and the Timestamp Option were introduced via
RFC 1323. PAWS uses the TCP timestamp option to track new TCP segments.
The vulnerability arises because some TCP stacks use the TCP timestamp
to process further TCP segments without validating the TCP sequence
numbers. Hence, an attacker who can guess the IP addresses and port
numbers of the ends involved in a TCP connection can inject TCP packets
into the connection with crafted timestamp values. This can lead to
resetting the connection or corrupting the data transfer between the two
ends. The higher-level protocols that use long-lasting TCP sessions, such
as the Border Gateway Protocol (BGP), are most affected by this
vulnerability. Exploit code has been publicly posted.

Status: Cisco has released an advisory and posted updates. Microsoft
patch MS05-019 also fixes this vulnerability. For a detailed status on
other vendors, please refer to the CERT advisory below.

Council Site Actions: All council sites have either deployed patches or
plan to deploy them once they are available from the vendor. One site
is still verifying that PAWS and Timestamps are not in use on any of
their servers that are vulnerable to this attack.  If any are found, the
Timestamp/PAWS feature will be disabled.  Another site is actively
engaging with vendors that have not released patches but are known to
use vulnerable platforms. A final site does plan to install the patches
but is treating this as a low urgency event since very few of their
machines maintain long-duration TCP sessions and thus very few are
likely victims of an attack.

References:
CERT Advisory
http://www.kb.cert.org/vuls/id/637934
Cisco Advisory
http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml
Microsoft Announcement
http://www.microsoft.com/technet/security/advisory/899480.mspx
Exploit Code
http://www.frsirt.com/exploits/20050521.tcptimestamps.c.php
RFC 1323 (PAWS and TCP Timestamp Option)
http://www.ietf.org/rfc/rfc1323.txt
SecurityFocus BID
http://www.securityfocus.com/bid/13676
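As an added illustration of the ordering flaw the advisory describes (this is constructed example code, not code from the advisory, the CERT note, or any vendor's TCP stack), the Python model below compares a receiver that records ts_recent from any segment passing the PAWS check with one that only records it from a segment already validated against the receive window. The Segment and Receiver classes, the trace values, and the assumption that the flaw is exactly "ts_recent updated before sequence validation" are all mine, and real stacks are far more involved.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

def before(a, b):
    """Modular 32-bit compare used for sequence numbers and timestamps: a < b."""
    return ((a - b) & MASK32) > 0x7FFFFFFF

@dataclass
class Segment:
    seq: int      # first sequence number carried (constructed values below)
    length: int   # payload bytes
    tsval: int    # TCP timestamp option value

@dataclass
class Receiver:
    rcv_nxt: int    # next expected sequence number
    rcv_wnd: int    # receive window size
    ts_recent: int  # PAWS state: most recent valid timestamp seen

    def in_window(self, seg):
        # RFC 793 acceptability test: segment overlaps [rcv_nxt, rcv_nxt + rcv_wnd)
        last = (seg.seq + max(seg.length, 1) - 1) & MASK32
        hi = (self.rcv_nxt + self.rcv_wnd) & MASK32
        return not before(last, self.rcv_nxt) and before(seg.seq, hi)

    def paws_ok(self, seg):
        return not before(seg.tsval, self.ts_recent)

    def deliver(self, seg):
        if seg.seq == self.rcv_nxt:          # in-order data advances the window
            self.rcv_nxt = (self.rcv_nxt + seg.length) & MASK32
        return True

def accept_vulnerable(rx, seg):
    """Modelled flaw: ts_recent is taken from a segment whose sequence number was never checked."""
    if not rx.paws_ok(seg):
        return False
    rx.ts_recent = seg.tsval                 # can be poisoned by an out-of-window segment
    return rx.in_window(seg) and rx.deliver(seg)

def accept_hardened(rx, seg):
    """PAWS may still reject, but only an in-window segment is allowed to update ts_recent."""
    if not rx.paws_ok(seg) or not rx.in_window(seg):
        return False
    rx.ts_recent = seg.tsval
    return rx.deliver(seg)

def simulate(accept):
    """Constructed trace: in-window data, one out-of-window segment carrying a far-future
    timestamp, then the peer's next legitimate in-window segment."""
    rx = Receiver(rcv_nxt=1000, rcv_wnd=65535, ts_recent=100)
    trace = [Segment(1000, 100, 101), Segment(5_000_000, 1, 2_000_000), Segment(1100, 100, 102)]
    return [accept(rx, s) for s in trace], rx.ts_recent
```

With the vulnerable ordering the third, entirely legitimate segment is discarded by PAWS because ts_recent now holds the far-future value; with the hardened ordering the out-of-window segment never touches ts_recent and the connection keeps flowing.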
