
246929.html

Posted Apr 22, 2004
Site uniras.gov.uk

NISCC Vulnerability Advisory 236929 - Vulnerability Issues in TCP. The vulnerability described in this advisory affects implementations of the Transmission Control Protocol (TCP) that comply with the Internet Engineering Task Force's

tags | advisory, denial of service, tcp, protocol
advisories | CVE-2004-0230
SHA-256 | df3df0b689c29353e8bb99088ce42074ae415df606a7e58c98c4815661db4b6b

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

<title>NISCC Vulnerability Advisory 236929</title>
<style>
<!--
body { font-family: Verdana }
-->
</style>
</head>

<body bgcolor="#FFFFCC">
<div class=Section1 style="width: 100%;">
<div align="center"><img src="http://www.niscc.gov.uk/images/newtitle.gif" width="766" height="80" alt="National Infrastructure Security Co-Ordination Centre"></div>
<br>
<font size="4"><b><font color="#FF0000">NISCC Vulnerability Advisory 236929</font></b><br>
<br>
<b>Vulnerability Issues in TCP</b></font><br>
<br>
<br>

<b><font size="3">Version</font> Information</b>
<br><br>
<table border="1" width="61%">
<tr>
<td width="58%">Advisory Reference</td>
<td width="77%">236929</td>
</tr>
<tr>
<td width="58%">Release Date</td>
<td width="77%">20 April 2004</td>
</tr>
<tr>
<td width="58%">Last Revision</td>
<td width="77%">22 April 2004</td>
</tr>
<tr>
<td width="58%">Version Number</td>
<td width="77%">1.4</td>
</tr>
</table>
&nbsp;<br><br>
<b>What is Affected?</b><br>
<br>
The vulnerability described in this advisory affects implementations of the
Transmission Control Protocol (TCP) that comply with the Internet Engineering
Task Force’s (IETF’s) Requests For Comments (RFCs) for TCP, including
<a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, the
original specification, and <a href="http://www.ietf.org/rfc/rfc1323.txt">RFC 1323</a>, TCP Extensions for High Performance.<br>
<br>
TCP is a
core network protocol used in the majority of networked computer systems today.
Many vendors include support for this protocol in their products and may be
impacted to varying degrees. Furthermore any network service or application that
relies on a TCP connection will also be impacted, the severity depending
primarily on the duration of the TCP session.
<br>
<br>
<br>
<b>Severity</b><br>
<br>
The impact of this vulnerability varies by vendor and application, but in some
deployment scenarios it is rated critical. Please see the vendor section below
for further information. Alternatively contact your vendor for product specific
information.<br>
<br>
If exploited, the vulnerability could allow an attacker to create a
Denial of Service condition against existing TCP connections, resulting in
premature session termination. The resulting session termination will affect the
application layer, the nature and severity of the effects being dependent on the
application layer protocol. The primary dependency is on the duration of the TCP
connection, with a further dependency on knowledge of the network (IP) addresses
of the end points of the TCP connection.<br>
<br>
The Border Gateway Protocol (BGP) is judged to be potentially most affected
by this vulnerability.<br>
<br>
BGP relies on a persistent TCP session between BGP peers. Resetting the
connection can result in medium term unavailability due to the need to rebuild
routing tables and route flapping.&nbsp; Route flapping may result in route dampening
(suppression) if the route flaps occur frequently within a short time interval.&nbsp; The overall impact on BGP is likely to be moderate based on
the likelihood of successful attack. If the TCP MD5 Signature Option and
anti-spoofing measures are used
then the impact will be low as these measures will successfully mitigate the
vulnerability.<br>
<br>
There is a potential impact on other application protocols such as DNS (Domain
Name System) and SSL (Secure Sockets Layer) in the case of zone transfers and
ecommerce transactions respectively, but the duration of the sessions is
relatively short and the sessions can be restarted without medium term
unavailability problems. In the case of SSL it may be difficult to guess the
source IP address.<br>
<br>
Data injection may be possible. However, this has not been demonstrated and
appears to be problematic.
<br>
<br>
<br>
<b>Summary</b><br>
<br>
The issue described in this advisory is the practicability of resetting an
established TCP connection by sending suitable TCP packets with the RST (Reset)
or SYN (Synchronise) flags set.<br>
<br>
The packets need to have source and destination
IP addresses that match the established connection as well as the same source
and destination TCP ports.<br>
<br>
The fact that TCP sessions can be reset by sending
suitable RST and SYN packets is a design feature of TCP according to
<a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>,
but a reset attack is only possible at all because the source IP address and TCP
port can be forged or “spoofed”.<br>
<br>
Although denial of service using crafted TCP
packets is a well known weakness of TCP, until recently it was believed that a
successful denial of service attack was not achievable in practice. The reason
for this is that the receiving TCP implementation checks the sequence number of
the RST or SYN packet, which is a 32 bit number, giving a probability of 1/2<sup><font size="2">32</font></sup> of
guessing the sequence number correctly (assuming a random distribution).<br>
<br>
The discoverer of the practicability of the RST attack was Paul A. Watson, who
describes his research in his paper “Slipping In The Window: TCP Reset Attacks”,
presented at the CanSecWest 2004 conference. He noticed that the probability of
guessing an acceptable sequence number is much higher than 1/2<sup><font size="2">32</font></sup> because the
receiving TCP implementation will accept any sequence number in a certain range
(or “window”) of the expected sequence number. The window makes TCP reset
attacks practicable.<br>
<br>
Any application protocol which relies on long term TCP
connections and for which the source and destination IP addresses and TCP ports
are known or can be easily guessed will be vulnerable to at least denial of
service attacks.
<br>
<br>
<br>
<b>Details</b><br>
<br>
TCP is the transport layer protocol that provides connection-oriented, reliable,
in-order delivery of a byte stream over IP. To do this TCP uses a mixture of flags,
to indicate state, and sequence numbers, to identify where each segment's data
belongs in the stream so that the receiver can reassemble it in order.<br>
<br>
TCP also carries a number, called an acknowledgement number, that tells the peer the
sequence number of the next byte expected. The receiving TCP implementation accepts
an incoming segment only if its sequence number falls within a range (the receive
"window") that begins at the sequence number it expects next, which is the value it
sends as its own acknowledgement number. The acknowledgement number of a RST segment
is not used: in the synchronized states RFC 793 validates a RST by its sequence
number alone, whether or not the ACK flag is set, so an attacker does not need to
know it. (For completeness: a RST generated in response to a segment that has no ACK
flag, such as a SYN to a closed port, carries the ACK flag and an acknowledgement
number, while a RST sent in response to a segment that does have the ACK flag set, or
to abort an existing connection, does not.)<br>
<br>
<a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p36, states the following:<br>
<br>
"In all states except SYN-SENT, all reset (RST) segments are validated by
checking their SEQ-fields [sequence numbers]. A reset is valid if its sequence
number is in the window. In the SYN-SENT state (a RST received in response to an
initial SYN), the RST is acceptable if the ACK field acknowledges the SYN."<br>
<br>
Resets must be processed immediately.
<a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p25, says "[…] [E]ven when the
receive window is zero, a TCP must process the RST and URG fields of all
incoming segments."<br>
<br>
It is also possible to perform the same attack with SYN (synchronise) packets.
An established connection will abort by sending a RST if it receives a duplicate
SYN packet with initial sequence number within the TCP window.
<a href="http://www.ietf.org/rfc/rfc0793.txt">RFC 793</a>, p31
states:<br>
<br>
“The principle reason for the three-way handshake is to prevent old duplicate
connection initiations from causing confusion. To deal with this, a special
control message, reset, has been devised. […] If the TCP is in one of the
synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING,
LAST-ACK, TIME-WAIT), it aborts the connection and informs its user.”<br>
<br>
Each end of a TCP connection advertises its receive window in every segment it
sends; the window scale option of RFC 1323, exchanged in the initial 3-way handshake,
allows windows larger than 65,535 bytes, which improves throughput on paths with a
high bandwidth-delay product. Vendor-chosen defaults also influence the size in use.
In any case, the larger the window, the greater is the probability that a randomly
chosen TCP sequence number will lie within it: an attacker who sends RST segments
with sequence numbers spaced one window apart is certain to land inside the window
within about 2<sup><font size="2">32</font></sup>/window attempts, rather than the
2<sup><font size="2">32</font></sup> needed for an exact guess. This is the basis
for the attack.<br>
<br>
A TCP connection is defined by a 4-tuple comprising source and destination IP
addresses, and source and destination ports. An attacker seeking to disrupt an
existing TCP connection must supply the 4-tuple correctly. As the source port
varies, additional work is generally called for on the part of the attacker.
However, research (referenced below) has shown that the process of source port
selection on many platforms includes predictable elements, so that the attack
remains practicable. By weighting 'likely' source port values carefully, an
attacker can disrupt TCP implementations that employ a range of window sizes.<br>
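<p>The arithmetic behind the two preceding paragraphs, worked through as an added example that is not part of the advisory: the receiver's RFC 793 in-window test for a RST, the attacker's sweep of the sequence space in steps of one window, and the multiplier that comes from having to guess the source port as well. The window sizes, the number of candidate source ports and the packet rate are constructed figures chosen for illustration, not measurements.</p>

```python
"""Cost of a blind TCP reset against a receiver that follows RFC 793.

Added example (not from the advisory). Models the receiver's RST check, the
attacker's window-spaced sweep of the sequence space, and the effect of also
having to guess the source port. All numeric inputs are constructed.
"""
import math

SEQ_SPACE = 1 << 32  # sequence numbers are 32-bit and wrap around


def in_window(rcv_nxt, rcv_wnd, seg_seq):
    """RFC 793 acceptability test for a zero-length segment such as a RST:
    RCV.NXT =< SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def sweep(window):
    """Sequence numbers the attacker tries: every multiple of the window size.
    Any half-open interval of length `window` contains exactly one multiple of
    `window`, so one of these always lands inside the receiver's window."""
    if not 0 < window <= SEQ_SPACE:
        raise ValueError("window must be between 1 and 2^32")
    return range(0, SEQ_SPACE, window)


def segments_to_cover(window):
    """Worst-case RSTs needed per 4-tuple: ceil(2^32 / window)."""
    return math.ceil(SEQ_SPACE / window)


def segments_until_reset(rcv_nxt, window):
    """Simulate the sweep against a receiver whose window starts at rcv_nxt
    and return how many RSTs were sent before one was accepted."""
    for count, seq in enumerate(sweep(window), start=1):
        if in_window(rcv_nxt, window, seq):
            return count
    raise AssertionError("the sweep covers the whole space")  # unreachable


def attack_cost(window, port_candidates, pps):
    """Worst-case (segments, seconds) when the attacker knows both addresses and
    the well-known destination port but must try `port_candidates` source ports,
    sending `pps` spoofed RSTs per second."""
    segments = segments_to_cover(window) * port_candidates
    return segments, segments / pps


if __name__ == "__main__":
    # Constructed comparison: a 16 KB window versus a 64 KB window, each with
    # 200 plausible ephemeral source ports, at 10,000 spoofed packets per second.
    for window in (16384, 65535):
        segs, secs = attack_cost(window, port_candidates=200, pps=10_000)
        print(f"window={window:>5}: {segments_to_cover(window):>7} RSTs per port, "
              f"{segs:>9} in total, about {secs:.0f} s at 10k pps")
```

<p>The point to take from the simulation is that the cost is linear in 2<sup>32</sup>/window, not in 2<sup>32</sup>: doubling the receive window halves the number of spoofed segments, and every extra candidate source port the attacker must consider multiplies the total, which is why both a smaller window and an unpredictable source port raise the bar.</p>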
<br>
Application layer protocols that are critically affected are those that:<br>
<br>
<table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6">
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="96%">Depend on long lived TCP connections</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="96%">Have known or easy-to-guess IP address end points</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="96%">Have an easy-to-guess source TCP port</td>
</tr>
</table>
<p>As noted above BGP does use long lived TCP connections, and the peer IP addresses and
TCP ports (one end uses the well-known BGP port, 179, so only the other end's
ephemeral port needs to be found) are sometimes available through BGP looking glasses
(web front ends that run router commands such as “show ip bgp neighbors” on behalf of
the public) or DNS resource records. Using “trace route” commands can provide
information on peering point IP addresses. Thus BGP is likely to be critically
affected by the TCP vulnerability.<br>
<br>
These denial of service attacks can be carried out by a single machine, or by
multiple co-operating systems (to form a distributed denial of service attack).<br>
<br>
It is also possible to inject data, which will be processed if its sequence number
is in the window. The difficulty with data injection attacks is that the receiving
TCP implementation reassembles the stream according to sequence number, dropping any
data that duplicates bytes it has already received, so injected data competes with
the legitimate sender's data for the same sequence space and the result seen by the
application is hard to control.<br>
<br>
<br>
Vendor specific information will be released as it becomes available and if vendor permission has been received. Subscribers are advised to check the following URL regularly for updates:<br>
<br>
<a href="http://www.uniras.gov.uk/vuls/2004/236929/index.htm">http://www.uniras.gov.uk/vuls/2004/236929/index.htm</a><br>
<br>
<i>[Please note that updates to this advisory will not be notified by email.]</i><br>
<br>
This vulnerability has been assigned the <a href="http://cve.mitre.org/cve">CVE</a>
name
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230">CAN-2004-0230</a>.<br>
<br>
The <a href="http://www.osvdb.org">Open Source Vulnerability Database</a> ID
number for this vulnerability is
<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=4030">4030</a>.<br>
<br>
<br>
<b>Mitigation</b><br>
<br>
The following mitigation steps are still being evaluated and may be incomplete.
Customers should work with vendors for the workaround most appropriate for the
product in question.<br>
<br>
In the absence of vendor patching of the TCP implementation, the following are
general mitigating steps:<br>
<br>
<table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber4">
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="97%">Implement IP Security (IPSEC) between the end points, which authenticates
traffic at the network layer (and, with ESP, encrypts it), so that TCP header information
is not visible and segments that were not sent by the peer are discarded</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="97%">Reduce the TCP window size (although this could increase
traffic loss and subsequent retransmission)</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="97%">Do not publish TCP source port information</td>
</tr>
</table>
<p>It should be noted that IPSEC provides confidentiality and authentication
services at the network layer, and can provide a measure of trust in the
authenticity of the end points as well as encryption of traffic between the end
points.&nbsp; In the context of the current attack the important property is that
IPSEC will reject RST and SYN packets that are not part of an authenticated IP packet
stream.<br>
<br>
To change the TCP window size, on some Unix variants the default receive window can be
set with the “sysctl” program (“ndd -set” in the case of Sun Solaris). On Microsoft
Windows NT/2000/XP/2003 the default window size is governed by the TcpWindowSize value
under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
registry key. As noted above, great care should be exercised when altering the default
TCP window size as network performance could be adversely affected.<br>
<br>
In the case of BGP, the following may counter the problem:<br>
<br>
<table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber5">
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="96%">Implement ingress and egress filtering to check that the
traffic entering or leaving the network has a source IP address that is
expected on the router/firewall interface that receives the traffic</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="96%">Implement the TCP MD5 Signature Option to checksum the TCP
packet carrying the BGP application data (see <a href="http://www.ietf.org/rfc/rfc2385.txt">RFC 2385</a>),
being careful to set and maintain strong (i.e. difficult to guess) passwords to
which the MD5 checksum is applied.&nbsp; Also see
<a href="http://www.ietf.org/rfc/rfc3562.txt">RFC 3562</a> which discusses
the security requirements of this keying material.</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="96%">Limit the amount of information available through looking
glasses and DNS resource records, being careful not to expose TCP port
information unnecessarily</td>
</tr>
</table>
<p>
The IETF ingress filtering standard is defined in
<a href="http://www.ietf.org/rfc/rfc2827.txt">RFC 2827</a>.
A discussion of egress filtering can be found at
<a href="http://www.sans.org/y2k/egress.htm">http://www.sans.org/y2k/egress.htm</a>.<br>
<br>
The use of the TCP MD5 Signature Option will prevent the exploitation of this
vulnerability. Router customers should implement this on all BGP peering points
if it is supported by the router, upgrading the router firmware if necessary.<br>
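<p>What the TCP MD5 Signature Option actually covers, shown as an added example that is not the advisory's or any router vendor's code: the RFC 2385 digest is computed over the IP pseudo-header, the fixed TCP header with a zero checksum, the segment data and the shared key, and carried in TCP option kind 19. Because both addresses, both ports, the sequence number and the flags are all under the digest, a spoofed RST or SYN from a host that does not hold the key is discarded before the sequence-number check is ever reached. The addresses, ports, sequence numbers and key below are constructed for illustration.</p>

```python
"""RFC 2385 TCP MD5 Signature Option: sign and verify a segment.

Added example; not code from the advisory or any vendor. Builds a TCP segment
carrying option kind 19, then verifies a genuine segment, a spoofed RST signed
with the wrong key, and a genuine segment whose sequence number was altered.
Addresses, ports, sequence numbers and the key are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19       # option kind
TCPOLEN_MD5SIG = 18      # kind + length + 16-byte digest
OPTIONS_LEN = 20         # the option plus two NOPs keeps the header 32-bit aligned
FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10


def pseudo_header(src_ip, dst_ip, tcp_len):
    """Source address, destination address, zero, protocol 6, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def md5_signature(src_ip, dst_ip, fixed_header, data, key, tcp_len):
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte TCP header
    with checksum zero (options excluded), the segment data and the key."""
    h = hashlib.md5()
    for part in (pseudo_header(src_ip, dst_ip, tcp_len), fixed_header, data, key):
        h.update(part)
    return h.digest()


def build_segment(src_ip, sport, dst_ip, dport, seq, ack, flags, window, data, key):
    """Wire bytes of a signed segment. The checksum is left at zero here; a
    real stack fills it in after signing, and verification zeroes it again."""
    data_offset = (20 + OPTIONS_LEN) // 4                       # 10 words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    tcp_len = 20 + OPTIONS_LEN + len(data)
    digest = md5_signature(src_ip, dst_ip, fixed, data, key, tcp_len)
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + b"\x01\x01"
    return fixed + options + data


def find_md5_option(options):
    """Walk the option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                   # end of options
            break
        if kind == 1:                                   # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                                 # malformed length
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Recompute the digest over a received segment and compare in constant
    time. With a key configured, a segment that carries no signature fails."""
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    received = find_md5_option(segment[20:header_len])
    if received is None:
        return False
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]        # zero checksum
    expected = md5_signature(src_ip, dst_ip, fixed, segment[header_len:],
                             key, len(segment))
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed BGP-style exchange between 192.0.2.1:179 and 192.0.2.2:52233."""
    key = b"constructed-example-key"
    a, b = "192.0.2.1", "192.0.2.2"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"                 # BGP KEEPALIVE
    genuine = build_segment(a, 179, b, 52233, 1_000_000, 5_000_000,
                            FLAG_PSH | FLAG_ACK, 16384, keepalive, key)
    spoofed_rst = build_segment(a, 179, b, 52233, 1_000_000, 0,
                                FLAG_RST, 0, b"", b"attacker-guessed-key")
    tampered = genuine[:4] + struct.pack("!I", 1_000_001) + genuine[8:]
    return {
        "genuine": verify_segment(a, b, genuine, key),
        "spoofed_rst": verify_segment(a, b, spoofed_rst, key),
        "tampered_seq": verify_segment(a, b, tampered, key),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'spoofed_rst': False, 'tampered_seq': False}
```

<p>Note that the key is appended as plain MD5 input rather than used in an HMAC construction; that is what RFC 2385 specifies and it is one reason RFC 3562 insists on strong, regularly changed keys. It is also why the option only defeats forgery, not eavesdropping: the digest is in the clear, and an attacker on the path still sees sequence numbers and ports.</p>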
<br>
<br>
<b>Solution</b><br>
<br>
Please refer to the Vendor Information section of this advisory for
implementation specific remediation.<br>
<br>
Some vendors will have reduced the likelihood of a successful denial of service by
amending the TCP implementation so that a RST or SYN whose sequence number lies within
the window but is not exactly the expected sequence number no longer aborts the
connection; instead the receiver replies with an acknowledgement (a “challenge ACK”).
A genuine peer that really has lost its connection state answers the challenge with a
RST carrying exactly the expected sequence number, which is honoured, whereas a blind
attacker never sees the challenge and is left guessing the single correct value out of
2<sup><font size="2">32</font></sup>.<br>
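<p>The two policies side by side, as an added example that is not the advisory's or any vendor's code: the RFC 793 rule under which any in-window RST or SYN aborts the connection, the challenge-ACK rule described in draft-ietf-tcpm-tcpsecure (published later as RFC 5961), and the exchange by which a genuine peer that has rebooted still gets the stale connection torn down. The sequence numbers and window are constructed, and the challenge-ACK behaviour is modelled from the rule as described rather than taken from any particular implementation.</p>

```python
"""RST and SYN handling in a synchronized TCP state: RFC 793 versus challenge ACK.

Added example, not code from the advisory or any vendor. The challenge-ACK
rule follows draft-ietf-tcpm-tcpsecure (published later as RFC 5961); the
sequence numbers and window are constructed.
"""
from dataclasses import dataclass

SEQ_SPACE = 1 << 32


def in_window(rcv_nxt, rcv_wnd, seg_seq):
    """RCV.NXT =< SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Receiver:
    rcv_nxt: int    # next sequence number expected from the peer
    rcv_wnd: int    # receive window we advertise
    snd_nxt: int    # our own next sequence number (goes into the challenge ACK)
    policy: str     # "rfc793" or "tcpsecure"

    def on_rst(self, seg_seq):
        """Action taken on an incoming RST."""
        if self.policy == "rfc793":
            return "abort" if in_window(self.rcv_nxt, self.rcv_wnd, seg_seq) else "drop"
        if seg_seq == self.rcv_nxt:
            return "abort"              # exact match: honour the reset
        if in_window(self.rcv_nxt, self.rcv_wnd, seg_seq):
            return "challenge-ack"      # in window but inexact: ask the peer instead
        return "drop"

    def on_syn(self, seg_seq):
        """Action taken on a SYN that arrives while the connection is established."""
        if self.policy == "rfc793":
            return "abort" if in_window(self.rcv_nxt, self.rcv_wnd, seg_seq) else "drop"
        return "challenge-ack"          # never abort on a bare SYN; ACK it and drop it

    def challenge_ack(self):
        """The ACK returned to the claimed peer: <SEQ=SND.NXT><ACK=RCV.NXT>."""
        return {"seq": self.snd_nxt, "ack": self.rcv_nxt}


def syn_sent_peer_on_ack(iss, seg_ack):
    """RFC 793 SYN-SENT processing of an ACK: unless it acknowledges our SYN
    (ISS < SEG.ACK =< SND.NXT), answer with <SEQ=SEG.ACK><CTL=RST>.
    Returns the sequence number of that RST, or None if the ACK was acceptable."""
    if (seg_ack - iss) % SEQ_SPACE == 1:
        return None
    return seg_ack


def restarted_peer_recovery(policy):
    """Our peer rebooted and opens a fresh connection with a new ISN while we
    are still ESTABLISHED. Trace the segments exchanged under each policy."""
    us = Receiver(rcv_nxt=2_000_000, rcv_wnd=65535, snd_nxt=900_000, policy=policy)
    peer_iss = 2_010_000                            # constructed: inside our window
    trace = [("peer->us", "SYN", us.on_syn(peer_iss))]
    if trace[-1][2] == "challenge-ack":
        ack = us.challenge_ack()["ack"]
        trace.append(("us->peer", "ACK", ack))
        rst_seq = syn_sent_peer_on_ack(peer_iss, ack)   # peer replies with exactly RCV.NXT
        trace.append(("peer->us", "RST", us.on_rst(rst_seq)))
    return trace


def blind_attacker_rst(policy, guessed_seq):
    """A spoofed RST from an attacker who cannot see the challenge ACK."""
    us = Receiver(rcv_nxt=2_000_000, rcv_wnd=65535, snd_nxt=900_000, policy=policy)
    return us.on_rst(guessed_seq)


if __name__ == "__main__":
    for policy in ("rfc793", "tcpsecure"):
        print(policy, "peer restart:", restarted_peer_recovery(policy))
        print(policy, "in-window guess:", blind_attacker_rst(policy, 2_040_000))
```

<p>The trace shows why the mitigation costs a legitimate peer only one extra round trip: the restarted peer, in SYN-SENT, receives an ACK that does not acknowledge its SYN and, following RFC 793, answers with a RST whose sequence number is the acknowledgement it was sent, which is exactly the value the receiver demands. The spoofing attacker, by contrast, never receives that ACK, so the window no longer helps.</p>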
<br>
<a href="http://www.ietf.org">The Internet Engineering Task Force</a> (IETF) has
published an Internet Draft to coincide
with the release of this advisory.&nbsp;
The text of this draft is available from
the IETF web site:<br>
<a href="http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt">http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt</a><br>
<br>
NISCC has produced best practice guidelines for BGP available at<br>
<a href="http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf">http://www.niscc.gov.uk/BGP Filtering Guide.pdf</a><br>
<br>
Secure configuration templates for BGP implementations on Cisco IOS and Juniper JUNOS can be found at:<br>
<br>
<table border="0" cellpadding="4" cellspacing="1" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber2">
<tr>
<td width="3%">• </td>
<td width="11%">Cisco
</td>
<td width="99%"><a href="http://www.cymru.com/Documents/secure-bgp-template.html">http://www.cymru.com/Documents/secure-bgp-template.html
</a></td>
</tr>
<tr>
<td width="3%">• </td>
<td width="11%">Juniper </td>
<td width="99%">
<a href="http://www.qorbit.net/documents/junos-bgp-template.pdf">http://www.qorbit.net/documents/junos-bgp-template.pdf
</a>
</td>
</tr>
</table>
<p>
Guidance on tuning of the IP stack for a number of different UNIX operating systems is available at
<a href="http://www.cymru.com/Documents/ip-stack-tuning.html">http://www.cymru.com/Documents/ip-stack-tuning.html
</a>
<br>
<br>
<br>

<B>Vendor Information</B>
<br>
<br>
The following vendors have provided information about how their products are affected
by these vulnerabilities.<br>
<br>
<i><font size="2">Please note that <a href="http://www.jpcert.or.jp">JPCERT/CC</a> have released a Japanese language advisory for this vulnerability
which contains additional information regarding Japanese vendors. This advisory is available at
<a href="http://www.jpcert.or.jp/at/2004/at040003.txt">http://www.jpcert.or.jp/at/2004/at040003.txt</a>.</font></i><br>
<br>
</p>
</p>
</p>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
<tr>
<td width="33%"><font size="2"><a href="#certicom">Certicom</a></font></td>
<td width="33%"><font size="2"><a href="#iij">Internet Initiative Japan, Inc</a></font></td>
<td width="34%"><font size="2"><a href="#nec">NEC</a></font></td>
</tr>
<tr>
<td width="33%"><font size="2"><a href="#checkpoint">Check Point</a></font></td>
<td width="33%"><font size="2"><a href="#interniche">InterNiche</a></font></td>
<td width="34%"><font size="2"><a href="#nortel">Nortel</a></font></td>
</tr>
<tr>
<td width="33%"><font size="2"><a href="#cisco">Cisco</a></font></td>
<td width="33%"><font size="2"><a href="#juniper">Juniper Networks</a></font></td>
<td width="34%"><font size="2"><a href="#polycom">Polycom</a></font></td>
</tr>
<tr>
<td width="33%"><font size="2"><a href="#cray">Cray Inc</a></font></td>
<td width="33%"><font size="2"><a href="#lucent">Lucent Technologies</a></font></td>
<td width="34%"><font size="2"><a href="#seccomp">Secure Computing Corporation</a></font></td>
</tr>
<tr>
<td width="33%"><font size="2"><a href="#hitachi">Hitachi</a></font></td>
<td width="33%"><font size="2"><a href="#mitel">Mitel Networks</a></font></td>
<td width="34%"><font size="2"><a href="#yamaha">Yamaha</a></font></td>
</tr>
<tr>
<td width="33%"><font size="2"><a href="#innovaphone">Innovaphone</a></font></td>
<td width="33%"><font size="2"><a href="#mrlg">MRLG</a></font></td>
<td width="34%">&nbsp;</td>
</tr>
</table>
</p>

<br>
<table border="0" width="100%" cellpadding="8" cellspacing="0">

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="certicom"></a>Certicom</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
Certicom has examined the National Infrastructure Security Coordination
Centre (NISCC) advisory and determined it is not vulnerable.<br>
<br>Certicom
Developer Toolkits for SSL (SSL Plus, SSL Plus for Java, Security Builder
SSL-C and Security Builder SSL-J) do not provide a TCP/IP transport
mechanism, but rather utilize the supported operating system's TCP/IP stack.
The vulnerability is against the TCP/IP stack itself, and not directly
against the functionality offered by Certicom toolkits. Therefore, there is
no patch or workaround that can be implemented within Certicom products. The
patch or workaround must be provided by the operating system vendor.<br>
<br>
Customers are urged to contact their operating system vendors to determine
if they have provided a workaround to this advisory. If you have any further
questions please do not hesitate to contact
<a href="mailto:support@certicom.com">support@certicom.com</a>.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf"><u><a name="checkpoint"></a>
Check Point</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">The latest release for VPN-1/FireWall-1
(R55 HFA-03) contains a protection against this vulnerability.&nbsp; The
protection applies to both the firewall device and to hosts behind the
firewall.<br>
<br>
Please refer to the Check Point web site for further information at:<br>
<a HREF="http://www.checkpoint.com/techsupport/alerts/tcp_dos.html">
http://www.checkpoint.com/techsupport/alerts/tcp_dos.html</a>.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="cisco"></a>Cisco</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
Cisco Systems is addressing the vulnerabilities identified by NISCC
Vulnerability Advisory 236929 across its entire product line.&nbsp; Cisco
has released two related advisories:<br>
<br>
TCP Vulnerabilities in Multiple IOS-Based Cisco Products<br>
<a href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml</a><br>
<br>
TCP Vulnerabilities in Multiple Non-IOS Cisco Products<br>
<a href="http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml">http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml</a></td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf">
<u><a name="cray"></a>Cray Inc</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">Cray Inc. is vulnerable on their UNICOS,
UNICOS/mk and UNICOS/mp systems.&nbsp; Spr's have been opened to track this
issue.&nbsp; Please contact your local Cray Service Representative for more
information.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="hitachi"></a>Hitachi</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
Hitachi is investigating the potential impact to Hitachi's products.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf">
<u><a name="innovaphone"></a>Innovaphone</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">
Not vulnerable.</td>
</tr>
<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="iij"></a>Internet Initiative Japan, Inc (IIJ)</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
IIJ will release a new firmware to fix this vulnerability.&nbsp; Details are
available on their web site at
<a href="http://www.seil.jp/en/ann/announce_en_20040421_01.txt">
http://www.seil.jp/en/ann/announce_en_20040421_01.txt</a>.</td>
</tr>
<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf">
<u><a name="interniche"></a>InterNiche</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">=== NicheStack v2.0 TCP/IP ===<br>
<br>
InterNiche Technologies has updated its
NicheStack v2.0 TCP/IP product to handle the scenarios described in NISCC
Vulnerability Notice #236929.&nbsp;
The patch is available to all InterNiche customers in accordance with the
terms of their current support agreements.<br>
<br>
More information can be found on <a href="http://www.iNiche.com">www.iNiche.com</a> or through
<a href="mailto:support@iNiche.com">support@iNiche.com</a>
<br><br><br>
=== NicheLite v2.0 TCP/IP ===<br>
<br>
InterNiche Technologies has updated its
NicheLite v2.0 TCP/IP product to handle the scenarios described in NISCC
Vulnerability Notice #236929.&nbsp;
The patch is available to all InterNiche customers in accordance with the
terms of their current support agreements. <br>
<br>
More information can be found on <a href="http://www.iNiche.com">www.iNiche.com</a> or through
<a href="mailto:support@iNiche.com">support@iNiche.com</a> </td>
</tr>
<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="juniper"></a>
Juniper Networks</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
Juniper Networks products are susceptible to this vulnerability. Software is
available that implements several mechanisms to mitigate the associated risks. Customers
should contact Juniper Networks Technical Assistance Center for availability and
download instructions.<br>
<br>Additional information is posted on our web site at
<a href="https://www.juniper.net/support">https://www.juniper.net/support</a>. </td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf">
<u><a name="lucent"></a>Lucent Technologies</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">Lucent Technologies is aware of this
vulnerability advisory and is investigating any potential impact to its
product portfolio. As further information becomes available, Lucent will
provide information directly to its customers, if appropriate.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="mitel"></a>Mitel Networks</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
Mitel is aware of the vulnerability and is
working with the vendors of our underlying networking software to assess the
impact and, if necessary, determine potential solutions. When more
information becomes available, an advisory will be issued. Please contact '<a href="mailto:security@mitel.com">security@mitel.com</a>'
if you have specific questions.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf">
<u><a name="mrlg"></a>MRLG</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">A new version of the Multi-Router Looking Glass tool (4.3.0) has been released.&nbsp;
This includes a patch that prevents a remote user from utilising the "sh ip
bgp neighbors" functionality.&nbsp; This new version is available from
<a href="ftp://ftp.enterzone.net/looking-glass/CURRENT/">
ftp://ftp.enterzone.net/looking-glass/CURRENT/</a>. </td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="nec"></a>NEC</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
NEC is aware of this vulnerability and is trying to determine potential
impacts on our products.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf">
<u><a name="nortel"></a>Nortel Networks</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">Nortel Networks has evaluated this issue and testing has confirmed that it
is possible to successfully exploit this vulnerability. However, the
preconditions for a successful exploitation require levels of access to the
network that are unlikely to be achieved in a normal network operating
environment; furthermore, such levels of access would enable other forms of
attack with much greater impact than that achievable by exploiting this
vulnerability.<br>
<br>
Nortel Networks is continuing to validate that this
vulnerability has no serious consequences for Nortel equipment, and will
update this statement periodically.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="polycom"></a>Polycom</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
Polycom has investigated the potential
impact to our products for NISCC Advisory 236929.<br>
<br>
Specific product information will be provided at
<a HREF="http://www.polycom.com/securitycenter">
http://www.polycom.com/securitycenter</a>.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFaf">
<u><a name="seccomp"></a>Secure Computing Corporation</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFaf">&nbsp;</td>
<td width="97%" bgcolor="#FFFFaf">The Sidewinder and Sidewinder G2 firewalls offer protection against this
attack at all releases. As application-layer firewalls, Sidewinder and
Sidewinder G2 offer protection to systems behind the firewall as well as
protecting management connections to the firewall.</td>
</tr>

<tr>
<td width="100%" colspan="2" bgcolor="#FFFFbe">
<u><a name="yamaha"></a>Yamaha</u></td>
</tr>
<tr>
<td width="3%" bgcolor="#FFFFbe">
&nbsp;</td>
<td width="97%" bgcolor="#FFFFbe">
Pending.</td>
</tr>

</table>
<br>
<br>
<b>Acknowledgements</b><br>
<br>
NISCC wishes to thank the following:<br>
<br>
<table border="0" cellpadding="6" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber3">
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="97%">Steve Bellovin, Rob Thomas and Paul Watson for their
contributions to this advisory.</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="97%">Cisco Systems Inc. and Juniper Networks Inc. for their help
with the content of this advisory and for their support during the
disclosure process.</td>
</tr>
<tr>
<td width="3%" align="left" valign="top">• </td>
<td width="97%">JPCERT/CC for their assistance in co-ordinating this disclosure
in Japan.</td>
</tr>
</table>
<br>
<br>
<b>References</b>
<br>
<table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber7">
<tr>
<td width="2%">&nbsp;</td>
<td width="98%" colspan="3"><b>Internet Engineering Task Force</b></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">RFC 793 Transmission Control Protocol</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%"><a href="http://www.ietf.org/rfc/rfc793.txt">
http://www.ietf.org/rfc/rfc793.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">RFC 1323 TCP Extensions for High Performance</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%"><a href="http://www.ietf.org/rfc/rfc1323.txt">
http://www.ietf.org/rfc/rfc1323.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">RFC 1771 A Border Gateway Protocol 4 (BGP-4)</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%"><a href="http://www.ietf.org/rfc/rfc1771.txt">
http://www.ietf.org/rfc/rfc1771.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">RFC 2385 Protection of BGP Sessions via the TCP
MD5 Signature Option</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%"><a href="http://www.ietf.org/rfc/rfc2385.txt">
http://www.ietf.org/rfc/rfc2385.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">RFC 2827 Network Ingress Filtering</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%"><a href="http://www.ietf.org/rfc/rfc2827.txt">
http://www.ietf.org/rfc/rfc2827.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">RFC 3562 Considerations for the TCP MD5
Signature Option</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%"><a href="http://www.ietf.org/rfc/rfc3562.txt">
http://www.ietf.org/rfc/rfc3562.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">RFC 3682 Generalized TTL Security Mechanism</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%"><a href="http://www.ietf.org/rfc/rfc3682.txt">
http://www.ietf.org/rfc/rfc3682.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">Internet Draft - Transmission Control Protocol
security considerations</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%">
<a href="http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt">
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="98%" colspan="3"><b>NISCC</b></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">Best Practice Guidelines - Border Gateway
Protocol</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%">
<a href="http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf">
http://www.niscc.gov.uk/BGP Filtering Guide.pdf</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="98%" colspan="3"><b>Configuration and Tuning Guides</b></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">Secure BGP Template for Cisco IOS</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%">
<a href="http://www.cymru.com/Documents/secure-bgp-template.html">
http://www.cymru.com/Documents/secure-bgp-template.html</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">JUNOS Secure BGP Template</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%">
<a href="http://www.qorbit.net/documents/junos-bgp-template.pdf">
http://www.qorbit.net/documents/junos-bgp-template.pdf</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">UNIX IP Stack Tuning Guide</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%">
<a href="http://www.cymru.com/Documents/ip-stack-tuning.html">
http://www.cymru.com/Documents/ip-stack-tuning.html</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="98%" colspan="3"><b>Other Documents</b></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">SANS discussion on egress filtering</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%"><a href="http://www.sans.org/y2k/egress.htm">
http://www.sans.org/y2k/egress.htm</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="98%" colspan="3"><b>Vulnerability Databases</b></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">Common Vulnerabilities and Exposures (CVE)</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%">
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230">
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230</a></td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="96%" colspan="2">Open Source Vulnerability Database (OSVDB)</td>
</tr>
<tr>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="2%">&nbsp;</td>
<td width="94%">
<a href="http://www.osvdb.org/displayvuln.php?osvdb_id=4030">
http://www.osvdb.org/displayvuln.php?osvdb_id=4030</a></td>
</tr>
</table>
<p>
<br>
<br>
<b>Contact Information</b><br>
<br>
The NISCC Vulnerability Management Team can be contacted as follows:<br>
</p>

<table border="1" width="87%" cellspacing="3" cellpadding="5">
<tr>
<td width="30%" valign="top">Email</td>
<td width="70%"><a href="mailto:vulteam@niscc.gov.uk">vulteam@niscc.gov.uk</a>
<br><i>(Please quote the advisory reference in the subject line.)</i></td>
</tr>
<tr>
<td width="30%" valign="top">Telephone</td>
<td width="70%"> +44 (0)20 7821 1330 Extension 4511
<br><i>(Monday to Friday 08:30 - 17:00)</i></td>
</tr>
<tr>
<td width="30%" valign="top">Fax</td>
<td width="70%"> +44 (0)20 7821 1686</td>
</tr>
<tr>
<td width="30%" valign="top">Post</td>
<td width="70%"> Vulnerability Management Team<br>
NISCC<br>
PO Box 832<br>
London<br>
SW1P 1BG</td>
</tr>
</table>

<br>
We encourage those who wish to communicate via email to make use of our PGP key. This is available from <a href="http://www.uniras.gov.uk/UNIRAS.asc">http://www.uniras.gov.uk/UNIRAS.asc</a>.<br>
<br>
Please note that UK government protectively marked material should not be sent to the email address above.<br>
<br>
If you wish to be added to our email distribution list, please email your request to <a href="mailto:uniras@niscc.gov.uk">uniras@niscc.gov.uk</a>.<br>



<br>
<br>
<b>
What is NISCC?</b><br>
<br>
For further information regarding the UK National Infrastructure Security Co-Ordination Centre, please visit the NISCC web site at:
<br>
<a href="http://www.niscc.gov.uk/aboutniscc/index.htm">http://www.niscc.gov.uk/aboutniscc/index.htm</a><br>
<br>
Reference to any specific commercial product, process or service by trade name, trademark, manufacturer or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising
or product endorsement purposes.<br>
<br>
Neither shall NISCC accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.<br>
<br>
© 2004 Crown Copyright<br>
<br>
Revision History<br>
<br>
<table border="0" width="100%">
<tr>
<td width="23%">
<font size="2">April 20, 2004:</font></td>
<td width="77%">
<font size="2">Initial release (1.0)</font></td>
</tr>

<tr>
<td width="23%">
<font size="2">April 21, 2004:</font></td>
<td width="77%">
<font size="2">Corrected hyperlinks (1.1)</font></td>
</tr>

<tr>
<td width="23%">
&nbsp;</td>
<td width="77%">
<font size="2">Inserted impact statement for Cisco (1.1)</font></td>
</tr>

<tr>
<td width="23%">
&nbsp;</td>
<td width="77%">
<font size="2">Inserted impact statement for Mitel (1.1)</font></td>
</tr>

<tr>
<td width="23%">
&nbsp;</td>
<td width="77%">
<font size="2">Inserted MRLG patch reference (1.2)</font></td>
</tr>

<tr>
<td width="23%">
<font size="2">April 22, 2004:</font></td>
<td width="77%">
<font size="2">Revised impact statement for Certicom (1.3)</font></td>
</tr>

<tr>
<td width="23%">
&nbsp;</td>
<td width="77%">
<font size="2">Inserted impact statement for Nortel Networks (1.3)</font></td>
</tr>

<tr>
<td width="23%">
&nbsp;</td>
<td width="77%">
<font size="2">Inserted impact statement for Secure Computing Corporation (1.3)</font></td>
</tr>

<tr>
<td width="23%">
&nbsp;</td>
<td width="77%">
<font size="2">Inserted references section (1.4)</font></td>
</tr>

<tr>
<td width="23%">
&nbsp;</td>
<td width="77%">
<font size="2">Inserted impact statement for Lucent Technologies (1.4)</font></td>
</tr>

</table>



<br>
&lt;End of NISCC Vulnerability Advisory&gt;<br>
</div>
</body>

</html>