Orange Business Services
Vigil@nce: we track for your security since 1999
vulnerability 10590

TCP, Firewalls: TCP Split Handshake

Synthesis of the vulnerability

An attacker owning a malicious server can use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client.
Impacted products: ASA, IOS, Cisco Router xx00 Series, FortiGate, NetScreen Firewall, ScreenOS, TCP.
Severity: 1/4.
Creation date: 21/04/2011.
Identifiers: CSCth67416, CSCtn29288, CSCtn29349, KB20877, PSN-2011-04-229, VIGILANCE-VUL-10590.

Description of the vulnerability

A TCP session initialization sequence starts with:
 - the client sends a packet with the SYN flag
 - the server answers a SYN-ACK
 - the client answers an ACK

RFC 793 also describes a four-step variant (page 27, "simultaneous-open handshake"):
 - the client sends a packet with the SYN flag
 - the server answers an ACK
 - the server sends a SYN
 - the client answers an ACK

Linux, Windows and MacOS incorrectly implement the "simultaneous-open handshake":
 - the Linux/Windows/MacOS client sends a packet with the SYN flag
 - the server answers an ACK (can be ignored by the client)
 - the server sends a SYN
 - the Linux/Windows/MacOS client answers a SYN-ACK (instead of an ACK alone)
When the server then answers with an ACK, a firewall on the path has just seen: a SYN (from the server), then a SYN-ACK (from the client) and then an ACK (from the server). Some firewalls interpret these three exchanges as a connection from the server to the client.

An attacker owning a malicious server can therefore use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client. It can be noted that the firewall ends up with an invalid internal state (a session it believes the server opened), even though this session was actually initiated by the client.
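The two packet sequences above, replayed through a small model of a firewall's handshake tracker. This is an added example, not code from the Vigil@nce bulletin or from any of the listed vendors: the packet tuples are constructed sample data, and `naive_tracker` and `strict_tracker` are hypothetical policies that illustrate the misinterpretation and one way a state machine can avoid it.

```python
# Constructed packet sequences: (sender, flags). Sequence numbers are omitted.
THREE_WAY = [("client", "SYN"), ("server", "SYN-ACK"), ("client", "ACK")]
# Split handshake as the bulletin describes it for Linux/Windows/MacOS clients.
SPLIT = [("client", "SYN"), ("server", "ACK"), ("server", "SYN"),
         ("client", "SYN-ACK"), ("server", "ACK")]


def naive_tracker(packets):
    """Hypothetical tracker that infers the session initiator from the pattern
    SYN -> SYN-ACK from the peer -> ACK from the SYN sender, letting a later
    bare SYN restart the pattern. Returns the host it believes opened the
    session, or None if no handshake completed."""
    syn_sender = None
    synack_seen = False
    for sender, flags in packets:
        if flags == "SYN":
            # The server's SYN overrides the client's: this is the flaw.
            syn_sender, synack_seen = sender, False
        elif flags == "SYN-ACK" and syn_sender and sender != syn_sender:
            synack_seen = True
        elif flags == "ACK" and synack_seen and sender == syn_sender:
            return syn_sender
    return None


def strict_tracker(packets):
    """Hypothetical tracker that pins the initiator to the first SYN's sender
    and only accepts the classic three-way sequence from there; any other
    packet during the handshake (a bare ACK or a SYN from the responder) is
    reported. Returns ('established', initiator), ('blocked', reason) or
    ('incomplete', initiator)."""
    initiator = None
    stage = 0  # 0: expect SYN, 1: expect peer SYN-ACK, 2: expect initiator ACK
    for sender, flags in packets:
        if stage == 0 and flags == "SYN":
            initiator, stage = sender, 1
        elif stage == 1 and flags == "SYN-ACK" and sender != initiator:
            stage = 2
        elif stage == 2 and flags == "ACK" and sender == initiator:
            return ("established", initiator)
        else:
            return ("blocked", f"{flags} from {sender} at handshake stage {stage}")
    return ("incomplete", initiator)


if __name__ == "__main__":
    for name, seq in (("three-way", THREE_WAY), ("split", SPLIT)):
        print(name, "naive:", naive_tracker(seq), "strict:", strict_tracker(seq))
```

Running it shows the naive model attributing the split handshake to the server while the strict model stops at the server's bare ACK, which is the observable a defender can alert on.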

Copyright 1999-2013 Vigil@nce. Vigil@nce is a service from Orange Business Services.