Vulnerability Note VU#637934
TCP does not adequately validate segments before updating timestamp value
Certain TCP implementations may allow a remote attacker to arbitrarily modify host timestamp values, leading to a denial-of-service condition.
The Transmission Control Protocol (TCP) is defined in RFC 793 as a means to provide reliable host-to-host transmission between hosts in a packet-switched computer networks. RFC 1323 introduced techniques to increase the performance of TCP. Two such techniques are TCP timestamps and Protection Against Wrapped Sequence Numbers (PAWS).
In certain implementations of TCP with timestamps enabled, both hosts maintain an internal timer that is used to detect segment loss and regulate traffic flow. PAWS uses timestamps to prevent duplicate or old segments from corrupting an active connection. In PAWS with the timestamps option enabled, hosts use an internal timer to track the value of the timestamp in incoming segments against the last valid timestamp recorded. If the segment's timestamp is larger than the value of the last valid timestamp and the sequence number is less than the last acknowledgement sent, then the host's internal timer is updated with the new timestamp value and the segment is passed on for further processing. Otherwise, the segment is rejected as too old or a duplicate.
An unauthenticated, remote attacker could cause TCP connections to abort/drop segments, leading to a denial-of-service condition.
Apply a patch
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Avaya||Affected||09 Mar 2005||30 Jun 2005|
|Blue Coat Systems||Affected||-||30 Jun 2005|
|Cisco Systems Inc.||Affected||09 Mar 2005||06 Jun 2005|
|FreeBSD||Affected||09 Mar 2005||25 May 2005|
|Hitachi||Affected||09 Mar 2005||20 Jun 2005|
|Microsoft Corporation||Affected||09 Mar 2005||18 May 2005|
|OpenBSD||Affected||09 Mar 2005||18 May 2005|
|Redback Networks Inc.||Affected||09 Mar 2005||19 May 2005|
|Yamaha||Affected||-||26 May 2005|
|Check Point||Not Affected||09 Mar 2005||19 May 2005|
|Clavister||Not Affected||09 Mar 2005||18 May 2005|
|Foundry Networks Inc.||Not Affected||09 Mar 2005||18 May 2005|
|Fujitsu||Not Affected||09 Mar 2005||23 May 2005|
|NEC Corporation||Not Affected||09 Mar 2005||17 May 2005|
|Netfilter||Not Affected||09 Mar 2005||17 Mar 2005|
CVSS Metrics (Learn More)
Thanks to Noritoshi Demizu for researching and reporting this vulnerability.
This document was written by Jeff Gennari.
- CVE IDs: CAN-2005-0356
- Date Public: 18 May 2005
- Date First Published: 18 May 2005
- Date Last Updated: 23 Aug 2005
- Severity Metric: 4.72
- Document Revision: 215
If you have feedback, comments, or additional information about this vulnerability, please send us email.