Cisco Security Response

Cisco Response to Outpost24 TCP State Table Manipulation Denial of Service Vulnerabilities

Document ID: 622

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081017-tcp

Revision 1.1

For Public Release 2008 October 17 16:00 UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

This Security Response has an associated Security Advisory at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24

This is Cisco's response to research presented by Robert E. Lee and Jack Louis of Outpost24, who have announced several denial of service (DoS) vulnerabilities that involve the manipulation of TCP state table information. These vulnerabilities have been discussed on numerous websites and blogs, and in a presentation delivered by Lee and Louis at the T2 conference in Helsinki, Finland on October 17, 2008.

Cisco PSIRT is aware of the vulnerabilities and is actively investigating what impact these vulnerabilities may have on Cisco products. PSIRT will disclose any security vulnerabilities discovered in compliance with Cisco's security vulnerability policy:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

PSIRT is working with Outpost24 and the Finnish Computer Emergency Response Team (CERT-FI) as part of the industry response to these vulnerabilities. An announcement from CERT-FI is available at the following link:

https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html

Additional Information

Cisco PSIRT research indicates an attacker must complete a TCP three-way handshake to a device to successfully exploit the DoS vulnerabilities. This requirement makes spoofing the source of an attack more challenging. The TCP vulnerabilities that Outpost24 announced are an extension of well-known weaknesses in the TCP protocol.

It is possible to mitigate the risk of these vulnerabilities by allowing only trusted sources to access TCP-based services. This mitigation is particularly important for critical infrastructure devices. PSIRT recommends the implementation of infrastructure access control lists (IACLs) and control plane policing (CoPP) to protect core network functionality. For more information, reference the IACL documentation at the following links:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#limitaccess

Information on CoPP can be found at the following links:

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
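
The following IOS configuration sketch is an added example, not part of Cisco's original response. It shows the two recommended controls restricting TCP access to infrastructure devices to trusted sources. All addresses, the interface name, the ACL, class and policy names, and the police rates are constructed placeholder values to be replaced and tuned per network; only TCP is covered here, matching the scope of this response.

```cisco
! Constructed sample values (RFC 5737 documentation ranges):
!   198.51.100.0/24 = infrastructure addresses (router links and loopbacks)
!   203.0.113.0/24  = trusted management network
!   192.0.2.1       = trusted external BGP peer; 198.51.100.1 = local peering address
!
! --- Infrastructure ACL (IACL), applied inbound at the network edge ---
ip access-list extended IACL-EDGE-IN
 remark Trusted BGP peer, both directions of the session
 permit tcp host 192.0.2.1 host 198.51.100.1 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 198.51.100.1
 remark SSH to infrastructure from the management network only
 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
 remark All other TCP aimed at infrastructure addresses is dropped
 deny tcp any 198.51.100.0 0.0.0.255
 remark Transit traffic through the network is unaffected
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group IACL-EDGE-IN in
!
! --- Control plane policing (CoPP): second layer on the device itself ---
ip access-list extended COPP-TCP-TRUSTED
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
ip access-list extended COPP-TCP-OTHER
 permit tcp any any
!
class-map match-all COPP-TCP-TRUSTED
 match access-group name COPP-TCP-TRUSTED
class-map match-all COPP-TCP-OTHER
 match access-group name COPP-TCP-OTHER
!
policy-map COPP-INPUT
 ! Trusted sources are matched first and always transmitted
 class COPP-TCP-TRUSTED
  police 512000 8000 8000 conform-action transmit exceed-action transmit
 ! Any remaining TCP punted to the control plane is dropped
 class COPP-TCP-OTHER
  police 8000 1500 1500 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-INPUT
```

Because exploitation requires a completed three-way handshake, source-based filtering of this kind is meaningful: an untrusted host cannot easily pose as a permitted peer.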

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Revision 1.1    2009-September-09    Added link to associated Security Advisory.

Revision 1.0    2008-October-17      Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

