4030 : TCP/IP Sequence Prediction Blind Reset Spoofing DoS
Printer | http://osvdb.org/4030 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
57	12438	over 7 years ago	over 2 years ago	4 times	90%

Timeline

Discovery Date	Disclosure Date
2003-07-30	2004-04-20

Keywords

RFC-793

Description

The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Denial of Service, Infrastructure
Impact: Loss of Availability
Exploit: Exploit Public
Disclosure: OSVDB Verified

Technical

RFC-793 utilizes sequence checking to ensure proper ordering of received packets. RFC-793 requires that sequence numbers are checked against the window size before accepting data or control flags as valid. RFC-793 also specifies that RST control flags should be processed immediately, without waiting for out of sequence packets to arrive. Furthermore, RFC-793 allows a TCP implementation to verify both sequence and acknowledgement numbers prior to accepting a RST control flag as valid. No TCP stack implemention tested currently implements checking of both sequence and acknowledgement. All tested TCP stacks currently verify only the sequence number. This allows connections to be reset with dramatically less effort than previously believed.

This risk is compounded by the easy prediction of source port selection used in TCP connections.

Solution

Install vendor upgrades or patches to resolve this issue. Routers using BGP are highly recommended to implement RFC-2385 (BGP TCP MD5 Signatures) as a work-around.

Products

Check Point Software Technologies, Inc.

FireWall-1

Prior to R55 HFA-03

Cisco Systems, Inc.

IOS

All Versions

Cray, Inc.

Unicos

All Versions

Hewlett-Packard Development Company, L.P.

HP-UX

All Versions

Internet Security Systems

Proventia M Series

1.5

Juniper Networks, Inc.

Router

All Versions

Linux

All Versions

Microsoft Corporation

Windows

All Versions

Nokia

IPSO

All Versions

References

Secunia Advisory ID: 11443 11444 11445 11447 11448 11458 11462 11679 11682 12682 14946 22341
ISS X-Force ID: 15886
CVE ID: 2004-0230 (see also: NVD)
SCIP VulDB ID: 2599 2600
Milw0rm: 276 291
Exploit Database: 276 291
Related OSVDB ID: 29429 6094
CERT VU: 415294
Microsoft Knowledge Base Article: 922819
CERT: CA-2001-09
Vendor Specific Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc http://securityresponse.symantec.com/avcenter/security/Content/2005.05.02.html
http://support.avaya.com/elmodocs2/security/ASA-2005-097_SCASA-2005-14.pdf
http://www.bluecoat.com/support/knowledge/advisory_tcp_can-2004-0230.html
http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
http://www.juniper.net/support/alert.html
http://www.juniper.net/support/security/alerts/niscc-236929.txt
http://www.vmware.com/support/kb/enduser/std_adp.php?p_sid=FsNALBWh&p_lva=&p_faqid=1535
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01077
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20040905-01-P.asc http://www.jpcert.or.jp/at/2004/at040003.txt
http://www.seil.jp/en/ann/announce_en_20040421_01.txt
http://www.uniras.gov.uk/vuls/2004/236929/index.htm
http://xforce.iss.net/xforce/alerts/id/170
Other Solution URL: http://isc.sans.org/diary.php?date=2004-04-20
Generic Informational URL: http://nytimes.com/aponline/technology/AP-Internet -Threat.html
http://slashdot.org/articles/04/04/20/1738217.shtml?tid=126&tid=128&tid=172&tid=95
http://www.cnn.com/2004/TECH/internet/04/20/internet.threat/index.html
http://www.eweek.com/article2/0,1759,1571185,00.asp
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
http://www.ietf.org/rfc/rfc0793.txt
http://www.msnbc.msn.com/id/4788445/
http://www.osvdb.org/ref/04/04030-SlippingInTheWindow_v1.0.doc
http://www.osvdb.org/ref/04/04030-SlippingInTheWindow_v1.0.ppt
Generic Exploit URL: http://www.osvdb.org/ref/04/04030-exploit.zip
http://www.packetstormsecurity.org/0404-exploits/bgp-dosv2.pl
http://www.packetstormsecurity.org/0404-exploits/disconn.py
http://www.packetstormsecurity.org/0404-exploits/Kreset.pl
http://www.packetstormsecurity.org/0404-exploits/reset-tcp.c
http://www.packetstormsecurity.org/0404-exploits/reset-tcp_rfc31337-compliant.c
http://www.packetstormsecurity.org/0404-exploits/reset.zip
http://www.packetstormsecurity.org/0404-exploits/tcp_reset.c
http://www.packetstormsecurity.org/0405-exploits/autoRST.c
http://www.packetstormsecurity.org/cisco/ttt-1.3r.tar.gz
Microsoft Security Bulletin: MS05-019 MS06-064
Keyword: Reset RFC-793 RST TCP
US-CERT Cyber Security Alert: TA04-111A

Tools & Filters

	12213 18028 22537
Snort	2523

Credit

Paul (Tony) Watson - pawpaw.org - OSVDB

CVSSv2 Score

CVSSv2 Base Score = 5.0
Source: nvd.nist.gov | Generated: 2003-12-31 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.