Various vendors' TCP/IP implementations handle packets containing unusual flag combinations in different ways, which may lead to a violation of implicit or explicit security policies.
Background on TCP/IP Connection Semantics
To establish a TCP connection, a client and server must participate in a three-way handshake (as outlined in RFC793 - "Transmission Control Protocol"):
The impact of this vulnerability is that an attacker may be able to establish connections with hosts behind firewalls in violation of implied security policies. As a result, an attacker can send data to hosts and services that he ordinarily cannot reach. An intruder could also leverage this flaw to exploit a vulnerability in passive software listening promiscuously on the inside of the firewall (e.g., vulnerability in tcpdump or some similar vulnerability). Note that the specific kinds of packets that may bypass a firewall are highly dependent on the implementation of the firewall.
Apply a vendor patch. If a vendor patch is not available for your TCP implementation (and even if one is), you may wish to:
The SCO Group (SCO Linux)
Apple Computer, Inc.
Foundry Networks Inc.
Ingrian Networks, Inc.
Sun Microsystems, Inc.
Berkeley Software Design, Inc.
Cisco Systems, Inc.
F5 Networks, Inc.
Juniper Networks, Inc.
MontaVista Software, Inc.
Nortel Networks, Inc.
Red Hat, Inc.
Sequent Computer Systems, Inc.
The SCO Group (SCO Unix)
Wind River Systems, Inc.
This issue was initially described by Paul Starzetz in a mail message sent to the Bugtraq mailing list. We also thank Florian Weimer, Avi Freedman, Alan Cox, and David Waitzman for their invaluable feedback on this subject.
This document was written by Ian A Finlay.
|Date First Published:||2003-03-20|
|Date Last Updated:||2012-02-03 18:46 UTC|