
CERT Coordination Center

TCP may keep its offered receive window closed indefinitely (RFC 1122)

Vulnerability Note VU#723308

Original Release Date: 2009-11-23 | Last Revised: 2013-02-13

Overview

Part of the Transmission Control Protocol (TCP) specification (RFC 1122) allows a receiver to advertise a zero-byte window, instructing the sender to keep the connection open but to send no further TCP payload data. The sender then periodically probes the receiver to check whether it is ready to accept data. A narrow interpretation of this part of the specification can create a denial-of-service vulnerability: by advertising a zero receive window and acknowledging the probes, a malicious receiver can make a sender hold resources (TCP state, buffers, and application memory) indefinitely, preventing the targeted service or system from handling legitimate connections.

Description

TCP implementations from multiple vendors are vulnerable to malicious or misbehaving peers that indefinitely advertise a zero receive window. RFC 1122 section 4.2.2.17 states that "A TCP MAY keep its offered receive window closed indefinitely. As long as the receiving TCP continues to send acknowledgments in response to the probe segments, the sending TCP MUST allow the connection to stay open." The TCP connection remains open, but no data is transmitted. This "stalled" state is generally referred to as the TCP persist condition.

The intent of RFC 1122 section 4.2.2.17 is that TCP must not terminate connections in the persist condition under normal operating conditions. It is possible to interpret the language narrowly to mean that TCP must not terminate connections in the persist condition under any circumstances, and this interpretation is likely to cause denial-of-service vulnerabilities. An attacker can asymmetrically consume server resources by making TCP connections, optionally requesting data, then setting the receive window to zero and repeatedly acknowledging window probes from the server.

General consensus of the IETF TCP Maintenance and Minor Extensions (TCPM) working group is that an operating system or application can abort TCP connections for any reason, including resource exhaustion. TCP itself cannot reliably decide to abort connections in the persist condition, and doing so at the TCP layer would violate the protocol standard; however, nothing in the standard prevents an operating system or application from aborting connections to recover memory.

This vulnerability, one specific attack (section 3), and a proposed defense (section 7) are further described in the individual IETF Internet-Draft "Clarification of sender behaviour in persist condition." A more comprehensive review of TCP state vulnerabilities is presented in CPNI Technical Note 3/2009: Security Assessment of the Transmission Control Protocol (TCP). The CPNI document describes the persist condition in section 3.7.2 and suggests countermeasures in section 7.1.2.

Persist condition attacks are implemented in the sockstress and Nkiller2 tools. Typically, these tools leverage a lightweight userland connection framework to generate many attacking connections without the overhead of full TCP state. There are different variants of attacks that exploit the persist condition, and some attack tools exploit other timers and states in TCP. Please see the CERT-FI Advisory on the Outpost24 TCP Issues for further information about sockstress including vendor responses.

The security aspects of the TCP persist condition have been discussed on the TCPM working group mailing list since at least 2006.

Impact

A remote, unauthenticated attacker can cause a denial of service. The attacker may be able to cause the operating system or network application to be unresponsive for the duration of the attack.

Solution

Modifications can be made to TCP implementations, interfaces, operating systems, and network applications, however any changes should consider the balance between improved resiliency and decreased interoperability. The IETF TCPM is considering the problem and any potential changes to TCP or guidance to implementors. As of the publication of this vulnerability note, the IETF has not yet decided whether additional clarifications of the TCP specifications are necessary. Some vendors have implemented changes to improve resiliency against zero window and other TCP state attacks. Consider the analysis and advice provided in the CPNI assessment.


Abort misbehaving TCP connections under resource exhaustion conditions

The consensus of the TCPM discussion seems to be that an operating system or application that faces resource exhaustion can selectively abort TCP connections that appear to be malicious (i.e., in persist condition and consuming relatively large amounts of memory). TCP must implement the persist behavior in RFC 1122, but a higher protocol layer can decide to abort a connection for any reason, including resource exhaustion. How and when to abort connections are open questions, and beyond the scope of the TCP protocol specification.

Section 7 of the "Clarification..." I-D describes an approach in which an application can limit how long the underlying TCP socket should tolerate connections in the persist condition. However, section 7.1.2 of the CPNI assessment warns that "...an attacker could simply open the window (i.e., advertise a TCP window larger than zero) from time to time to prevent this enforced limit from causing his malicious connections to be aborted."

A system that aborts TCP connections too aggressively is likely to drop legitimate connections. Carefully consider the likelihood of attack, the cost of dropping legitimate connections, and the benefit of dropping malicious connections before making design or configuration changes to TCP components of operating systems and applications. It is unlikely that one setting will work well for every TCP system.
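The application-layer defense described above, as an added example that is not part of this note or of any vendor's code. It assumes a Linux-style sockets API (SO_LINGER with a zero timeout to abort with RST, SO_RCVBUF/SO_SNDBUF caps) and builds its own loopback fixture; the 1 MiB payload, the 4096/16384-byte buffer sizes and the policy thresholds are constructed values. The stalled-peer demo is the persist condition as the note describes it: a client that requests data and then simply never reads, so its kernel advertises a zero window and keeps answering the server's probes. The server side enforces a minimum drain rate rather than a "seconds spent at zero window" timer, which is the adjustment the CPNI 7.1.2 caveat calls for, since a peer that briefly reopens its window still fails a throughput floor.

```python
import select
import socket
import struct
import threading
import time


def abort_with_rst(conn):
    """SO_LINGER with a zero timeout makes close() send RST instead of FIN, so the kernel
    frees the socket, its send queue and its TCP control block at once (no FIN_WAIT/TIME_WAIT)."""
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def send_with_stall_policy(conn, payload, window=0.25, min_bytes_per_window=1024,
                           max_slow_windows=4):
    """Write `payload` to a non-blocking socket, enforcing a minimum drain rate.

    Progress is what the kernel accepts per `window` seconds, which it does only after the
    peer ACKs data and reopens its window. A throughput floor rather than a "seconds at
    zero window" timer means a peer that briefly reopens its window (the CPNI 7.1.2
    evasion) still trips the policy after `max_slow_windows` consecutive slow windows."""
    view = memoryview(payload)
    sent = slow_windows = 0
    while sent < len(view):
        window_end = time.monotonic() + window
        window_bytes = 0
        while sent < len(view):
            try:
                n = conn.send(view[sent:sent + 65536])
                sent += n
                window_bytes += n
            except BlockingIOError:  # send queue full: peer's window closed or not draining
                remaining = window_end - time.monotonic()
                if remaining <= 0:
                    break
                select.select([], [conn], [], remaining)  # wake on free space or window end
            if time.monotonic() >= window_end:
                break
        if sent >= len(view):
            break
        slow_windows = slow_windows + 1 if window_bytes < min_bytes_per_window else 0
        if slow_windows >= max_slow_windows:
            abort_with_rst(conn)
            return {"sent": sent, "aborted": True}
    return {"sent": sent, "aborted": False}


def loopback_pair(client_rcvbuf=4096, server_sndbuf=16384):
    """Constructed fixture: connected (server_side, client_side) sockets on 127.0.0.1. The
    client's small SO_RCVBUF (set before connect, which also disables autotuning) caps the
    window it can advertise; the server's SO_SNDBUF caps what one stalled connection pins."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, client_rcvbuf)
    cli.connect(lst.getsockname())
    srv, _ = lst.accept()
    lst.close()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, server_sndbuf)
    srv.setblocking(False)
    return srv, cli


PAYLOAD = b"x" * (1 << 20)  # constructed 1 MiB response the server tries to deliver


def demo_stalled_peer():
    """Peer that connects and never reads: its kernel advertises a zero window and keeps
    answering window probes, which is the persist condition the note describes."""
    srv, cli = loopback_pair()
    try:
        return send_with_stall_policy(srv, PAYLOAD)
    finally:
        cli.close()


def demo_healthy_peer():
    """Control: a peer that drains the connection, so the same policy never trips."""
    srv, cli = loopback_pair()
    drained = [0]

    def reader():
        for chunk in iter(lambda: cli.recv(65536), b""):
            drained[0] += len(chunk)

    t = threading.Thread(target=reader, daemon=True)
    t.start()
    result = send_with_stall_policy(srv, PAYLOAD)
    srv.close()  # FIN lets the reader hit EOF
    t.join(5)
    cli.close()
    result["drained"] = drained[0]
    return result
```

Against the stalled peer the server hands over only what fits in its own send buffer plus the peer's receive buffer (tens of kilobytes here), then sees four consecutive windows with no progress and resets the connection about a second later; against the healthy peer the whole payload goes through and nothing is aborted. Two points from the note carry over to any real deployment: the thresholds are a trade-off, so a floor of 1024 bytes per 250 ms is only a demonstration value and the policy should be armed under memory pressure rather than unconditionally; and because the floor is a rate, an attacker who wants to keep a connection alive must now actually receive data at that rate, which removes most of the asymmetry the attack relies on. On Linux the bytes each stalled socket pins can be read with the SIOCOUTQ ioctl, which is the natural input for choosing which connections to abort first.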

Restrict Access

Restricting access or limiting connections to TCP services using firewalls can mitigate zero window attacks, at the cost of potentially blocking legitimate connections.

Vendor Information

Generally, any system or product that implements or uses TCP could be affected by this vulnerability, depending on how the product handles resource exhaustion and TCP connections in persist. By design, TCP does not inherently defend against denial-of-service attacks based on resource exhaustion. Decisions about how to detect and respond to such attacks are the responsibility of individual systems or products.

Please see the CERT-FI Advisory on the Outpost24 TCP Issues for further vendor information.


Check Point Software Technologies

Notified:  June 26, 2009 Updated:  November 05, 2009

Statement Date:   October 15, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

On September 08, 2009, when CERT-FI published the Sockstress advisory (CVE-2008-4609), Check Point released protections that mitigate both Sockstress and NKiller2 attacks. The following SecureKnowledge articles discuss these advisories:

Vendor References

Cisco Systems, Inc.

Notified:  June 26, 2009 Updated:  November 18, 2009

Status

  Vulnerable

Vendor Statement

Cisco has published a Security Advisory dealing with the Outpost24 vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

Extreme Networks

Notified:  June 26, 2009 Updated:  October 14, 2009

Status

  Vulnerable

Vendor Statement

This issue is being tracked internally by Product Defect Number PD4-899333484.

Workaround:
Use the "access-profile" to allow only the trusted IP address, while enabling TCP based applications (like telnet, ssh, http, https) on the switch.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Force10 Networks, Inc.

Notified:  June 26, 2009 Updated:  July 22, 2011

Status

  Affected

Vendor Statement

This vulnerability is being worked on. The fix will be available in FTOS version 8.6.1.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  June 26, 2009 Updated:  November 18, 2009

Statement Date:   November 18, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

Linux Kernel Archives

Updated:  November 18, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

Microsoft Corporation

Notified:  June 26, 2009 Updated:  November 23, 2009

Statement Date:   October 16, 2009

Status

  Vulnerable

Vendor Statement

Please see MS09-048.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

Red Hat, Inc.

Notified:  June 26, 2009 Updated:  December 01, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

http://kbase.redhat.com/faq/docs/DOC-21623

Vendor References

Sun Microsystems, Inc.

Notified:  June 26, 2009 Updated:  November 05, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

The SCO Group

Notified:  June 26, 2009 Updated:  December 01, 2009

Statement Date:   July 03, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetApp

Notified:  June 26, 2009 Updated:  October 14, 2009

Status

  Not Vulnerable

Vendor Statement

NetApp would like to announce officially that Data ONTAP(R) is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

VMware

Notified:  September 04, 2009 Updated:  October 14, 2009

Status

  Not Vulnerable

Vendor Statement

VMware products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

3com, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Barracuda Networks

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Borderware Technologies

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Charlotte's Web Networks

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Clavister

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Associates

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Associates eTrust Security Management

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Enterasys Networks

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Networks, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  November 24, 2009 Updated:  November 23, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IP Filter

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IP Infusion, Inc.

Notified:  October 14, 2009 Updated:  October 14, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Security Systems, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intoto

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Luminous Networks

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multitech, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PePLink

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Process Software

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Q1 Labs

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quagga

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

RadWare, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Redback Networks, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secureworx, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SmoothWall

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Snort

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Soapstone Networks

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sourcefire

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Stonesoft

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TippingPoint, Technologies, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

U4EA Technologies, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vyatta

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Watchguard Technologies, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eSoft, Inc.

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

netfilter

Notified:  June 26, 2009 Updated:  June 26, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.



CVSS Metrics

Group Score Vector
Base 0.0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0.0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Mahesh Jethanandani and CERT-FI for their efforts researching and coordinating vendor responses to this vulnerability. Thanks also to Barry Greene, Lars Eggert, Wesley Eddy, and David Borman for their review and comments.

This document was written by David Warren and Art Manion.

Other Information

CVE IDs: CVE-2009-1926, CVE-2008-4609
Severity Metric: 15.59
Date Public: 2006-07-20
Date First Published: 2009-11-23
Date Last Updated: 2013-02-13 19:33 UTC
Document Revision: 122

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.