-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetGear RP114 TCP SYN Flooding Denial of Service scip AG Vulnerability (12/12/2005) I. INTRODUCTION NetGear is a popular manufacturer for network devices. Especially their SOHO and appliance boxes are widely in private use. One of the user products is RP114, a hub device with additional routing, packet and simple content filtering functionality. More Information are available at the official NetGear web site: http://www.netgear.com II. DESCRIPTION Marc Ruef found an old fashioned denial of service flaw in this device. By starting a transit TCP SYN flooding the routing between the internal and the external interface is not possible anymore. An attacker can use this to prevent legitimate users from accessing connected networks (e.g. the WAN/Internet). Other devices by NetGear (e.g. routers and wlan access points) may be also affected. III. EXPLOITATION Running TCP SYN flooding is very simple and can be realized by a large variety of public attack tools. But it is also possible to initialize such an attack my misusing a port scanning utility. Starting a scan with nmap by Fyodor with the following command is able to reproduce the denial of service: nmap -PS80 192.168.0.0/24 It does not matter how many target ports or hosts are defined. It is just important to open approx. more than 740 persistant and half-open connections. It is also required to scan something on the other interface of the device than the attacker is connected to (e.g. scanning an external host by sitting on the internal interface and vice versa). IV. IMPACT After a successfull attack no further routing between the networks is possible anymore. This makes it impossible for legitimate users to connect to the Internet or another network segment. During this time direct connections to the affected device remains possible (e.g. connection to the web interface or ping). Just a reboot of the device can restore the productive status immediately. Or you have to wait approx. 2 minutes for the device to flush all half-open connections and return to full operational status. V. DETECTION The detection of this attack is not possible on the device itself. But further security devices (e.g. dedicated firewalls or intrusion detection systems) are able to detect this kind of classical attack. VI. WORKAROUND Do not plug the RP114 in not-trusted networks where the inter-connection requires a high availability. In this case move to more professional hardware that is able to handle a large amount of persistant connections adequately. VII. VENDOR RESPONSE No response from NetGear came back. Due the fact the affected device RP114 is not listed on the web site anymore and the last firmware is dated back to 2002, no firmware update could be expected. VIII. SOURCES scip AG Vulnerability Database (german) http://www.scip.ch/cgi-bin/smss/showadvf.pl scip monthly Security Summary (german) http://www.scip.ch/publikationen/smss/ computec.ch document data base (german) http://www.computec.ch/download.php?list.7 (Denial of Service) http://www.computec.ch/download.php?list.8 (Firewalling) http://www.computec.ch/download.php?list.11 (Networking) IX. DISCLOSURE TIMELINE 11/23/05 Marc Ruef verifies the for a long time suspected flaw 11/24/05 Inform the vendor by sending an email to pressrelations-at-netgear.com 12/12/05 Public advisory X. CREDITS The vulnerability was discovered and analyzed by Marc Ruef at scip AG, Switzerland. Marc Ruef, scip AG maru-at-scip.ch http://www.scip.ch A1. BIBLIOGRAPHY See VIII. for some useful web ressources. A2. LEGAL NOTICES Copyright (c) 2005 by scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 Comment: http://www.scip.ch iQA/AwUBQ508Dhe5hzJzqVMhEQLEagCfWfWq7GDfBBKu64QwoXTnt43aF84AoJwS T4IiiG+jatHKlgo9aguvrwyn =59cT -----END PGP SIGNATURE-----