
CERT-FI Advisory on the Outpost24 TCP Issues

Target:
- servers and server applications
- workstations and end user applications
- network devices
- embedded systems
- mobile devices
- other

Access Vector:
- remote

Impact:
- denial of service

Remediation:
- fix provided by vendor
- workaround

Details

The vulnerabilities described in this advisory can potentially affect systems and applications that run an implementation of the TCP protocol (RFC 793 et al.). The issues were found with the Sockstress tool developed by Outpost24.

Sockstress is a user-land TCP socket stress testing framework that can open an arbitrary number of sockets. The attacks use different variations in terms of payloads, window sizes and stalled TCP states. They take advantage of the resources the target exposes once the TCP handshake has completed, namely kernel and system resources such as counters, timers and memory pools. The attacks do not require significant bandwidth.

The full effects of these attacks are still being studied. The referenced CPNI article "Security Assessment of the Transmission Control Protocol (TCP)" contains information on generic TCP attacks, but does not detail the expected result when they are used against a specific vendor's TCP stack.

Impact

The general impact of the tool and its attack scenarios is a denial of service (DoS). However, the impact varies by stack implementation. The overall impact on a given setup depends on the target application and the operating system running on the target. The impact on specific systems falls into three categories:

1) Temporary impact on the application

CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3

The application fails to accept connections from legitimate users when the attack is ongoing. This state is temporary and the application will become usable once the attack stops.

2) Permanent impact on the application

CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:P - 4.3

The application fails to accept connections from legitimate users once the attack has started and lasted for some period of time. This state is permanent in the sense that the application will not become responsive until it has been restarted.

3) Permanent impact on the system

CVSS Vector and score: AV:N/AC:M/Au:N/C:N/I:N/A:C - 7.1

The system (the OS kernel) stops performing its essential functions once the attack has been started and has lasted for some period of time. As a result, the system will be unusable. The system becomes usable again once it has been rebooted.

Severity

The severity of the attacks ranges from a CVSS score of 4.3 (medium severity) through 7.1 (high severity), depending on the persistence and scope of the DoS condition. This varies by vendor. Please see the 'Vendor Information' section below for further information. Alternatively, contact your vendor for product specific information.

If the attacks succeed in initiating perpetually stalled connections, the connection table of the server can quickly be filled, effectively creating a denial of service condition for a specific service. In many cases the attacks have also been seen to consume significant amounts of event queue capacity and system memory, which intensifies their effects. In some cases, this has resulted in systems that no longer have event timers for TCP communication. Some systems become effectively frozen once attacked, while some reboot.

While it is trivial to make a single service unavailable in a matter of seconds, making an entire system defunct can take many minutes, and in some cases hours. As a general rule, the more services a system has, the faster it will succumb to the system wide effects of the attacks (broken TCP, system lock, reboot, etc.). As with most types of denial of service attacks, attack amplification can be achieved by attacking from a larger number of IP addresses.


Vulnerability Coordination Information and Acknowledgments

CERT-FI has coordinated the disclosure of this vulnerability between the vulnerability researcher and the affected vendors. CERT-FI would like to thank Jack C. Louis and Robert E. Lee for making the tool and information available to the most potentially affected vendors. CERT-FI would also like to thank the vendors for their co-operation and JPCERT/CC for co-ordinating this issue in Japan.

Vendor Information
Microsoft

VMware

  • VMware products are not vulnerable.

Cisco

CheckPoint

Juniper

  • Juniper Networks received the Sockstress tool and executed testing on all our platforms. We have found no unexpected or adverse impact to our equipment which is different from other types of TCP Denial of Service (DOS). When the Sockstress DOS attack is removed, Juniper systems recover normally. Given that Sockstress is not a new 'class' of TCP attacks, existing Best Common Practices (BCPs) used to protect Juniper products from TCP based DOS attacks are the best investment of time. Juniper Security Advisory is PSN-2008-10-041 and can be found at https://www.juniper.net/alerts/viewalert.jsp?actionbtn=Search&txtalertnumber=PSN-2008-10-041. Access is via Entitled Disclosure. Please contact Juniper SIRT Team at sirt@juniper.net for any questions on this or other feasible vulnerabilities and risk to Juniper Network's products and services.

Clavister

  • We can report that the TCP stack in our Security Gateway products is not affected by these vulnerabilities.

Red Hat

Sun Microsystems

Wind River

Fortinet

  • We can report that the TCP stack in our Fortigate products is not affected by these vulnerabilities.

Aruba

  • During our internal testing, we did not find the services on ArubaOS vulnerable to the majority of the DoS attacks mentioned in CERT-FI's advisory. However, we have made some performance specific changes to one component of ArubaOS which seemed affected by one class of DoS attacks. These changes have been included in the AOS 3.4.X, AOS 3.3.1.31, AOS 3.3.2.20, AOS 3.3.3.1, AOS 3.3.2.18-FIPS and AOS 3.3.2.18-RN-3.1.2 patch releases, which are available for download from Aruba's support site. Aruba recommends that you upgrade your ArubaOS to these patches for your respective releases.
    https://airheads.arubanetworks.com/article/arubaos-exposure-cert-fi-advisory-outpost24-tcp-issues

McAfee

Stonesoft

Bluecoat

Nortel

NetApp

  • NetApp has determined that each of the products as referenced is NOT vulnerable to the Outpost24 issues.

    Data ONTAP versions 5.4+, 6.x, 7.x, 8.0, 10.0.x
    NetCache 5.2+, 6.0.x, 6.1.x
    Datafort

F5

Remediation

Patch the vulnerable software components according to the guidance published by the vendor. Where available, refer to the 'Vendor Information' section of this advisory for platform specific remediation.

Since an attacker must be able to fully establish TCP connections with the target, the attacks cannot be launched from spoofed source addresses. White-listing access to TCP services on routers and critical systems is currently the most effective means of mitigation. Limiting the number of incoming connections from a single source IP forces an attacker to use more source IP addresses in the attack. The referenced CPNI TCP document contains mitigation advice on TCP issues.
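As an added example (not part of the CERT-FI advisory or the Sockstress tool), the following Python check applies the per-source connection-limit advice above to a snapshot of open sockets: it parses constructed output in the format of `ss -tan`, counts non-listening connections per remote address, and reports sources above a threshold while skipping an assumed allow-list. The sample addresses are documentation ranges and the threshold is an assumption.

```python
"""Flag remote hosts holding an unusual number of TCP connections to local services.

Added example, not from the CERT-FI advisory. The input is constructed
sample output in the layout of `ss -tan`: State Recv-Q Send-Q Local Peer.
"""
from collections import Counter

# Constructed sample: one source (198.51.100.7) holds 12 established
# connections to port 80, the rest is ordinary traffic.
SAMPLE_SS_OUTPUT = "\n".join(
    ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port",
     "LISTEN 0      128    0.0.0.0:80         0.0.0.0:*",
     "ESTAB  0      0      192.0.2.10:22      203.0.113.5:51000",
     "ESTAB  0      0      192.0.2.10:80      203.0.113.9:52000"]
    + [f"ESTAB  0      0      192.0.2.10:80      198.51.100.7:{40000 + i}"
       for i in range(12)]
)


def parse_ss(output):
    """Return (state, local_port, peer_ip) for every non-LISTEN socket line."""
    rows = []
    for line in output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] == "LISTEN":
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        # rpartition keeps bracketed IPv6 literals such as [2001:db8::1] intact
        peer_ip = peer.rpartition(":")[0].strip("[]")
        local_port = int(local.rpartition(":")[2])
        rows.append((state, local_port, peer_ip))
    return rows


def connections_per_source(rows):
    """Count connections per remote IP regardless of local port or TCP state."""
    return Counter(peer_ip for _, _, peer_ip in rows)


def flag_sources(counts, limit, allow_list=frozenset()):
    """Sorted list of remote IPs holding more than `limit` connections.

    Hosts on the allow-list (assumed trusted proxies, monitoring, etc.)
    are never flagged, mirroring a white-list applied ahead of the limit.
    """
    return sorted(ip for ip, n in counts.items()
                  if n > limit and ip not in allow_list)


if __name__ == "__main__":
    counts = connections_per_source(parse_ss(SAMPLE_SS_OUTPUT))
    for ip in flag_sources(counts, limit=10):   # limit=10 is an assumed threshold
        print(f"{ip}: {counts[ip]} connections (above per-source limit)")
```

On a live system the same logic can be fed from `ss -tan` output; a host that stays above the limit across several snapshots is the pattern to investigate, since legitimate clients normally release connections.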

References

Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Email:
vulncoord@ficora.fi
Please quote the advisory reference [FICORA #193744] in the subject line.

Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax :
+358 9 6966 515

Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND

CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html

Revision History

8 Sept 2009 18:00 UTC: Released
10 Sept 2009 09:00 UTC: Added reference to Sun Microsystems' advisory
15 Sept 2009 15:30 UTC: Added Wind River's vendor statement
18 Sept 2009 12:45 UTC: Added Fortinet's vendor statement
22 Sept 2009 12:30 UTC: Added Aruba's vendor statement
30 Sept 2009 15:30 UTC: Added reference to McAfee's advisory
7 Oct 2009 09:30 UTC: Added reference to Stonesoft's advisory
21 Oct 2009 15:00 UTC: Added reference to Bluecoat's and Nortel's advisories
24 Nov 2009 07:55 UTC: Added reference to US-CERT vulnerability note
18 Dec 2009 16:11 UTC: Added NetApp's vendor statement
5 Feb 2010 14:57 UTC: Added reference to F5's vulnerability advisory
16 Aug 2010 12:52 UTC: Added reference to JPCERT/CC advisory

Page updated 16.08.2010