Cisco TCP stack vulnerable to DoS attacks
Cisco has released a software update to fix a DoS vulnerability in a number of its products. An attacker can manipulate the state of an open TCP connection so that it never times out and remains connected indefinitely. According to Cisco, such connections hang in the FINWAIT1 state.
If an attacker can achieve this with a large number of connections, they will consume sufficient resources to prevent further connections to the system from being established. A reboot is required to resolve the problem. Crashes may also occur.
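As an added example (not code from the article, Cisco or Outpost24), one way a defender can watch for the symptom described above, many connections from one peer parked in FIN-WAIT-1, is to count that state per peer in a host's socket table. It assumes the Linux `ss -tan` output format; the sample below is constructed, and the threshold is an arbitrary choice.

```python
# Added example: flag peers holding many connections in FIN-WAIT-1 by
# parsing `ss -tan`-style output (Linux). Not from the original article.
import re
from collections import Counter

# Constructed sample in the format of `ss -tan`; Local and Peer columns
# are address:port. One peer has four connections stuck in FIN-WAIT-1.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:22          192.0.2.10:51000
FIN-WAIT-1 0      1      10.0.0.5:80          198.51.100.7:40001
FIN-WAIT-1 0      1      10.0.0.5:80          198.51.100.7:40002
FIN-WAIT-1 0      1      10.0.0.5:80          198.51.100.7:40003
FIN-WAIT-1 0      1      10.0.0.5:80          198.51.100.7:40004
FIN-WAIT-1 0      1      10.0.0.5:80          203.0.113.9:33000
TIME-WAIT  0      0      10.0.0.5:80          192.0.2.10:51001
"""

# state, recv-q, send-q, local, peer (the header line does not match
# because Recv-Q/Send-Q are not digits there)
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*$")


def parse_ss(text):
    """Yield (state, local, peer) tuples for each socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def peer_ip(endpoint):
    """Strip the port from 'ip:port' ('[v6]:port' also handled)."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def stuck_finwait1_by_peer(text, threshold=3):
    """Count FIN-WAIT-1 connections per peer IP and return the peers at or
    above `threshold`; these are the candidates for the stuck-connection
    pattern the article describes. The threshold is an arbitrary choice."""
    counts = Counter(
        peer_ip(peer) for state, _, peer in parse_ss(text)
        if state in ("FIN-WAIT-1", "FIN_WAIT1")
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(stuck_finwait1_by_peer(SAMPLE_SS_OUTPUT))  # {'198.51.100.7': 4}
```

A real deployment would sample `ss -tan` periodically and alert only when the same peer's count stays high across samples, since a connection passes through FIN-WAIT-1 briefly during a normal close.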
Cisco IOS, IOS-XE, CatOS, ASA, PIX, NX-OS and Linksys products are all affected. Precise details of which systems are affected and which are not can be found in the vendor's own security advisory.
The problem is not new, but has been smouldering in the TCP stacks of a number of vendors for a while and is actually a bug in the TCP protocol itself. The problem was first reported by Robert E. Lee and Jack C. Louis from Outpost24 back in October. They used a special tool to demonstrate that a low bandwidth internet connection was able to knock a broadband server off the web. Vendors have been scrabbling around for a solution ever since.
Yesterday, Microsoft too released a patch to fix this problem. Checkpoint, Juniper and other vendors have also now reacted. The Finnish CERT has now finally released details of the problem and of the Sockstress tool, which was used to test the issue and was distributed to vendors.
- TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products, Advisory from Cisco.
- CERT-FI Advisory on the Outpost24 TCP Issues, Report by CERT-FI.
- Speculation surrounds DoS vulnerability in the TCP protocol, a report from The H Security.