Vulnerability Note VU#637934

TCP does not adequately validate segments before updating timestamp value

Original Release date: 18 May 2005 | Last revised: 23 Aug 2005

Overview

Certain TCP implementations may allow a remote attacker to arbitrarily modify host timestamp values, leading to a denial-of-service condition.

Description

The Transmission Control Protocol (TCP) is defined in RFC 793 as a means to provide reliable host-to-host transmission between hosts in packet-switched computer networks. RFC 1323 introduced techniques to increase the performance of TCP. Two such techniques are TCP timestamps and Protection Against Wrapped Sequence Numbers (PAWS).

In certain implementations of TCP with timestamps enabled, both hosts maintain an internal timer that is used to detect segment loss and regulate traffic flow. PAWS uses timestamps to prevent duplicate or old segments from corrupting an active connection. In PAWS with the timestamps option enabled, hosts use an internal timer to track the value of the timestamp in incoming segments against the last valid timestamp recorded. If the segment's timestamp is larger than the value of the last valid timestamp and the sequence number is less than the last acknowledgement sent, then the host's internal timer is updated with the new timestamp value and the segment is passed on for further processing. Otherwise, the segment is rejected as too old or a duplicate.

If a remote attacker can determine the source and destination ports as well as the IP addresses of both hosts engaged in an active connection, that attacker may be able to inject a specially crafted segment into the connection. When the spoofed segment is received, the host's internal timer value will be changed to the value in the crafted segment. Please note that, in certain TCP implementations, sequence numbers are not properly validated before the internal timer is updated, so an attacker does not need to know a correct sequence number to change the internal timer. If the internal timer value is set to a large value, then it will likely be larger than the timestamp value in subsequent incoming segments. This will cause new, legitimate TCP segments to be evaluated as too old and discarded. As segments are rejected, the flow of data between hosts stops, resulting in a denial-of-service condition.
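As an added illustration, not part of this note or of any vendor's code, the following Python model compares two versions of the receive-side PAWS check described above: one that rewrites the stored timestamp (TS.Recent) without checking the segment's sequence number, which is the defect this note describes, and one that applies the RFC 1323 condition of updating TS.Recent only when SEG.SEQ <= Last.ACK.sent. The class and function names, the sequence numbers, timestamps and the traffic sequence are all constructed for the example; the model ignores windows, retransmission and the 24-day idle rule.

```python
# Added example (not from VU#637934 or any vendor implementation): a simplified
# receive-side model of the RFC 1323 PAWS timestamp check. All names, constants
# and segments are constructed for illustration.
from dataclasses import dataclass, field

TS_MODULO = 1 << 32  # TCP timestamps are 32-bit values that wrap around


def ts_lt(a: int, b: int) -> bool:
    """True if 32-bit timestamp a is 'before' b in wrap-around arithmetic."""
    return ((a - b) % TS_MODULO) >= (1 << 31)


@dataclass
class Segment:
    seq: int          # SEG.SEQ
    tsval: int        # TSval from the timestamp option
    payload_len: int = 1


@dataclass
class PawsReceiver:
    """Per-connection receive state that matters for PAWS (RFC 1323, section 4.2)."""
    ts_recent: int        # last valid timestamp recorded (TS.Recent)
    last_ack_sent: int    # sequence number acknowledged last (Last.ACK.sent)
    validate_seq: bool    # False = vulnerable behaviour, True = RFC 1323 rule
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def receive(self, seg: Segment) -> bool:
        # PAWS test: a segment whose timestamp is older than TS.Recent is treated
        # as an old duplicate and dropped.
        if ts_lt(seg.tsval, self.ts_recent):
            self.rejected.append(seg)
            return False
        # RFC 1323 allows TS.Recent to be updated only when the segment covers the
        # sequence number we acknowledged last (SEG.SEQ <= Last.ACK.sent). The
        # vulnerable variant skips that condition, so any segment that passes the
        # timestamp test, whatever its sequence number, rewrites TS.Recent.
        if not self.validate_seq or seg.seq <= self.last_ack_sent:
            self.ts_recent = seg.tsval
        # Simplified data processing: only exactly in-order data is accepted.
        if seg.seq == self.last_ack_sent:
            self.last_ack_sent += seg.payload_len
            self.accepted.append(seg)
            return True
        self.rejected.append(seg)
        return False


def simulate(validate_seq: bool) -> dict:
    """Run a constructed traffic sequence through a receiver and report the outcome."""
    rx = PawsReceiver(ts_recent=1000, last_ack_sent=5000, validate_seq=validate_seq)
    # Legitimate peer traffic: consecutive sequence numbers, slowly advancing timestamps.
    for i in range(3):
        rx.receive(Segment(seq=5000 + i, tsval=1001 + i))
    # Constructed spoofed segment: matching connection 4-tuple assumed, sequence
    # number far outside the expected range, timestamp far in the future.
    rx.receive(Segment(seq=999_999, tsval=1_000_000))
    # Legitimate traffic arriving after the spoofed segment.
    later = [rx.receive(Segment(seq=5003 + i, tsval=1004 + i)) for i in range(3)]
    return {
        "ts_recent": rx.ts_recent,
        "later_accepted": sum(later),   # legitimate segments still accepted
        "rejected": len(rx.rejected),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(validate_seq=False))
    print("rfc1323:   ", simulate(validate_seq=True))
```

In the vulnerable run the spoofed segment is itself discarded as out of order, but it has already moved TS.Recent to 1,000,000, so every later legitimate segment fails the timestamp test and the connection stalls; with the sequence-number condition in place TS.Recent is untouched and the later segments are accepted. On a live host the equivalent symptom is a connection whose segments keep failing the PAWS check while the peer keeps retransmitting, which is the denial-of-service condition the note describes.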

For more information about TCP, timestamps, and PAWS please see RFC 793 and RFC 1323.

Impact

An unauthenticated, remote attacker could cause TCP connections to abort/drop segments, leading to a denial-of-service condition.

Solution

Apply a patch

Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take. Please see the list of vendors we have notified below.

Disable PAWS

As a workaround, disable PAWS and TCP timestamps if they are not needed.

Systems Affected

Vendor                   Status        Date Notified  Date Updated
Avaya                    Affected      09 Mar 2005    30 Jun 2005
Blue Coat Systems        Affected      -              30 Jun 2005
Cisco Systems Inc.       Affected      09 Mar 2005    06 Jun 2005
FreeBSD                  Affected      09 Mar 2005    25 May 2005
Hitachi                  Affected      09 Mar 2005    20 Jun 2005
Microsoft Corporation    Affected      09 Mar 2005    18 May 2005
OpenBSD                  Affected      09 Mar 2005    18 May 2005
Redback Networks Inc.    Affected      09 Mar 2005    19 May 2005
Yamaha                   Affected      -              26 May 2005
Check Point              Not Affected  09 Mar 2005    19 May 2005
Clavister                Not Affected  09 Mar 2005    18 May 2005
Foundry Networks Inc.    Not Affected  09 Mar 2005    18 May 2005
Fujitsu                  Not Affected  09 Mar 2005    23 May 2005
NEC Corporation          Not Affected  09 Mar 2005    17 May 2005
Netfilter                Not Affected  09 Mar 2005    17 Mar 2005

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

Thanks to Noritoshi Demizu for researching and reporting this vulnerability.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CAN-2005-0356
  • Date Public: 18 May 2005
  • Date First Published: 18 May 2005
  • Date Last Updated: 23 Aug 2005
  • Severity Metric: 4.72
  • Document Revision: 215

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.