The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services.

Install vendor upgrades or patches to resolve this issue. Routers using BGP are highly recommended to implement RFC-2385 (BGP TCP MD5 Signatures) as a work-around.

• Secunia Advisory ID: 11443 11444 11445 11447 11448 11458 11462 11679 11682 12682 14946 22341
• ISS X-Force ID: 15886
• CVE ID: 2004-0230 (see also: NVD)
• SCIP VulDB ID: 2599 2600
• Milw0rm: 276 291
• Exploit Database: 276 291
• Related OSVDB ID: 29429 6094
• CERT VU: 415294
• Microsoft Knowledge Base Article: 922819
• CERT: CA-2001-09
• Vendor Specific Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01037324
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01179938
  http://securityresponse.symantec.com/avcenter/security/Content/2005.05.02.html
  http://support.avaya.com/elmodocs2/security/ASA-2005-097_SCASA-2005-14.pdf
  http://www.bluecoat.com/support/knowledge/advisory_tcp_can-2004-0230.html
  http://www.checkpoint.com/techsupport/alerts/tcp_dos.html
  http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
  http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml
  http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2004-04-008&viewMode=view [ Auth Req'd ]
  http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2012-08-686&viewMode=view [ Auth Req'd ]
  http://www.juniper.net/support/alert.html
  http://www.juniper.net/support/security/alerts/niscc-236929.txt
  http://www.vmware.com/support/kb/enduser/std_adp.php?p_sid=FsNALBWh&p_lva=&p_faqid=1535
  http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTU01077
• Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20040905-01-P.asc http://www.jpcert.or.jp/at/2004/at040003.txt
  http://www.seil.jp/en/ann/announce_en_20040421_01.txt
  http://www.uniras.gov.uk/vuls/2004/236929/index.htm
  http://xforce.iss.net/xforce/alerts/id/170
• Other Solution URL: http://isc.sans.org/diary.php?date=2004-04-20
• Generic Informational URL: http://nytimes.com/aponline/technology/AP-Internet -Threat.html
  http://slashdot.org/articles/04/04/20/1738217.shtml?tid=126&tid=128&tid=172&tid=95
  http://www.cnn.com/2004/TECH/internet/04/20/internet.threat/index.html
  http://www.eweek.com/article2/0,1759,1571185,00.asp
  http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
  http://www.ietf.org/rfc/rfc0793.txt
  http://www.msnbc.msn.com/id/4788445/
  http://www.osvdb.org/ref/04/04030-SlippingInTheWindow_v1.0.doc
  http://www.osvdb.org/ref/04/04030-SlippingInTheWindow_v1.0.ppt
• Generic Exploit URL: http://www.osvdb.org/ref/04/04030-exploit.zip
  http://www.packetstormsecurity.org/0404-exploits/bgp-dosv2.pl
  http://www.packetstormsecurity.org/0404-exploits/disconn.py
  http://www.packetstormsecurity.org/0404-exploits/Kreset.pl
  http://www.packetstormsecurity.org/0404-exploits/reset-tcp.c
  http://www.packetstormsecurity.org/0404-exploits/reset-tcp_rfc31337-compliant.c
  http://www.packetstormsecurity.org/0404-exploits/reset.zip
  http://www.packetstormsecurity.org/0404-exploits/tcp_reset.c
  http://www.packetstormsecurity.org/0405-exploits/autoRST.c
  http://www.packetstormsecurity.org/cisco/ttt-1.3r.tar.gz
• Microsoft Security Bulletin: MS05-019 MS06-064
• Keyword: Reset RFC-793 RST TCP
• US-CERT Cyber Security Alert: TA04-111A

• Paul (Tony) Watson - pawpaw.org - OSVDB