US-CERT Vulnerability Notes Database

Vulnerability Note VU#637934

TCP does not adequately validate segments before updating timestamp value

Overview

Certain TCP implementations may allow a remote attacker to arbitrarily modify host timestamp values, leading to a denial-of-service condition.

I. Description

The Transmission Control Protocol (TCP) is defined in RFC 793 as a means to provide reliable host-to-host transmission in packet-switched computer networks. RFC 1323 introduced techniques to increase the performance of TCP. Two such techniques are TCP timestamps and Protection Against Wrapped Sequence Numbers (PAWS).

In certain implementations of TCP with timestamps enabled, both hosts maintain an internal timer that is used to detect segment loss and regulate traffic flow. PAWS uses timestamps to prevent duplicate or old segments from corrupting an active connection. In PAWS with the timestamps option enabled, hosts compare the timestamp in each incoming segment against the last valid timestamp recorded. If the segment's timestamp is larger than the value of the last valid timestamp and the sequence number is less than the last acknowledgement sent, then the host's internal timer is updated with the new timestamp value and the segment is passed on for further processing. Otherwise, the segment is rejected as too old or a duplicate.

If a remote attacker can determine the source and destination ports as well as the IP addresses of both hosts engaged in an active connection, that attacker may be able to inject a specially crafted segment into the connection. When the spoofed segment is received, the host's internal timer value will be changed to the value in the crafted segment. Please note that, in certain TCP implementations, sequence numbers are not properly validated before the internal timer is updated, so an attacker does not need to know a correct sequence number to change the internal timer. If the internal timer value is set to a large value, then it will likely be larger than the timestamp value in subsequent incoming segments. This will cause new, legitimate TCP segments to be evaluated as too old and discarded. As segments are rejected, the flow of data between hosts stops, resulting in a denial-of-service condition.
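The following is an added example, not code from this vulnerability note or from any vendor's TCP stack. It models the receive-side PAWS logic of RFC 1323 section 4.2 on a simplified connection state (the struct names, field names and all numeric values are constructed) and contrasts an implementation that records TS.Recent before validating the segment against the receive window with one that applies the RFC's ordering: reject by PAWS, reject out-of-window segments, and only then update TS.Recent when SEG.SEQ <= Last.ACK.sent. The scenario feeds one out-of-window segment carrying a very large timestamp, followed by legitimate in-order segments, and counts how many legitimate segments each variant still accepts.

```c
/* Added example: a constructed model of RFC 1323 PAWS receive processing,
   not the vulnerability note's or any vendor's code. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Receiver-side connection state relevant to PAWS (constructed model). */
struct conn {
    uint32_t ts_recent;      /* TS.Recent: last valid timestamp recorded */
    uint32_t rcv_nxt;        /* RCV.NXT: next sequence number expected */
    uint32_t rcv_wnd;        /* receive window size */
    uint32_t last_ack_sent;  /* Last.ACK.sent: ACK number in the last segment we sent */
};

/* The fields of an incoming segment that the checks below need. */
struct segment {
    uint32_t seq;    /* SEG.SEQ */
    uint32_t len;    /* SEG.LEN */
    uint32_t tsval;  /* SEG.TSval from the timestamps option */
};

/* Modular (wrap-safe) comparisons, as RFC 1323 requires for 32-bit timestamps
   and RFC 793 for sequence numbers. */
static bool ts_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_leq(uint32_t a, uint32_t b)   { return (int32_t)(a - b) <= 0; }
static bool seq_in_range(uint32_t lo, uint32_t x, uint32_t hi_excl) {
    return (int32_t)(x - lo) >= 0 && (int32_t)(hi_excl - x) > 0;
}

/* RFC 793 acceptability test: at least one byte of the segment lies inside
   [RCV.NXT, RCV.NXT + RCV.WND). */
static bool in_window(const struct conn *c, const struct segment *s) {
    uint32_t wnd_end = c->rcv_nxt + c->rcv_wnd;
    if (c->rcv_wnd == 0)
        return s->len == 0 && s->seq == c->rcv_nxt;
    if (s->len == 0)
        return seq_in_range(c->rcv_nxt, s->seq, wnd_end);
    uint32_t last = s->seq + s->len - 1;
    return seq_in_range(c->rcv_nxt, s->seq, wnd_end) ||
           seq_in_range(c->rcv_nxt, last, wnd_end);
}

/* The behaviour the note describes: TS.Recent is overwritten as soon as the
   timestamp looks newer, before the sequence number is validated. The window
   check still drops the forged segment, but TS.Recent has already been changed. */
bool process_vulnerable(struct conn *c, const struct segment *s) {
    if (ts_before(s->tsval, c->ts_recent))
        return false;              /* PAWS: segment too old, drop it */
    c->ts_recent = s->tsval;       /* defect: recorded before validation */
    return in_window(c, s);
}

/* RFC 1323 ordering (R1-R3): PAWS reject, window reject, then record
   TS.Recent only for a segment with SEG.SEQ <= Last.ACK.sent. */
bool process_fixed(struct conn *c, const struct segment *s) {
    if (ts_before(s->tsval, c->ts_recent))
        return false;              /* R1: PAWS reject */
    if (!in_window(c, s))
        return false;              /* R2: outside the receive window */
    if (seq_leq(s->seq, c->last_ack_sent))
        c->ts_recent = s->tsval;   /* R3: safe to record the timestamp */
    return true;
}

/* Constructed scenario: an established connection receives one out-of-window
   segment carrying a very large timestamp, then five legitimate in-order
   segments. Returns how many of the five legitimate segments were accepted. */
int run_scenario(bool (*process)(struct conn *, const struct segment *)) {
    struct conn c = { .ts_recent = 1000, .rcv_nxt = 5000,
                      .rcv_wnd = 65535, .last_ack_sent = 5000 };
    struct segment bogus = { .seq = 0xDEAD0000u, .len = 1, .tsval = 0x7FFF0000u };
    process(&c, &bogus);
    int accepted = 0;
    for (int i = 0; i < 5; i++) {
        struct segment legit = { .seq = c.rcv_nxt, .len = 100, .tsval = 1001u + (uint32_t)i };
        if (process(&c, &legit)) {
            accepted++;
            c.rcv_nxt += legit.len;        /* data consumed in order */
            c.last_ack_sent = c.rcv_nxt;   /* we acknowledged up to here */
        }
    }
    return accepted;
}

int main(void) {
    printf("vulnerable ordering: %d of 5 legitimate segments accepted\n",
           run_scenario(process_vulnerable));
    printf("RFC 1323 ordering:   %d of 5 legitimate segments accepted\n",
           run_scenario(process_fixed));
    return 0;
}
```

With the vulnerable ordering the single out-of-window segment raises TS.Recent to a value every later legitimate timestamp falls below, so all subsequent data is discarded by PAWS; with the RFC ordering the same segment is dropped at the window check and TS.Recent is never touched.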

For more information about TCP, timestamps, and PAWS please see RFC 793 and RFC 1323.

II. Impact

An unauthenticated, remote attacker could cause TCP connections to abort or drop segments, leading to a denial-of-service condition.

III. Solution

Apply a patch

Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take. Please see the list of vendors we have notified below.

Disable PAWS

As a workaround, disable PAWS and TCP timestamps if they are not needed.

Systems Affected

Vendor | Status | Date
3Com | Unknown | 9-Mar-2005
Alcatel | Unknown | 9-Mar-2005
Apple Computer Inc. | Unknown | 9-Mar-2005
AT&T | Unknown | 9-Mar-2005
Avaya | Vulnerable | 30-Jun-2005
Avici Systems Inc. | Unknown | 9-Mar-2005
Blue Coat Systems | Vulnerable | 30-Jun-2005
Borderware | Unknown | 9-Mar-2005
Check Point | Not Vulnerable | 19-May-2005
Chiaro Networks | Unknown | 18-May-2005
Cisco Systems Inc. | Vulnerable | 6-Jun-2005
Clavister | Not Vulnerable | 18-May-2005
Computer Associates | Unknown | 9-Mar-2005
Conectiva | Unknown | 9-Mar-2005
Cray Inc. | Unknown | 9-Mar-2005
Cwnt | Unknown | 9-Mar-2005
Data Connection | Unknown | 9-Mar-2005
Debian | Unknown | 9-Mar-2005
EMC Corporation | Unknown | 9-Mar-2005
Engarde | Unknown | 9-Mar-2005
eSoft | Unknown | 9-Mar-2005
Extreme Networks | Unknown | 9-Mar-2005
F5 Networks | Unknown | 9-Mar-2005
Fortinet | Unknown | 9-Mar-2005
Foundry Networks Inc. | Not Vulnerable | 18-May-2005
FreeBSD | Vulnerable | 25-May-2005
Fujitsu | Not Vulnerable | 23-May-2005
GTA | Unknown | 9-Mar-2005
Hewlett-Packard Company | Unknown | 17-May-2005
Hitachi | Vulnerable | 20-Jun-2005
Hyperchip | Unknown | 9-Mar-2005
IBM | Unknown | 9-Mar-2005
IBM eServer | Unknown | 9-Mar-2005
IBM zSeries | Unknown | 9-Mar-2005
Immunix | Unknown | 9-Mar-2005
Ingrian Networks | Unknown | 9-Mar-2005
Inoto | Unknown | 9-Mar-2005
Intel | Unknown | 9-Mar-2005
Internet Security Systems Inc. | Unknown | 9-Mar-2005
IP Filter | Unknown | 9-Mar-2005
Juniper Networks | Unknown | 9-Mar-2005
Lachman | Unknown | 9-Mar-2005
Linksys | Unknown | 9-Mar-2005
Lucent Technologies | Unknown | 9-Mar-2005
Luminous | Unknown | 9-Mar-2005
MandrakeSoft | Unknown | 9-Mar-2005
Microsoft Corporation | Vulnerable | 18-May-2005
MontaVista Software | Unknown | 9-Mar-2005
Multi-Tech Systems Inc. | Unknown | 9-Mar-2005
Multinet | Unknown | 9-Mar-2005
NEC Corporation | Not Vulnerable | 17-May-2005
NetBSD | Unknown | 9-Mar-2005
Netfilter | Not Vulnerable | 17-Mar-2005
Netscreen | Unknown | 9-Mar-2005
Network Appliance | Unknown | 9-Mar-2005
NextHop | Not Vulnerable | 16-Mar-2005
Nokia | Unknown | 9-Mar-2005
Nortel Networks | Unknown | 24-May-2005
Novell | Unknown | 9-Mar-2005
OpenBSD | Vulnerable | 18-May-2005
Openwall GNU/*/Linux | Unknown | 9-Mar-2005
Red Hat Inc. | Not Vulnerable | 23-Aug-2005
Redback Networks Inc. | Vulnerable | 19-May-2005
Riverstone Networks | Unknown | 9-Mar-2005
SCO Linux | Unknown | 9-Mar-2005
SCO Unix | Unknown | 9-Mar-2005
Secure Computing Corporation | Not Vulnerable | 11-Apr-2005
SecureWorx | Unknown | 9-Mar-2005
Sequent | Unknown | 9-Mar-2005
SGI | Unknown | 9-Mar-2005
Sony Corporation | Unknown | 9-Mar-2005
Stonesoft | Unknown | 9-Mar-2005
Sun Microsystems Inc. | Not Vulnerable | 11-Apr-2005
SuSE Inc. | Unknown | 9-Mar-2005
Symantec Corporation | Unknown | 9-Mar-2005
TurboLinux | Unknown | 9-Mar-2005
Unisys | Unknown | 9-Mar-2005
WatchGuard | Not Vulnerable | 15-Apr-2005
Wind River Systems Inc. | Unknown | 18-May-2005
Yamaha | Vulnerable | 26-May-2005
ZyXEL | Unknown | 9-Mar-2005

References

http://www.ietf.org/rfc/rfc1323.txt
http://www.ietf.org/rfc/rfc793.txt
http://www.securityfocus.com/bid/13676

Credit

Thanks to Noritoshi Demizu for researching and reporting this vulnerability.

This document was written by Jeff Gennari.

Other Information

Date Public: 2005-05-18
Date First Published: 2005-05-18
Date Last Updated: 2005-08-23
CERT Advisory:
CVE-ID(s): CAN-2005-0356
NVD-ID(s): CAN-2005-0356
US-CERT Technical Alerts:
Metric: 4.72
Document Revision: 215

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Copyright 2005 Carnegie Mellon University