Subject: [NEWS] TCP Does Not Adequately Validate Segments Before Updating Timestamp Value
Date: 22 May 2005 18:08:24 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  TCP Does Not Adequately Validate Segments Before Updating Timestamp Value
------------------------------------------------------------------------


SUMMARY

Certain TCP implementations may allow a remote attacker to arbitrarily 
modify host timestamp values, leading to a denial-of-service condition.

DETAILS

Systems Affected:
Vendor - Status - Date Updated
3Com - Unknown - 9-Mar-2005
Alcatel - Unknown - 9-Mar-2005
Apple Computer Inc. - Unknown - 9-Mar-2005
AT&T - Unknown - 9-Mar-2005
Avaya - Unknown - 9-Mar-2005
Avici Systems Inc. - Unknown - 9-Mar-2005
Borderware - Unknown - 9-Mar-2005
Check Point - Not Vulnerable - 19-May-2005
Chiaro Networks - Unknown - 18-May-2005
Cisco Systems Inc. - Vulnerable - 18-May-2005
Clavister - Not Vulnerable - 18-May-2005
Computer Associates - Unknown - 9-Mar-2005
Conectiva - Unknown - 9-Mar-2005
Cray Inc. - Unknown - 9-Mar-2005
Cwnt - Unknown - 9-Mar-2005
Data Connection - Unknown - 9-Mar-2005
Debian - Unknown - 9-Mar-2005
EMC Corporation - Unknown - 9-Mar-2005
Engarde - Unknown - 9-Mar-2005
eSoft - Unknown - 9-Mar-2005
Extreme Networks - Unknown - 9-Mar-2005
F5 Networks - Unknown - 9-Mar-2005
Fortinet - Unknown - 9-Mar-2005
Foundry Networks Inc. - Not Vulnerable - 18-May-2005
FreeBSD - Vulnerable - 16-Mar-2005
Fujitsu - Unknown - 9-Mar-2005
GTA - Unknown - 9-Mar-2005
Hewlett-Packard Company - Unknown - 17-May-2005
Hitachi - Vulnerable - 19-May-2005
Hyperchip - Unknown - 9-Mar-2005
IBM - Unknown - 9-Mar-2005
IBM eServer - Unknown - 9-Mar-2005
IBM zSeries - Unknown - 9-Mar-2005
Immunix - Unknown - 9-Mar-2005
Ingrian Networks - Unknown - 9-Mar-2005
Inoto - Unknown - 9-Mar-2005
Intel - Unknown - 9-Mar-2005
Internet Security Systems Inc. - Unknown - 9-Mar-2005
IP Filter - Unknown - 9-Mar-2005
Juniper Networks - Unknown - 9-Mar-2005
Lachman - Unknown - 9-Mar-2005
Linksys - Unknown - 9-Mar-2005
Lucent Technologies - Unknown - 9-Mar-2005
Luminous - Unknown - 9-Mar-2005
MandrakeSoft - Unknown - 9-Mar-2005
Microsoft Corporation - Vulnerable - 18-May-2005
MontaVista Software - Unknown - 9-Mar-2005
Multi-Tech Systems Inc. - Unknown - 9-Mar-2005
Multinet - Unknown - 9-Mar-2005
NEC Corporation - Not Vulnerable - 17-May-2005
NetBSD - Unknown - 9-Mar-2005
Netfilter - Not Vulnerable - 17-Mar-2005
Netscreen - Unknown - 9-Mar-2005
Network Appliance - Unknown - 9-Mar-2005
NextHop - Not Vulnerable - 16-Mar-2005
Nokia - Unknown - 9-Mar-2005
Nortel Networks - Unknown - 9-Mar-2005
Novell - Unknown - 9-Mar-2005
OpenBSD - Vulnerable - 18-May-2005
Openwall GNU/*/Linux - Unknown - 9-Mar-2005
Red Hat Inc. - Unknown - 9-Mar-2005
Redback Networks Inc. - Vulnerable - 19-May-2005
Riverstone Networks - Unknown - 9-Mar-2005
SCO Linux - Unknown - 9-Mar-2005
SCO Unix - Unknown - 9-Mar-2005
Secure Computing Corporation - Not Vulnerable - 11-Apr-2005
SecureWorx - Unknown - 9-Mar-2005
Sequent - Unknown - 9-Mar-2005
SGI - Unknown - 9-Mar-2005
Sony Corporation - Unknown - 9-Mar-2005
Stonesoft - Unknown - 9-Mar-2005
Sun Microsystems Inc. - Not Vulnerable - 11-Apr-2005
SuSE Inc. - Unknown - 9-Mar-2005
Symantec Corporation - Unknown - 9-Mar-2005
TurboLinux - Unknown - 9-Mar-2005
Unisys - Unknown - 9-Mar-2005
WatchGuard - Not Vulnerable - 15-Apr-2005
Wind River Systems Inc. - Unknown - 18-May-2005
ZyXEL - Unknown - 9-Mar-2005

The Transmission Control Protocol (TCP) is defined in RFC 793 as a means 
to provide reliable host-to-host transmission in packet-switched computer 
networks. RFC 1323 introduced techniques to increase the performance of 
TCP. Two such techniques are TCP timestamps and Protection Against Wrapped 
Sequence Numbers (PAWS).

In certain implementations of TCP with timestamps enabled, both hosts 
maintain an internal timer that is used to detect segment loss and 
regulate traffic flow. PAWS uses timestamps to prevent duplicate or old 
segments from corrupting an active connection. With PAWS and the 
timestamps option enabled, a host compares the timestamp carried in each 
incoming segment against the last valid timestamp it has recorded. 
If the segment's timestamp is larger than the value of the last valid 
timestamp and the sequence number is less than the last acknowledgment 
sent, then the host's internal timer is updated with the new timestamp 
value and the segment is passed on for further processing. Otherwise, the 
segment is rejected as too old or a duplicate.

If a remote attacker can determine the source and destination ports and IP 
addresses of both hosts engaged in an active connection, that attacker may 
be able to inject a specially crafted segment into the connection. When 
the spoofed segment is received the host's internal timer value will be 
changed to the value in the crafted segment. Please note that, in certain 
TCP implementations, sequence numbers are not properly validated before 
the internal timer is updated, thus an attacker does not need to know a 
correct sequence number to change the internal timer. If the internal 
timer value is set to a large value, then it will likely be larger than 
the timestamp value in subsequent incoming segments. This will cause new, 
legitimate TCP segments to be evaluated as too old and discarded. As 
segments are rejected, the flow of data between hosts stops, resulting in 
a denial-of-service condition.
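The failure mode described above, as an added toy model that is not part of the advisory and models no specific vendor's stack: a receiver that records TS.Recent before validating the segment's sequence number is placed beside one that applies the RFC 1323 order (PAWS test, then window check, then timestamp update). All segment values are constructed.

```python
"""Toy model of the receive-side PAWS logic from RFC 1323 (added example).
A receiver that updates TS.Recent for any segment passing the timestamp test
is compared with one that only does so for a segment inside the receive
window with SEG.SEQ <= Last.ACK.sent. Sequence numbers are not wrapped here."""
from dataclasses import dataclass

TS_MODULUS = 2 ** 32  # TCP timestamps are 32-bit values that wrap


def ts_not_older(tsval: int, ts_recent: int) -> bool:
    """PAWS comparison in 32-bit modular arithmetic: tsval >= ts_recent."""
    return ((tsval - ts_recent) % TS_MODULUS) < TS_MODULUS // 2


@dataclass
class Receiver:
    ts_recent: int      # TS.Recent: last valid timestamp seen from the peer
    rcv_nxt: int        # next expected sequence number (Last.ACK.sent here)
    rcv_wnd: int        # advertised receive window
    validate_seq: bool  # True = RFC order; False = the flawed behaviour

    def receive(self, seq: int, length: int, tsval: int) -> bool:
        """Return True if the segment would be passed on for processing."""
        # R1: PAWS test. A timestamp older than TS.Recent is an old duplicate.
        if not ts_not_older(tsval, self.ts_recent):
            return False
        # R2: RFC 793 acceptability: the segment must overlap the window.
        in_window = (seq < self.rcv_nxt + self.rcv_wnd
                     and seq + length > self.rcv_nxt)
        # R3: record the timestamp. The flawed receiver does this for any
        # segment that passed R1, so a bogus sequence number is enough.
        if not self.validate_seq or (in_window and seq <= self.rcv_nxt):
            self.ts_recent = tsval
        if in_window and seq <= self.rcv_nxt:
            self.rcv_nxt = max(self.rcv_nxt, seq + length)
        return in_window


def simulate(validate_seq: bool) -> list:
    """Feed a legitimate, a spoofed and another legitimate segment
    (constructed values) and return which of them were accepted."""
    rx = Receiver(ts_recent=1000, rcv_nxt=5000, rcv_wnd=65535,
                  validate_seq=validate_seq)
    segments = [
        (5000, 100, 1001),                 # legitimate, in order
        (900_000_000, 1, 1001 + 2 ** 30),  # spoofed: bogus seq, large tsval
        (5100, 100, 1002),                 # legitimate follow-up
    ]
    return [rx.receive(*s) for s in segments]
```

With `validate_seq=False` the third, legitimate segment is discarded as too old; with the RFC order the spoofed segment is dropped at the window check and leaves TS.Recent untouched.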

For more information about TCP, timestamps, and PAWS please see RFC 793 
and RFC 1323.

Impact:
An unauthenticated, remote attacker could cause TCP connections to 
abort/drop segments, leading to a denial-of-service condition.

Solution:
Apply Patch
Users who suspect they are vulnerable are encouraged to check with their 
vendor to determine the appropriate action to take. Please see the list of 
vendors we have notified below.

Disable PAWS
As a workaround, disable PAWS and TCP timestamps if they are not needed.

CVE Information:
CAN-2005-0356 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356


ADDITIONAL INFORMATION

The information has been provided by Noritoshi Demizu.
The original article can be found at:
http://www.kb.cert.org/vuls/id/637934


