Vulnerability Note VU#464113
TCP/IP implementations handle unusual flag combinations inconsistently
Various vendors' TCP/IP implementations handle packets containing unusual flag combinations in different ways, which may lead to a violation of implicit or explicit security policies.
Background on TCP/IP Connection Semantics
To establish a TCP connection, a client and server must participate in a three-way handshake (as outlined in RFC793 - "Transmission Control Protocol"):
The impact of this vulnerability is that an attacker may be able to establish connections with hosts behind firewalls in violation of implied security policies. As a result, an attacker can send data to hosts and services that he ordinarily cannot reach. An intruder could also leverage this flaw to exploit a vulnerability in passive software listening promiscuously on the inside of the firewall (e.g., a vulnerability in tcpdump or a similar vulnerability in other software). Note that the specific kinds of packets that may bypass a firewall are highly dependent on the implementation of the firewall.
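As an added example (not part of the original note and not any vendor's code), the following Python shows a filter-side check that reads the flag byte of a raw TCP header and reports combinations outside a conservative allowlist, so they can be dropped and logged before a downstream stack has to interpret them. The allowlist, the function names and the sample headers are assumptions constructed for illustration.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"), (URG, "URG")]

# Conservative allowlist (an assumption of this example, not a list from the
# advisory): the SYN/ACK/FIN/RST combinations used by ordinary handshake,
# data transfer, teardown and reset traffic.
EXPECTED = {SYN, SYN | ACK, ACK, FIN | ACK, RST, RST | ACK}


def tcp_flags(header: bytes) -> int:
    """Extract the six RFC 793 control bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def flag_names(flags: int) -> str:
    """Render a flag byte as a readable name such as SYN+FIN."""
    return "+".join(name for bit, name in NAMES if flags & bit) or "NONE"


def is_expected(flags: int) -> bool:
    """True if the flags match the allowlist; PSH/URG are accepted only with ACK."""
    if flags & (PSH | URG) and not flags & ACK:
        return False
    return flags & (SYN | ACK | FIN | RST) in EXPECTED


def audit(headers):
    """Return (index, flag names) for every header the filter should drop and log."""
    return [(i, flag_names(tcp_flags(h))) for i, h in enumerate(headers)
            if not is_expected(tcp_flags(h))]


def make_header(flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (ports and sequence numbers are dummies)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample traffic, not captured packets.
SAMPLE = [make_header(f) for f in (SYN, SYN | ACK, PSH | ACK, SYN | FIN, SYN | RST, 0, FIN | ACK)]

if __name__ == "__main__":
    for idx, names in audit(SAMPLE):
        print(f"segment {idx}: unexpected flags {names}")
```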
Apply a vendor patch. If a vendor patch is not available for your TCP implementation (and even if one is), you may wish to:
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| The SCO Group (SCO Linux) | Affected | 23 Oct 2002 | 01 May 2003 |
| Apple Computer, Inc. | Not Affected | 23 Oct 2002 | 28 Oct 2002 |
| Check Point | Not Affected | 23 Oct 2002 | 25 Oct 2002 |
| Clavister | Not Affected | - | 01 Apr 2003 |
| Cray Inc. | Not Affected | 23 Oct 2002 | 30 Oct 2002 |
| Finjan Software | Not Affected | - | 25 Oct 2002 |
| Foundry Networks Inc. | Not Affected | - | 01 Apr 2003 |
| Fujitsu | Not Affected | 23 Oct 2002 | 03 Dec 2002 |
| Funk Software | Not Affected | - | 25 Oct 2002 |
| Hewlett-Packard Company | Not Affected | 23 Oct 2002 | 10 May 2005 |
| IBM Corporation | Not Affected | 23 Oct 2002 | 01 Apr 2003 |
| Ingrian Networks, Inc. | Not Affected | - | 18 Mar 2003 |
| Lotus Software | Not Affected | 23 Oct 2002 | 14 Mar 2003 |
| Microsoft Corporation | Not Affected | 23 Oct 2002 | 29 Oct 2002 |
| NetScreen | Not Affected | - | 14 Mar 2003 |
This issue was initially described by Paul Starzetz in a mail message sent to the Bugtraq mailing list. We also thank Florian Weimer, Avi Freedman, Alan Cox, and David Waitzman for their invaluable feedback on this subject.
This document was written by Ian A Finlay.
- CVE IDs: CVE-2002-2438
- Date Public: 18 Oct 2002
- Date First Published: 20 Mar 2003
- Date Last Updated: 03 Feb 2012
- Severity Metric: 32.25
- Document Revision: 91