Executive Summary
| Summary | |
|---|---|
| Title | TCP may keep its offered receive window closed indefinitely (RFC 1122) |
| Informations | |||
|---|---|---|---|
| Name | VU#723308 | First vendor Publication | 2009-11-23 |
| Vendor | VU-CERT | Last vendor Modification | 2009-11-25 |
| Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 7.8 | Attack Range | Network |
| Cvss Impact Score | 6.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
Vulnerability Note VU#723308TCP may keep its offered receive window closed indefinitely (RFC 1122)OverviewPart of the Transmission Control Protocol (TCP) specification (RFC 1122) allows a receiver to advertise a zero byte window, instructing the sender to maintain the connection but not send additional TCP payload data. The sender should then probe the receiver to check if the receiver is ready to accept data. Narrow interpretation of this part of the specification can create a denial-of-service vulnerability. By advertising a zero receive window and acknowledging probes, a malicious receiver can cause a sender to consume resources (TCP state, buffers, and application memory), preventing the targeted service or system from handling legitimate connections.I. DescriptionTCP implementations from multiple vendors are vulnerable to malicious or misbehaving connections that indefinitely advertize a zero receive window. RFC 1122 section 4.2.2.17 states that "A TCP MAY keep its offered receive window closed indefinitely. As long as the receiving TCP continues to send acknowledgments in response to the probe segments, the sending TCP MUST allow the connection to stay open." The TCP connection is open however no data is being transmitted. This "stalled" state is generally referred to as the TCP persist condition.The intent of RFC 1122 section 4.2.2.17 is that TCP must not terminate connections in the persist condition under normal operating conditions. It is possible to interpret the language narrowly to mean that TCP must not terminate connections in the persist condition under any circumstances, and this interpretation is likely to cause denial-of-services vulnerabilities. An attacker can asymmetrically consume server resources by making TCP connections, optionally requesting data, then setting the receive window to zero and repeatedly acknowledging window probes from the server. Consider the analysis and advice provided in the CPNI assessment.
Referenceshttp://tools.ietf.org/html/rfc1122#page-92 http://tools.ietf.org/html/draft-ananth-tcpm-persist-01 http://tools.ietf.org/html/draft-mahesh-persist-timeout-02 http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html http://shlang.com/netkill/ http://www.phrack.org/issues.html?issue=66&id=9#article http://isc.sans.org/diary.html?storyid=5104 http://www.t2.fi/2008/08/27/jack-c-louis-and-robert-e-lee-to-talk-about-new-dos-attack-vectors/ http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939&WT.svl=tease2_2 http://www.ietf.org/mail-archive/web/tcpm/current/msg04040.html http://www.ietf.org/mail-archive/web/tcpm/current/msg03826.html http://www.ietf.org/mail-archive/web/tcpm/current/msg03503.html http://www.ietf.org/mail-archive/web/tcpm/current/msg02870.html http://www.ietf.org/mail-archive/web/tcpm/current/msg02557.html http://www.ietf.org/mail-archive/web/tcpm/current/msg02189.html http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=net/ipv4/tcp_timer.c;h=b144a26359bcf34a4b0606e171f97dc709afdfbb;hb=120f68c426e746771e8c09736c0f753822ff3f52#l233 http://sla.ckers.org/forum/read.php?14,27324 http://www.checkpoint.com/defense/advisories/public/announcement/090809-tcpip-dos-sockstress.html http://www.securityfocus.com/archive/1/archive/1/506331/100/0/ CreditThanks to Mahesh Jethanandani and CERT-FI for their efforts researching and coordinating vendor responses to this vulnerability. Thanks also to Barry Greene, Lars Eggert, Wesley Eddy, and David Borman for their review and comments. This document was written by David Warren and Art Manion.
|
Original Source
| Url : http://www.kb.cert.org/vuls/id/723308 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-16 | Configuration |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:18890 | |||
| Oval ID: | oval:org.mitre.oval:def:18890 | ||
| Title: | CRITICAL PATCH UPDATE JULY 2012 | ||
| Description: | The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2008-4609 | Version: | 3 |
| Platform(s): | Sun Solaris 10 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-09-10 | Name : Microsoft Windows TCP/IP Remote Code Execution Vulnerability (967723) File : nvt/secpod_ms09-048.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 62144 | F5 Multiple Products TCP/IP Implementation Queue Connection Saturation TCP St... |
| 61133 | Citrix Multiple Products TCP/IP Implementation Queue Connection Saturation TC... |
| 59482 | Blue Coat Multiple Products TCP/IP Implementation Queue Connection Saturation... |
| 58614 | McAfee Email and Web Security Appliance TCP/IP Implementation Queue Connectio... |
| 58321 | Check Point Multiple Products TCP/IP Implementation Queue Connection Saturati... |
| 58189 | Yamaha RT Series Routers TCP/IP Implementation Queue Connection Saturation TC... |
| 57993 | Solaris TCP/IP Implementation Queue Connection Saturation TCP State Table Rem... |
| 57797 | Microsoft Windows TCP/IP Orphaned Connection Handling Remote DoS Microsoft Windows contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a series of TCP sessions with pending data, and will result in loss of availability for the platform. |
| 57795 | Microsoft Windows TCP/IP Implementation Queue Connection Saturation TCP State... |
| 57794 | Multiple BSD TCP/IP Implementation Queue Connection Saturation TCP State Tabl... |
| 57793 | Multiple Linux TCP/IP Implementation Queue Connection Saturation TCP State Ta... |
| 50286 | Cisco TCP/IP Implementation Queue Connection Saturation TCP State Table Remot... |
Information Assurance Vulnerability Management (IAVM)
| Date | Description |
|---|---|
| 2009-09-10 | IAVM : 2009-A-0077 - Multiple Microsoft TCP/IP Remote Code Execution Vulnerabilities Severity : Category I - VMSKEY : V0019917 |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2014-01-10 | Microsoft Windows TCP stack zero window size exploit attempt RuleID : 16294 - Revision : 15 - Type : OS-WINDOWS |
| 2014-01-10 | TCP window closed before receiving data RuleID : 15912 - Revision : 10 - Type : OS-WINDOWS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL10509.nasl - Type : ACT_GATHER_INFO |
| 2010-09-01 | Name : The remote device is missing a vendor-supplied security patch. File : cisco-sa-20090908-tcp24http.nasl - Type : ACT_GATHER_INFO |
| 2009-09-08 | Name : Multiple vulnerabilities in the Windows TCP/IP implementation could lead to d... File : smb_nt_ms09-048.nasl - Type : ACT_GATHER_INFO |
