Certain TCP implementations may allow a remote attacker to arbitrarily modify host timestamp values, leading to a denial-of-service condition.
The Transmission Control Protocol (TCP) is defined in RFC 793 as a means to provide reliable host-to-host transmission between hosts in a packet-switched computer networks. RFC 1323 introduced techniques to increase the performance of TCP. Two such techniques are TCP timestamps and Protection Against Wrapped Sequence Numbers (PAWS).
In certain implementations of TCP with timestamps enabled, both hosts maintain an internal timer that is used to detect segment loss and regulate traffic flow. PAWS uses timestamps to prevent duplicate or old segments from corrupting an active connection. In PAWS with the timestamps option enabled, hosts use an internal timer to track the value of the timestamp in incoming segments against the last valid timestamp recorded. If the segment's timestamp is larger than the value of the last valid timestamp and the sequence number is less than the last acknowledgement sent, then the host's internal timer is updated with the new timestamp value and the segment is passed on for further processing. Otherwise, the segment is rejected as too old or a duplicate.
An unauthenticated, remote attacker could cause TCP connections to abort/drop segments, leading to a denial-of-service condition.
Apply a patch
Thanks to Noritoshi Demizu for researching and reporting this vulnerability.
This document was written by Jeff Gennari.
|Date First Published:||2005-05-18|
|Date Last Updated:||2005-08-23 15:39 UTC|