CERT-FI Statement on the Outpost24 TCP Issues

Version Information

CERT-FI Reference: FICORA #193744
CVE Reference: CVE-2008-4609
Release Date: 02 October 2008 14:00 UTC
Last Revision: 8 Sep 2009
Version Number: 1.5 (archive version)

The case has been disclosed in the following advisory: https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html.

Summary

CERT-FI has been informed by Outpost24 of possible weaknesses in TCP implementations. CERT-FI has been co-ordinating the remediation efforts regarding possible vulnerabilities together with Outpost24 and a number of software and hardware vendors since October 2008.

Work on determining the scope and impact of the vulnerability has now been largely completed. Several vendors are currently in various phases of the patch development process and have also documented various workarounds and mitigating factors. Judging by the current progress, CERT-FI is confident that functional fixes to mitigate the threat can be expected to be released during this year. The specifics of the weaknesses have not been made public. CERT-FI has shared the information with a select set of vendors to help facilitate their investigation and remediation process. However, the following characteristics have been publicly acknowledged:

  • The weaknesses can be exploited to induce a denial of service condition on the TCP connection queue of a target host.
  • The weaknesses can be exploited using relatively small amounts of traffic.
  • In some test scenarios, specific implementations have been found to suffer from long-lasting or permanent effects.
  • Exploiting the weaknesses requires the successful completion of a three-way handshake. Thus, the threat can be effectively mitigated by source address level filtering.

In February 2009, the CPNI of the UK published a thorough security assessment of the TCP protocol, which presents a number of TCP vulnerabilities and mitigation advice. The report can be downloaded at http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx

Coordination Developments

Oct 17 2008. The TCP issue reported by Outpost24 is being coordinated by CERT-FI. We are in the process of determining the impact of the techniques and principles described by the reporters of the issue. We are researching and handling the issue with several vendors from all potentially affected branches of network equipment and software. Once we are fully aware of what types of network equipment and services are most likely to be affected, we will make more vendor contacts. Based on previous experience from similar coordination projects, we estimate that the full publication of the details of the issue may take until next year. CERT-FI will publish more information on the developments of the issue coordination as the coordination progresses.

March 23 2009. Discussions have been ongoing with a number of vendors, and several of them are currently in various phases of the patch development process. Judging by the current progress, CERT-FI is confident that functional fixes to mitigate the risk can be expected to be released during this year.

June 1 2009. CERT-FI has contacted 65 vendors regarding the TCP issue, and is working actively with 38 of them. Some vendors have successfully prepared patches, while others are still working towards a reliably working mitigation. As we are aiming to disclose the issues in a coordinated fashion, there is no certainty of a final disclosure date at this stage.

June 15 2009. Issue #66 of Phrack magazine contained an article on exploiting TCP Persist Timer weaknesses (http://www.phrack.com/issues.html?issue=66&id=9#article) to cause Denial of Service conditions. The article discusses issues similar to, but not the same as, the issues reported by Outpost24. The publication of the Phrack magazine article will not affect the coordination and schedule related to the issues reported by Outpost24. CERT-FI emphasizes that the eventual release of the issues reported by Outpost24 will be done in a coordinated fashion.

Sep 8 2009. CERT-FI released its advisory about the issues.

Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Email:
vulncoord@ficora.fi
Please quote the advisory reference in the subject line

Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax:
+358 9 6966 515

Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki FINLAND

CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html

Version History

Oct 2 2008: Initial publication (1.0)
Oct 17 2008: Added the Coordination Developments section and an entry on the situation on Oct 17th. (1.1)
March 23 2009: Updated the status of the coordination process (1.2)
June 2 2009: Updated the status of the coordination process (1.3)
June 15 2009: Updated the statement to reflect the publication of the Phrack magazine TCP article (1.4)
Sep 8 2009: Added mention of the advisory, and archived the statement. (1.5)

Page updated 16.09.2009