The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of the TCP protocol

vulnerability alert 13271

TCP: Blind Spoofing facilitated by SYN Cookies

Synthesis of the vulnerability

When SYN Cookies are enabled, an attacker can optimize a brute-force attack on a spoofed TCP session, making it 32 times faster.
Impacted products: TCP protocol.
Severity: 1/4.
Consequences: data flow.
Provenance: internet client.
Creation date: 13/08/2013.
Identifiers: VIGILANCE-VUL-13271.

Description of the vulnerability

A blind TCP attack guesses the initial sequence number (ISN) of a TCP server, in order to establish a session. There are 2^32 possible values.

The SYN Cookie feature protects the system against SYN flooding. To do so, the TCP server does not store the client's connection data, but encodes it in the ISN it sends. The client then returns this ISN (incremented by one), and the server validates it.

The server accepts 4 values for the counter (incremented once a minute) and 8 values for the MSS (Maximum Segment Size). There are therefore 32 (4*8) valid ISNs that the server is ready to accept. A blind attack thus requires 2^27 trials instead of 2^32.

When SYN Cookies are enabled, an attacker can therefore optimize a brute-force attack on a spoofed TCP session, making it 32 times faster.

computer vulnerability alert 11656

TCP: packets injection via a firewall and a malware

Synthesis of the vulnerability

When an attacker has installed unprivileged malware on a client computer, and a firewall is located between this client and a TCP server, an attacker located on the internet can guess valid sequence numbers, in order to inject data into this TCP session.
Impacted products: CheckPoint Power-1 Appliance, CheckPoint Security Gateway, CheckPoint Smart-1, CheckPoint UTM-1 Appliance, VPN-1, CheckPoint VSX-1, TCP protocol.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 28/05/2012.
Identifiers: FGA-2012-19, sk74640, VIGILANCE-VUL-11656.

Description of the vulnerability

When privileged malware is installed on the victim's computer, it can inject data into the victim's TCP sessions. However, unprivileged malware cannot.

TCP sequence and acknowledgment numbers are used to order data. An attacker has to guess these numbers (and also the IP addresses and ports, but the malware learns them via netstat) in order to inject malicious packets into an active TCP session.

Firewalls usually block TCP packets whose sequence number is outside the expected window. However, when this feature is enabled, a remote attacker can send a series of packets:
 - if one of these packets went through the firewall, the malware (which for example reads packet counters, which are not always precise) reports it to the remote attacker
 - if none of these packets went through, the malware tells the attacker to send another series
So, after several iterations, the remote attacker learns which sequence numbers are currently valid.

When an attacker has installed unprivileged malware on a client computer, and a firewall is located between this client and a TCP server, an attacker located on the internet can guess valid sequence numbers, in order to inject data into this TCP session. This vulnerability also works by reversing the roles of the client and the server.

vulnerability 10590

TCP, Firewalls: TCP Split Handshake

Synthesis of the vulnerability

An attacker owning a malicious server can use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client.
Impacted products: ASA, IOS by Cisco, Cisco Router, FortiGate, FortiOS, NetScreen Firewall, ScreenOS, TCP protocol.
Severity: 1/4.
Consequences: data flow.
Provenance: internet client.
Creation date: 21/04/2011.
Identifiers: CSCth67416, CSCtn29288, CSCtn29349, KB20877, PSN-2011-04-229, VIGILANCE-VUL-10590.

Description of the vulnerability

A TCP session initialization sequence starts with:
 - the client sends a packet with the SYN flag
 - the server answers a SYN-ACK
 - the client answers an ACK

RFC 793 describes it in four steps (page 27, "simultaneous-open handshake"):
 - the client sends a packet with the SYN flag
 - the server answers an ACK
 - the server sends a SYN
 - the client answers an ACK

Linux, Windows and MacOS incorrectly implement the "simultaneous-open handshake":
 - the Linux/Windows/MacOS client sends a packet with the SYN flag
 - the server answers an ACK (which can be ignored by the client)
 - the server sends a SYN
 - the Linux/Windows/MacOS client answers a SYN-ACK (instead of an ACK alone)
When the server then answers with an ACK, a firewall on the path has just seen: a SYN, then a SYN-ACK, and then an ACK. Some firewalls interpret these three exchanges as a connection from the server to the client.

An attacker owning a malicious server can therefore use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client. It can be noted that the firewall ends up with an invalid internal state, even though this session was initiated by the client.
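The firewall confusion described above can be modelled in a few lines. The following is an added example, not code from the bulletin or from any of the firewall vendors listed: a toy connection tracker with two rules for deciding who initiated a flow. `naive_initiator` matches the SYN / SYN-ACK / ACK pattern and restarts the match on every bare SYN, which is how the split handshake gets misattributed; `strict_initiator` binds the initiator to the first SYN seen on the flow and never rebinds it. The segment traces, flag constants and endpoint names are constructed for the model.

```python
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits used by this model (constructed constants, not from the bulletin)
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Seg:
    src: str    # sending endpoint: "client" or "server" in this toy model
    flags: int  # combination of SYN / ACK


def naive_initiator(trace: List[Seg]) -> Optional[str]:
    """Pattern matcher in the spirit of the firewalls the bulletin describes: the endpoint
    that sends a bare SYN, gets a SYN-ACK back and then sends an ACK is taken as the
    initiator. Every new bare SYN restarts the match, so a later SYN overwrites the verdict."""
    syn_from: Optional[str] = None
    synack_seen = False
    verdict: Optional[str] = None
    for seg in trace:
        if seg.flags == SYN:
            syn_from, synack_seen = seg.src, False
        elif seg.flags == (SYN | ACK) and syn_from is not None and seg.src != syn_from:
            synack_seen = True
        elif seg.flags == ACK and synack_seen and seg.src == syn_from:
            verdict = syn_from
            syn_from, synack_seen = None, False
    return verdict


def strict_initiator(trace: List[Seg]) -> Optional[str]:
    """Hardened rule: the first SYN seen on the flow fixes the initiator, and the flow
    entry is never rebound while it exists, whatever flag combinations follow."""
    for seg in trace:
        if seg.flags & SYN:
            return seg.src
    return None


# Constructed traces. NORMAL is the usual three-way handshake; SPLIT is the split
# handshake of the bulletin: the server answers a bare ACK and then its own SYN, the
# client replies SYN-ACK instead of ACK, and the server completes with an ACK.
NORMAL = [Seg("client", SYN), Seg("server", SYN | ACK), Seg("client", ACK)]
SPLIT = [
    Seg("client", SYN),
    Seg("server", ACK),
    Seg("server", SYN),
    Seg("client", SYN | ACK),
    Seg("server", ACK),
]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("split", SPLIT)):
        print(name, "naive:", naive_initiator(trace), "strict:", strict_initiator(trace))
```

On the split trace the naive rule reports the server as initiator, exactly the state the bulletin calls invalid, while the strict rule keeps the client. The design point is that direction must be decided once, at the first SYN, and must not be re-evaluated from later flag patterns.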

computer vulnerability note CVE-2008-4609

TCP: denial of service Sockstress

Synthesis of the vulnerability

An attacker can use a small TCP Window, in order to overload a TCP server.
Impacted products: ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, BIG-IP Hardware, TMOS, Linux, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, TCP protocol, StoneGate Firewall, StoneGate IPS, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 01/10/2008.
Revisions dates: 20/10/2008, 09/09/2009.
Identifiers: 109444, 110132, 267088, 6759500, 967723, BID-31545, c01923093, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, cpujul2012, CVE-2008-4609, FICORA #193744, HPSBMI02473, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SSRT080138, SUSE-SA:2009:047, VIGILANCE-VUL-8139, VU#723308.

Description of the vulnerability

The "window" field of a TCP packet indicates the size of the accepted window (and thus the range) for sequence numbers of incoming packets.

According to the TCP protocol, when the system cannot receive more packets (for example if its buffers are full), it lowers the value of the "window" field. The remote host then has to send data more slowly.

An attacker can therefore connect to a listening TCP service, and artificially extend the session duration, in order to overload the remote host.

The attacker can also use "reverse SYN cookies" and the TCP Timestamp option to avoid keeping state on his computer.

An attacker can therefore use only a few resources on his computer, and force the use of a lot of resources on the target. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening several real TCP sessions (except that his computer only uses a few resources). The attacker cannot spoof his IP address to exploit this attack.

There are several attack variants, related to the window size or to a temporary increase of the window size. The VIGILANCE-VUL-8844 vulnerability can be seen as a variant.

When the attacker stops sending packets, the denial of service stops. However, some additional implementation errors (such as the Microsoft CVE-2009-1926 vulnerability of VIGILANCE-VUL-9008, or the Cisco Nexus 5000 vulnerabilities described in the solution for Cisco) cause a permanent denial of service.

vulnerability note 8844

TCP: denial of service Nkiller2

Synthesis of the vulnerability

An attacker can use TCP Windows with a zero size in order to overload a TCP server.
Impacted products: ProxyAV, ProxyRA, ProxySG by Blue Coat, SGOS by Blue Coat, VPN-1, ASA, Cisco Catalyst, IOS by Cisco, Cisco Router, BIG-IP Hardware, TMOS, Linux, Windows 2000, Windows 2003, Windows 2008 R0, Windows Vista, Windows XP, NLD, OES, OpenSolaris, openSUSE, Solaris, Trusted Solaris, TCP protocol, SLES.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 07/07/2009.
Revision date: 09/09/2009.
Identifiers: 109444, 110132, 267088, 6759500, 967723, CERTA-2009-ALE-017-003, cisco-sa-20090908-tcp24, cisco-sr-20081017-tcp, FICORA #193744, MS09-048, SA34, SA35, SA36, SA37, SA38, SA40, SA41, sk42723, sk42725, SOL10509, SOL7301, SOL9293, SUSE-SA:2009:047, VIGILANCE-VUL-8844.

Description of the vulnerability

The "window" field of a TCP packet indicates the size of the accepted window (and thus the range) for sequence numbers of incoming packets.

According to the TCP protocol, when the system cannot receive more packets (for example if its buffers are full), it uses a value of zero for the "window" field. The remote host then has to wait before sending new data. After a timeout, it tries to retransmit. If it does not receive an answer, it closes the session. However, if it receives a late answer, it waits once again.

An attacker can therefore connect to a listening TCP service, and artificially extend the session duration, in order to overload the remote host.

The attacker can also use "reverse SYN cookies" and the TCP Timestamp option to avoid keeping state on his computer.

An attacker can therefore use only a few resources on his computer, and force the use of a lot of resources on the target. The impact of this temporary denial of service depends on the target system, and is similar to an attacker opening several real TCP sessions (except that his computer only uses a few resources). The attacker cannot spoof his IP address to exploit this attack.

This attack is efficient against a web server, where the attacker requests a big file and then shrinks the window. The web server thus keeps this file transfer in progress.

When the attacker stops sending packets, the denial of service stops.

This vulnerability is similar to VIGILANCE-VUL-8139.
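Both the Sockstress bulletin (VIGILANCE-VUL-8139) and this Nkiller2 bulletin come down to a peer that advertises a zero or tiny window and lets the server hold buffers and a half-sent file for as long as the server is willing to wait. The server-side countermeasure is a watchdog on persisting zero windows. The following is an added example, not code from the bulletins or from any of the vendors listed: a small monitor that counts the zero-window probes sent on each connection and aborts a connection whose peer has kept its window closed past a probe count or a wall-clock limit. The thresholds, peer addresses and timeline are constructed for the demonstration; a real stack would hook `on_window_update` into segment processing and `on_probe_sent` into the persist timer.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Conn:
    peer: Tuple[str, int]
    window: int                        # last window the peer advertised
    zero_since: Optional[int] = None   # time at which the window was last closed to zero
    probes_sent: int = 0               # zero-window probes sent since the window closed
    aborted: bool = False


class ZeroWindowMonitor:
    """Server-side watchdog. A peer may legitimately advertise a zero window for a while,
    but one that keeps it closed for longer than max_zero_seconds, or that never reopens
    it after max_probes zero-window probes, gets aborted so its buffers are freed."""

    def __init__(self, max_probes: int = 8, max_zero_seconds: int = 60) -> None:
        self.max_probes = max_probes
        self.max_zero_seconds = max_zero_seconds
        self.conns: Dict[str, Conn] = {}

    def track(self, cid: str, peer: Tuple[str, int], window: int, now: int) -> None:
        self.conns[cid] = Conn(peer=peer, window=window,
                               zero_since=now if window == 0 else None)

    def on_window_update(self, cid: str, window: int, now: int) -> None:
        c = self.conns[cid]
        c.window = window
        if window == 0:
            if c.zero_since is None:
                c.zero_since = now
        else:                          # window reopened: the peer is draining its buffer
            c.zero_since, c.probes_sent = None, 0

    def on_probe_sent(self, cid: str, now: int) -> None:
        c = self.conns[cid]
        if c.window != 0 or c.aborted:
            return
        c.probes_sent += 1
        too_many = c.probes_sent > self.max_probes
        too_long = c.zero_since is not None and now - c.zero_since > self.max_zero_seconds
        if too_many or too_long:
            c.aborted = True


def simulate() -> Dict[str, bool]:
    """Constructed timeline: two peers close their window at t=0; one keeps it closed,
    the other reopens it at t=15. A zero-window probe goes out every 5 seconds."""
    mon = ZeroWindowMonitor(max_probes=5, max_zero_seconds=30)
    mon.track("stalled", ("192.0.2.10", 40001), window=0, now=0)
    mon.track("recovering", ("192.0.2.20", 40002), window=0, now=0)
    for t in range(5, 65, 5):
        if t == 15:
            mon.on_window_update("recovering", 8192, t)
        mon.on_probe_sent("stalled", t)
        mon.on_probe_sent("recovering", t)
    return {cid: c.aborted for cid, c in mon.conns.items()}


if __name__ == "__main__":
    print(simulate())
```

The peer that reopens its window resets both counters and survives; the peer that never does is aborted after the sixth probe. Two independent limits matter because a peer can also answer probes slowly enough to keep the probe count low, which is why the elapsed-time check is there as well.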

vulnerability announce CVE-2006-3920

TCP: denial of service ACK Storm

Synthesis of the vulnerability

An attacker can inject a TCP packet in order to generate an ACK Storm.
Impacted products: Solaris, Trusted Solaris, TCP protocol.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: LAN.
Creation date: 27/07/2006.
Identifiers: 102206, 4511681, CERTA-2006-AVI-326, CVE-2006-3920, VIGILANCE-VUL-6042.

Description of the vulnerability

The header of a TCP packet contains a sequence number and an acknowledgement number.

When a session is established, if a computer receives a TCP packet whose acknowledgement number is too big, it sends a new packet indicating the sequence number it believes to be correct (RFC 793, page 72). If a computer receives a TCP packet whose sequence number is too low, it sends a new packet indicating the acknowledgement number it believes to be correct (RFC 793, page 69).

Thus, when two computers have desynchronized sequence numbers, an infinite loop occurs. This error can occur after a malfunction, or after an attack using packet injection.

This vulnerability is old. Solaris now provides a patch to limit the number of iterations in the loop.
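The loop between the two RFC 793 rules, and the effect of capping it as the Solaris patch does, can be reproduced with two tiny endpoint models. This is an added example and not code from the bulletin or from Solaris; the sequence numbers of the desynchronised pair, the reply budget and the delivery limit are constructed. Each endpoint applies exactly the two rules quoted above: an acknowledgement for data it never sent, or a sequence number it has already consumed, is answered with a bare ACK carrying its own view of the numbers.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MOD = 1 << 32


def after(a: int, b: int) -> bool:
    """True if sequence number a comes after b (32-bit modular comparison)."""
    return a != b and (a - b) % MOD < (1 << 31)


@dataclass
class Endpoint:
    name: str
    snd_nxt: int   # next sequence number this side will send
    rcv_nxt: int   # next sequence number this side expects to receive
    # Bare ACKs this side may still emit in reply to bad segments; None means unlimited
    # (the historical behaviour), an integer models the patched iteration limit.
    reply_budget: Optional[int] = None

    def receive(self, seq: int, ack: int) -> Optional[Tuple[int, int]]:
        """Handle an empty segment (seq, ack). Return the (seq, ack) of the bare ACK this
        side sends back, or None if the segment is accepted or silently dropped."""
        bad_ack = after(ack, self.snd_nxt)    # acknowledges data never sent (RFC 793 p. 72)
        bad_seq = after(self.rcv_nxt, seq)    # sequence number already consumed (RFC 793 p. 69)
        if not (bad_ack or bad_seq):
            return None
        if self.reply_budget is not None:
            if self.reply_budget == 0:
                return None                   # mitigation: stop answering unacceptable segments
            self.reply_budget -= 1
        return (self.snd_nxt, self.rcv_nxt)


def run_exchange(a: Endpoint, b: Endpoint, first: Tuple[int, int], limit: int) -> int:
    """Deliver `first` from a to b and bounce replies back and forth until one side stays
    silent or `limit` segments have been delivered. Returns the number delivered."""
    receiver, other = b, a
    seg: Optional[Tuple[int, int]] = first
    delivered = 0
    while seg is not None and delivered < limit:
        delivered += 1
        seg = receiver.receive(*seg)
        receiver, other = other, receiver
    return delivered


def storm_length(cap: Optional[int], limit: int = 1000) -> int:
    """Constructed desynchronised pair: each side's notion of the other's numbers is
    off by a few hundred bytes, so every bare ACK is unacceptable to its receiver."""
    a = Endpoint("A", snd_nxt=1000, rcv_nxt=5000, reply_budget=cap)
    b = Endpoint("B", snd_nxt=5200, rcv_nxt=1300, reply_budget=cap)
    return run_exchange(a, b, first=(a.snd_nxt, a.rcv_nxt), limit=limit)


if __name__ == "__main__":
    print("unlimited:", storm_length(None), "capped at 10 per side:", storm_length(10))
```

With no budget the exchange only stops at the artificial delivery limit, which is the storm; with a budget of 10 replies per side it dies after 21 deliveries. A synchronised pair (where each side's rcv_nxt equals the other's snd_nxt) accepts the first segment silently and never enters the loop, which the test also checks.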

computer vulnerability alert CVE-2006-1242

Linux, IOS: using computer for an idle scan

Synthesis of the vulnerability

An attacker can use the computer to do an idle scan on another computer.
Impacted products: IOS by Cisco, Cisco Router, Debian, Linux, Mandriva Linux, Mandriva NF, openSUSE, IP protocol, TCP protocol, RHEL.
Severity: 1/4.
Consequences: data flow.
Provenance: intranet client.
Creation date: 15/03/2006.
Revision date: 28/03/2006.
Identifiers: BID-17109, CERTA-2002-AVI-035, CVE-2006-1242, DSA-1097-1, DSA-1103-1, MDKSA-2006:086, MDKSA-2006:116, RHSA-2006:043, RHSA-2006:0437-01, RHSA-2006:057, RHSA-2006:0575-01, SUSE-SA:2006:028, VIGILANCE-VUL-5686.

Description of the vulnerability

The id field of the IP header is used to reassemble fragmented packets.

An idle scan uses an intermediary computer (N) to port scan another computer (T). Only intermediary computers whose id field is incremented for each sent packet can be used to conduct this attack:
 - the attacker A sends a TCP SYN-ACK packet to N
 - N returns a RST packet to the attacker, who notes the value of the IP header id field (for example 1234)
 - A sends a SYN packet with N's spoofed source address to T
 - T returns:
    + a SYN-ACK packet to N if the port is open (N then sends a RST packet to T, whose id field is 1235)
    + a RST packet if the port is closed (N does not reply, so the id counter is not incremented)
 - A does the first and second operations again, and notes the new value of the id field
So, the id field is:
 - 1236 if the port is open
 - 1235 if the port is closed

This vulnerability was corrected in Linux 2.4.8, to ensure Linux is not used as an intermediary computer. However, a regression re-introduced it.
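What makes a host usable as the intermediary N is purely its IP ID allocation policy, so the property worth testing on a stack is whether an outside observer of its IDs can distinguish the open-port case from the closed-port case. The following is an added example, not code from the bulletin or from the Linux or IOS kernels: a model of N's ID allocator under two policies, a single global counter (the vulnerable behaviour) and one counter per destination (the behaviour a fix aims for), replayed against the bulletin's sequence of packets from N's point of view. The starting value 1234 is the bulletin's example; the policy names and host labels A and T are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class IPIDAllocator:
    """IP ID assignment of the intermediary host N. "global" uses one counter for every
    destination, as in the vulnerable kernels; "per_destination" keeps a separate counter
    for each peer, so a packet sent to one host never moves the counter another host sees."""
    policy: str
    start: int = 1234
    counters: Dict[str, int] = field(default_factory=dict)

    def next_id(self, dst: str) -> int:
        key = "*" if self.policy == "global" else dst
        value = self.counters.get(key, self.start)
        self.counters[key] = (value + 1) & 0xFFFF   # the id field is 16 bits wide
        return value


def observed_delta(allocator: IPIDAllocator, port_open: bool) -> int:
    """Replay the bulletin's sequence from N's point of view: N answers A's probe with a
    RST (one ID); only if T's port is open does N also answer T's SYN-ACK with a RST
    (one more ID); then N answers A's second probe. Returns the difference A observes."""
    first = allocator.next_id("A")
    if port_open:
        allocator.next_id("T")
    second = allocator.next_id("A")
    return (second - first) & 0xFFFF


def leaks_port_state(policy: str) -> bool:
    """True if an observer of N's IDs can tell an open port on T from a closed one,
    i.e. if a host with this policy can be used as the intermediary."""
    open_delta = observed_delta(IPIDAllocator(policy), port_open=True)
    closed_delta = observed_delta(IPIDAllocator(policy), port_open=False)
    return open_delta != closed_delta


if __name__ == "__main__":
    for policy in ("global", "per_destination"):
        print(policy, "leaks port state:", leaks_port_state(policy))
```

With the global counter the observer sees a delta of 2 for an open port and 1 for a closed one, the 1236 versus 1235 of the bulletin; with per-destination counters both cases give 1 and the host is useless as N. Randomised IDs achieve the same result by a different route; the check above is the regression test one would keep so that a later change to the allocator cannot quietly reintroduce the leak, which is what happened here.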

computer vulnerability note 5359

TCP: denial of service with optimistic acknowledgement

Synthesis of the vulnerability

An attacker can prematurely send acknowledgement packets to force a remote TCP stack to increase its sending rate.
Impacted products: Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetScreen Firewall, ScreenOS, TCP protocol.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 14/11/2005.
Identifiers: BID-15468, PSN-2005-12-004, VIGILANCE-VUL-5359, VU#102014.

Description of the vulnerability

A TCP stack acknowledges received data by returning an acknowledgement number corresponding to the position of the end of the data. The remote TCP stack uses these numbers to estimate bandwidth and thus optimize its sending throughput.

An attacker can acknowledge data not yet received. The remote stack's algorithm concludes that the throughput can be increased.

An attacker can therefore force a remote computer to send a large amount of data, eventually saturating its internet connection. Several attack variants exist.

computer vulnerability alert CVE-2004-0790 CVE-2004-0791 CVE-2004-1060

TCP: denial of service using ICMP packets

Synthesis of the vulnerability

An attacker can send numerous ICMP packets in order to interrupt a TCP session.
Impacted products: ASA, Cisco Catalyst, Cisco CSS, IOS by Cisco, Cisco Router, Cisco VPN Concentrator, WebNS, BIG-IP Hardware, TMOS, Fedora, Tru64 UNIX, HP-UX, AIX, Juniper J-Series, Junos OS, Windows 2000, Windows 2003, Windows 95, Windows 98, Windows ME, Windows XP, OpenBSD, Solaris, Trusted Solaris, TCP protocol, Raptor Firewall, RHEL, RedHat Linux, SEF, SGS.
Severity: 2/4.
Consequences: denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 9.
Creation date: 16/08/2004.
Revisions dates: 26/08/2004, 19/01/2005, 12/04/2005, 13/04/2005, 21/04/2005, 25/04/2005, 26/05/2005, 02/06/2005, 20/06/2005, 28/06/2005, 08/07/2005, 11/07/2005, 19/07/2005, 02/08/2005.
Identifiers: 101658, 2005.05.02, 5084452, 899480, 922819, BID-13124, BID-13215, BID-13367, c00571568, c00576017, CERTA-2005-AVI-023, CERTA-2005-AVI-135, CERTA-2005-AVI-155, CERTA-2006-AVI-444, CISCO20050412a, CVE-2004-0790, CVE-2004-0791, CVE-2004-1060, CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, CVE-2005-0068, CVE-2005-1184, CVE-2005-1192, FLSA:157459-2, FLSA-2006:157459-1, FLSA-2006:157459-2, HP01137, HP01164, HP01210, HPSBTU01210, HPSBUX01137, HPSBUX01164, IY55949, IY55950, IY62006, IY63363, IY63364, IY63365, IY70026, IY70027, IY70028, K23440942, MS05-019, MS06-064, OpenBSD 34-027, OpenBSD 35-015, PSN-2004-09-009, RHSA-2005:043, SOL15792, SOL4583, SSRT4743, SSRT4884, SSRT5954, Sun Alert 57746, V6-TCPICMPERROR, VIGILANCE-VUL-4336, VU#222750.

Description of the vulnerability

The ICMPv4 protocol handles errors and information related to IPv4 flows.

When a machine on the network detects an error, it sends an ICMPv4 error packet (destination unreachable, source quench (congestion), redirect, time exceeded (ttl), parameter problem, etc.). The data of this packet contains the beginning of the packet that caused the error, more precisely:
 - the IP header of the packet
 - at least the first 64 bits (8 bytes) following the IP header

The first 64 bits make it possible to identify which flow the packet belongs to. For example, if the erroneous packet is TCP, these 64 bits contain:
 - the source port (2 bytes)
 - the destination port (2 bytes)
 - the sequence number (4 bytes)

When an ICMP packet corresponding to an ongoing TCP session is received, the IP stack interrupts the connection and returns an error to the user's application.

However, some implementations do not check the sequence number. Thus, an attacker who knows the IP addresses and the port number of the service (22, 25, etc.) only has to guess the client's port number. The attacker therefore has a one in 65536 chance (or better, if the port number assignment characteristics are known) of generating an ICMP packet that will be accepted and that will interrupt the session.

Implementations that check the sequence number are vulnerable to an attack similar to VIGILANCE-VUL-4128. The success of this attack is then less likely.

This vulnerability therefore allows an attacker to send a series of ICMP packets in order to carry out a denial of service. Depending on the type of ICMP error (unreachable or source quench), two consequences are possible: termination of the session or slowdown of the transfer.
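The difference between the vulnerable and the fixed implementations is a single check on the quoted bytes. The following is an added example, not code from the bulletin or from any of the listed vendors: a parser for the IP header plus first 8 bytes that an ICMP error quotes, and the two acceptance rules side by side. `weak_check` acts on the error as soon as the quoted 4-tuple matches a live connection, which is the behaviour the bulletin describes; `strict_check` additionally requires the quoted sequence number to fall inside the range this host currently has in flight on that connection (the check RFC 5927 recommends, which is not on the page). The connection table, addresses and sequence numbers are constructed, and the sample quotes are built with a zero checksum since the quoted header is never verified here.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

# (local_ip, local_port, remote_ip, remote_port) -> (snd_una, snd_nxt)
ConnKey = Tuple[str, int, str, int]
ConnTable = Dict[ConnKey, Tuple[int, int]]

MOD = 1 << 32


def parse_quoted_packet(payload: bytes) -> Optional[Tuple[ConnKey, int]]:
    """Parse the offending packet as quoted in an ICMP error: the IP header followed by
    at least 8 bytes of transport header. For TCP those 8 bytes are the source port, the
    destination port and the sequence number. Returns the 4-tuple as seen by the sender
    of the quoted packet plus the quoted sequence number, or None if the quote is
    truncated, carries IP options beyond the buffer, or is not TCP."""
    if len(payload) < 20:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl + 8:
        return None
    if payload[9] != 6:              # IP protocol field: 6 is TCP
        return None
    src = socket.inet_ntoa(payload[12:16])
    dst = socket.inet_ntoa(payload[16:20])
    sport, dport, seq = struct.unpack("!HHI", payload[ihl:ihl + 8])
    return (src, sport, dst, dport), seq


def seq_in_flight(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if seq lies in [snd_una, snd_nxt), i.e. belongs to data this host has sent
    but not yet seen acknowledged. Modular arithmetic handles 32-bit wraparound."""
    return (seq - snd_una) % MOD < (snd_nxt - snd_una) % MOD


def weak_check(table: ConnTable, payload: bytes) -> bool:
    """Vulnerable rule: the error is honoured as soon as the quoted 4-tuple is known."""
    parsed = parse_quoted_packet(payload)
    return parsed is not None and parsed[0] in table


def strict_check(table: ConnTable, payload: bytes) -> bool:
    """Hardened rule: the quoted sequence number must also belong to a segment that this
    host really has in flight on that connection."""
    parsed = parse_quoted_packet(payload)
    if parsed is None or parsed[0] not in table:
        return False
    snd_una, snd_nxt = table[parsed[0]]
    return seq_in_flight(parsed[1], snd_una, snd_nxt)


def build_quoted_packet(src: str, sport: int, dst: str, dport: int, seq: int) -> bytes:
    """Constructed sample: a minimal IPv4 header (no options, checksum left at zero)
    plus the first 8 bytes of a TCP header, as an ICMP error would quote them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHI", sport, dport, seq)


# Constructed connection table of the local host 10.0.0.5: one SSH session with
# 460 bytes in flight (sequence numbers 1000 up to but not including 1460).
TABLE: ConnTable = {("10.0.0.5", 51000, "203.0.113.7", 22): (1000, 1460)}
GENUINE = build_quoted_packet("10.0.0.5", 51000, "203.0.113.7", 22, 1200)
FORGED = build_quoted_packet("10.0.0.5", 51000, "203.0.113.7", 22, 987654321)

if __name__ == "__main__":
    for label, quote in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, "weak:", weak_check(TABLE, quote), "strict:", strict_check(TABLE, quote))
```

The forged quote, which carries the right addresses and ports but an arbitrary sequence number, passes the weak rule and fails the strict one; the genuine quote passes both. Checking against [snd_una, snd_nxt) rather than the receive window is deliberate: the quoted packet is one this host sent, so only its own unacknowledged range is meaningful.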

computer vulnerability bulletin CVE-2004-0230

TCP: denial of service using Reset packets

Synthesis of the vulnerability

By sending packets containing the Reset flag and predicting some information, an attacker can interrupt active TCP sessions.
Impacted products: FabricOS, Brocade Network Advisor, Brocade vTM, FW-1, VPN-1, ASA, Cisco Cache Engine, Cisco Catalyst, Cisco CSS, IOS by Cisco, Cisco Router, Cisco VPN Concentrator, WebNS, FreeBSD, Tru64 UNIX, AIX, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NSMXpress, Windows 2000, Windows 2003, Windows 95, Windows 98, Windows ME, Windows XP, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, TCP protocol, Raptor Firewall, SUSE Linux Enterprise Desktop, SLES, SEF, SGS.
Severity: 3/4.
Consequences: denial of service on client.
Provenance: internet client.
Creation date: 21/04/2004.
Revisions dates: 22/04/2004, 23/04/2004, 26/04/2004, 27/04/2004, 28/04/2004, 03/05/2004, 07/05/2004, 11/05/2004, 15/07/2004, 06/12/2004, 24/12/2004, 18/02/2005, 13/04/2005, 03/05/2005, 12/05/2005, 19/07/2005.
Identifiers: 20040403-01-A, 2005.05.02, 236929, 50960, 50961, 58784, 899480, 922819, BID-10183, BSA-2016-005, CERTA-2004-AVI-138, CERTA-2004-AVI-140, CERTA-2004-AVI-143, CERTFR-2014-AVI-308, CERTFR-2017-AVI-034, CERTFR-2017-AVI-044, CERTFR-2017-AVI-054, CERTFR-2017-AVI-131, CISCO20040420a, CISCO20040420b, cisco-sa-20040420-tcp-ios, cisco-sa-20040420-tcp-nonios, CSCed27956, CSCed32349, CVE-2004-0230, FreeBSD-SA-14:19.tcp, HP01077, IY55949, IY55950, IY62006, IY63363, IY63364, IY63365, IY70026, IY70027, IY70028, JSA10638, MS05-019, MS06-064, NetBSD 2004-006, NetBSD-SA2004-006, Netscreen 58784, OpenBSD 34-019, OpenBSD 35-005, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, SGI 20040403, SUSE-SU-2017:0333-1, SUSE-SU-2017:0437-1, SUSE-SU-2017:0494-1, SUSE-SU-2017:1102-1, V6-TCPRSTWINDOWDOS, VIGILANCE-VUL-4128, VU#415294.

Description of the vulnerability

The TCP header contains a window field which corresponds to the size of the receive buffer of the machine that sent the packet. Thus, if some packets arrive out of order, the machine can store them while waiting for the preceding packets to arrive.

When a TCP connection is established, it can be terminated in two ways:
 - the endpoints exchange packets with the Fin flag set. In this case, the sequence numbers (and the acknowledgement numbers, since the Ack is required) must match exactly.
 - one of the endpoints sends a packet with the Reset flag set. In this case (Ack flag not set), only the sequence number must match, and only approximately: it must fall within the receive window.

Thus, instead of guessing one sequence number among 2^32 values, the attacker only has to send 2^32/window Reset packets. For example, if the window size is 32k, the attacker has to send 2^32/32k = 131072 packets.

Note that to carry out this denial of service using a TCP Reset packet, the attacker must know:
 - the source and destination IP addresses
 - the source and destination ports
Some protocols such as BGP then become sensitive, because this information can be obtained.

An attacker can thus send a TCP packet containing the Reset flag to interrupt an active TCP session.

Note that SYN packets can also be used, but this variant is less efficient because of the limitations generally put in place to protect against synflood attacks.
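The whole bulletin rests on one acceptance rule for RST segments, and the fix that the vendor advisories listed above converged on is a different rule. The following is an added example, not code from the bulletin or from any of the listed products: the in-window RST check described above next to the hardened check later standardised in RFC 5961 (not on the page), in which only a RST at exactly the next expected sequence number aborts the connection, while an in-window RST elsewhere provokes a challenge ACK that a genuine peer answers with a correctly numbered RST and a blind sender cannot. `blind_rst_attempts` is the bulletin's 2^32/window figure as a function. The receive-window values and sample sequence numbers are constructed.

```python
from typing import Dict, Iterable

MOD = 1 << 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_in_window_check(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """The behaviour the bulletin describes: any RST whose sequence number lies inside
    the receive window tears the connection down."""
    return "abort" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_strict_check(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Hardened behaviour: only a RST at exactly rcv_nxt aborts. A RST elsewhere in the
    window is answered with a challenge ACK (carrying rcv_nxt); a RST outside the
    window is dropped as before."""
    if seq == rcv_nxt:
        return "abort"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def blind_rst_attempts(rcv_wnd: int) -> int:
    """RST segments needed to cover the sequence space when any in-window value is
    accepted: 2^32 / window, the bulletin's figure."""
    return MOD // rcv_wnd


def outcomes(seqs: Iterable[int], rcv_nxt: int, rcv_wnd: int) -> Dict[str, Dict[str, int]]:
    """Run both rules over a set of RST sequence numbers and count each verdict."""
    result: Dict[str, Dict[str, int]] = {"in_window": {}, "strict": {}}
    for seq in seqs:
        for name, rule in (("in_window", rst_in_window_check), ("strict", rst_strict_check)):
            verdict = rule(seq, rcv_nxt, rcv_wnd)
            result[name][verdict] = result[name].get(verdict, 0) + 1
    return result


# Constructed connection state and probe values: just below the window, at its left
# edge, inside it, at its right edge, and just past it.
RCV_NXT, RCV_WND = 10000, 32768
SAMPLES = [RCV_NXT - 1, RCV_NXT, RCV_NXT + 100, RCV_NXT + RCV_WND - 1, RCV_NXT + RCV_WND]

if __name__ == "__main__":
    print("attempts for a 32k window:", blind_rst_attempts(32768))
    print(outcomes(SAMPLES, RCV_NXT, RCV_WND))
```

Over the five samples the in-window rule aborts three times and the strict rule once, with the two other in-window values turned into challenge ACKs. The strict rule brings the blind sender back from 2^32/window guesses to guessing one exact value in 2^32, without breaking a legitimate peer, whose reply to the challenge ACK lands on rcv_nxt.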