Citrix has released a security notice and updated software to address the multiple vendor TCP and IP window size processing denial of service vulnerability. US-CERT has released a VU Note.
Description
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to exhaust available TCP and IP connections, resulting in a denial of service (DoS) condition.
This vulnerability exists due to improper handling of malformed TCP and IP packets. An unauthenticated, remote attacker could exploit this vulnerability by establishing a large number of TCP and IP connections with a vulnerable system. If successful, the attacker could prevent the system from accepting new connections, resulting in a DoS condition.
Check Point, Cisco, McAfee, Microsoft, Stonesoft and Citrix have confirmed this vulnerability and released software updates. Sun and Nortel have also confirmed this vulnerability, but software updates are not available.
Warning Indicators
Cisco has published a list of affected Cisco IOS Software releases in the security advisory. Versions of Cisco PIX and ASA Software, Cisco CatOS Software, and Cisco IOS-XE Software are also affected, as listed in the security advisory. The Vendor Announcements section of this alert contains a link to the advisory.
The following Citrix products are vulnerable:
Citrix NetScaler Application Delivery Software 9.1 and prior
Citrix NetScaler VPX 9.1
Citrix Access Gateway Enterprise Edition versions 9.1 and prior
The following Microsoft systems are affected:
Windows 2000 SP4 and prior
Windows XP SP3 and prior
Windows XP Professional x64 Edition SP2 and prior
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 for Itanium-based Systems SP2
Windows Vista SP2 and prior
Windows Vista x64 Edition SP2 and prior
Windows Server 2008 for 32-bit Systems SP2 and prior
Windows Server 2008 for x64-based Systems SP2 and prior
Windows Server 2008 for Itanium-based Systems SP2 and prior
Vulnerable Nortel products are listed in the Nortel advisory that is available in the vendor announcements section of this alert.
The following Stonesoft products are vulnerable:
StoneGate Firewall and VPN engines versions 4.2.10 and prior and versions 4.3.0 through 5.0.2
StoneGate IPS engine versions 4.2.3 and prior, 4.3.6 and prior and 5.0.1 and prior
StoneGate SSL VPN versions 1.3.1 and prior
The following Sun products are vulnerable:
SPARC Solaris 8 Solaris 9 Solaris 10
Intel Solaris 8 Solaris 9 Solaris 10
IntelliShield Analysis
To exploit this vulnerability, an attacker must establish a complete TCP three-way handshake to establish a connection to a vulnerable system. The establishment of a complete session requires additional resources on the part of an attacker, increasing the time that may be required for exploitation. Additionally, some network devices or end hosts may not accept direct connections from untrusted sources, reducing the chance of exploitation.
Although Microsoft has confirmed this vulnerability in Windows 2000 and Windows XP, updates for these operating systems will not be released.
Cisco has re-released a security advisory to state that Cisco PIX and Cisco ASA security appliances versions 7.0.x are not affected by this vulnerability.
An exploit could prevent a targeted system from establishing any additional incoming TCP and IP connections. Some devices, such as perimeter network filtering devices, may be rendered completely unavailable as the result of exploitation. Other systems, particularly end-user hosts, may be impacted to a lesser extent, as these systems rarely accept critical incoming network connections.
Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the September 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for September 2009
Vendor Announcements
Check Point has released a security advisory at the following link: CVE-2008-4609
Sun has released an alert notification at the following link: 267088
US-CERT has released a vulnerability note at the following link: VU#723308
Impact
An unauthenticated, remote attacker could exploit this vulnerability to exhaust available TCP and IP connections on an affected system, resulting in a DoS condition.
Technical Information
This vulnerability exists due to improper handling of malformed TCP and IP packets. Affected systems and devices do not properly handle TCP and IP packets with small or zero window sizes. The processing of a malformed packet could cause a system to maintain the connection indefinitely in an open wait state.
An unauthenticated, remote attacker could exploit this vulnerability by establishing a large number of TCP and IP connections with a targeted system. Sessions established using malicious TCP and IP packets may stay open in a waiting state, exhausting available connections and preventing the system from accepting new incoming connections, resulting in a DoS condition.
Safeguards
Administrators are advised to apply the available software updates.
Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
Administrators are advised to monitor critical systems.
The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-amb-20090908-tcp24
Patches/Software
Check Point has provided links to updated software in the security advisory at this link: CVE-2008-4609
Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.
Citrix has released updated software at the following links:
Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
Nortel has provided update instructions and mitigation techniques in their vendor advisory. Several of the listed products are fixed by applying the Microsoft, Sun, or Check Point fixes that are listed in this alert. Because the problems are with the operating system being used, not the applications themselves, the products will not be listed in the product list for this alert.
Stonesoft has released updated software for registered users at the following links:
Version 8, October 20, 2009, 11:34 PM: Nortel has released a security advisory and mitigation techniques to address the TCP and IP window size processing denial of service vulnerability.
Version 7, October 6, 2009, 3:39 PM: McAfee has released a security advisory and updated software to address the TCP and IP window size processing denial of service vulnerability.
Version 6, October 5, 2009, 10:22 AM: Stonesoft has released a security advisory and updated software to address the TCP and IP window size processing denial of service vulnerability.
Version 5, September 23, 2009, 6:03 PM: Check Point has released an alert notification and updated software to address the TCP and IP window size processing denial of service vulnerability.
Version 4, September 11, 2009, 5:53 PM: Cisco has re-released an alert notification with additional version information regarding the TCP and IP window size processing denial of service vulnerability.
Version 3, September 11, 2009, 2:11 PM: Microsoft has re-released an alert notification with additional version information regarding the TCP and IP window size processing denial of service vulnerability.
Version 2, September 11, 2009, 10:57 AM: Sun has released an alert notification to address the TCP and IP window size processing denial of service vulnerability.
Version 1, September 8, 2009, 3:08 PM: Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to exhaust available TCP and IP connections, resulting in a denial of service condition. Updates are available.
The security vulnerability applies to the following combinations of products.
Primary Products:
Check Point Software Tech, Inc.
Connectra NGX
R60 Base | R61 Base | R62 Base | R62CM Base | R65 Base | R66 Base | R70 Base
Check Point Software Tech, Inc.
VPN-1 Power/UTM
NGX R60 Base | NGX R61 Base | NGX R62 Base, Hotfix 1 (IPSO), Hotfix 1 (Linux) , Hotfix 1 (Solaris) , Hotfix 1 (Windows) | NGX R62CM Base | NGX R65 Base, Hot Fix 1 (IPSO), Hot Fix 1 (Linux), Hot Fix 1 (Solaris) , Hot Fix 1 (Windows) , Hot Fix 2 (IPSO) , Hot Fix 2 (Linux) , Hot Fix 2 (Solaris), Hot Fix 2 (Windows) | NGX R66 Base | NGX R70 Base
Check Point Software Tech, Inc.
VPN-1 Power VSX
NGX R60 Base | NGX R61 Base | NGX R62 Base | NGX R62CM Base | NGX R65 Base | NGX R66 Base | NGX R70 Base
Check Point Software Tech, Inc.
VPN-1 Pro/Express
NGX R60 Base, Hot Fix 1 (IPSO), Hot Fix 1 (Linux), Hot Fix 1 (Solaris), Hot Fix 1 (Windows), Hot Fix 2 (IPSO), Hot Fix 2 (Linux), Hot Fix 2 (Solaris) , Hot Fix 2 (Windows) | NGX R61 Base, Hot Fix 1 (IPSO), Hot Fix 1 (Linux), Hot Fix 1 (Solaris), Hot Fix 1 (Windows), Hot Fix 2 (IPSO) , Hot Fix 2 (Linux), Hot Fix 2 (Solaris), Hot Fix 2 (Windows) | NGX R62 Base | NGX R62CM Base | NGX R65 Base | NGX R66 Base | NGX R70 Base
Cisco
Cisco Catalyst Operating System (CatOS) Software
7.6(1) Base | 7.6(10) Base | 7.6(11) Base | 7.6(12) Base | 7.6(13) Base | 7.6(14) Base | 7.6(15) Base | 7.6(16) Base | 7.6(17) Base | 7.6(18) Base | 7.6(19) Base | 7.6(2) Base | 7.6(2a) Base | 7.6(3a) Base | 7.6(5) Base | 7.6(6) Base | 7.6(8) Base | 7.6(9) Base | 8.1 Base | 8.2(1) Base | 8.2(2) Base | 8.3 (5), (6) | 8.3(1) Base | 8.3(1)GLX Base | 8.3(2) Base | 8.3(2)GLX Base | 8.3(3) Base | 8.3(4) Base | 8.3(5) Base | 8.3(6) Base | 8.4 (1), (2), (3), (4), (5), (6) | 8.4.2 Base | 8.5 (1), (2), (3), (4), (5), (6), (7), (8) | 8.6 (1), Base
12.0 Base | 12.0DA Base | 12.0DB Base | 12.0DC Base | 12.0S Base | 12.0SC Base | 12.0SL Base | 12.0SP Base | 12.0ST Base | 12.0SX Base | 12.0SY Base | 12.0SZ Base | 12.0T Base | 12.0W Base | 12.0WC Base | 12.0XA Base | 12.0XB Base | 12.0XC Base | 12.0XD Base | 12.0XE Base | 12.0XG Base | 12.0XH Base | 12.0XI Base | 12.0XJ Base | 12.0XK Base | 12.0XL Base | 12.0XM Base | 12.0XN Base | 12.0XQ Base | 12.0XR Base | 12.0XS Base | 12.0XT Base | 12.0XV Base | 12.1 Base | 12.1AA Base | 12.1AX Base | 12.1AY Base | 12.1AZ Base | 12.1CX Base | 12.1DA Base | 12.1DB Base | 12.1DC Base | 12.1E Base | 12.1EA Base | 12.1EB Base | 12.1EC Base | 12.1EO Base | 12.1EU Base | 12.1EV Base | 12.1EW Base | 12.1EX Base | 12.1EY Base | 12.1EZ Base | 12.1GA Base | 12.1GB Base | 12.1T Base | 12.1XA Base | 12.1XB Base | 12.1XC Base | 12.1XD Base | 12.1XE Base | 12.1XF Base | 12.1XG Base | 12.1XH Base | 12.1XI Base | 12.1XJ Base | 12.1XL Base | 12.1XM Base | 12.1XP Base | 12.1XQ Base | 12.1XR Base | 12.1XS Base | 12.1XT Base | 12.1XU Base | 12.1XV Base | 12.1XW Base | 12.1XX Base | 12.1XY Base | 12.1XZ Base | 12.1YA Base | 12.1YB Base | 12.1YC Base | 12.1YD Base | 12.1YE Base | 12.1YF Base | 12.1YH Base | 12.1YI Base | 12.1YJ Base | 12.2 Base | 12.2B Base | 12.2BC Base | 12.2BW Base | 12.2BX Base | 12.2BY Base | 12.2BZ Base | 12.2CX Base | 12.2CY Base | 12.2CZ Base | 12.2DA Base | 12.2DD Base | 12.2DX Base | 12.2EW Base | 12.2EWA Base | 12.2EX Base | 12.2EY Base | 12.2EZ Base | 12.2FX Base | 12.2FY Base | 12.2FZ Base | 12.2IRA Base | 12.2IRB Base | 12.2IXA Base | 12.2IXB Base | 12.2IXC Base | 12.2IXD Base | 12.2IXE Base | 12.2IXF Base | 12.2IXG Base | 12.2JA Base | 12.2JK Base | 12.2MB Base | 12.2MC Base | 12.2S Base | 12.2SB Base | 12.2SBC Base | 12.2SCA Base | 12.2SCB Base | 12.2SE Base | 12.2SEA Base | 12.2SEB Base | 12.2SEC Base | 12.2SED Base | 12.2SEE Base | 12.2SEF Base | 12.2SEG Base | 12.2SG Base | 12.2SGA Base | 12.2SM Base | 12.2SO Base | 12.2SQ Base | 12.2SRA Base | 12.2SRB Base | 12.2SRC Base | 12.2SRD Base | 12.2STE Base | 12.2SU Base | 12.2SV Base | 12.2SVA Base | 12.2SVC Base | 12.2SVD Base | 12.2SVE Base | 12.2SW Base | 12.2SX Base | 12.2SXA Base | 12.2SXB Base | 12.2SXD Base | 12.2SXE Base | 12.2SXF Base | 12.2SXH Base | 12.2SXI Base | 12.2SY Base | 12.2SZ Base | 12.2T Base | 12.2tpc Base | 12.2XA Base | 12.2XB Base | 12.2XC Base | 12.2XD Base | 12.2XE Base | 12.2XF Base | 12.2XG Base | 12.2XH Base | 12.2XI Base | 12.2XJ Base | 12.2XK Base | 12.2XL Base | 12.2XM Base | 12.2XN Base | 12.2XNA Base | 12.2XO Base | 12.2XQ Base | 12.2XR Base | 12.2XS Base | 12.2XT Base | 12.2XU Base | 12.2XV Base | 12.2XW Base | 12.2YA Base | 12.2YB Base | 12.2YC Base | 12.2YD Base | 12.2YE Base | 12.2YF Base | 12.2YG Base | 12.2YH Base | 12.2YJ Base | 12.2YK Base | 12.2YL Base | 12.2YM Base | 12.2YN Base | 12.2YO Base | 12.2YP Base | 12.2YQ Base | 12.2YR Base | 12.2YS Base | 12.2YT Base | 12.2YU Base | 12.2YV Base | 12.2YW Base | 12.2YX Base | 12.2YY Base | 12.2YZ Base | 12.2ZA Base | 12.2ZB Base | 12.2ZC Base | 12.2ZD Base | 12.2ZE Base | 12.2ZF Base | 12.2ZG Base | 12.2ZH Base | 12.2ZJ Base | 12.2ZL Base | 12.2ZP Base | 12.2ZU Base | 12.2ZX Base | 12.2ZY Base | 12.2ZYA Base | 12.3 Base, T | 12.3B Base | 12.3BC Base | 12.3BW Base | 12.3JA Base | 12.3JEA Base | 12.3JEB Base | 12.3JEC Base | 12.3JK Base | 12.3JL Base | 12.3JX Base | 12.3T Base | 12.3TPC Base | 12.3VA Base | 12.3XA Base | 12.3XB Base | 12.3XC Base | 12.3XD Base | 12.3XE Base | 12.3XF Base | 12.3XG Base | 12.3XI Base | 12.3XJ Base | 12.3XK Base | 12.3XL Base | 12.3XQ Base | 12.3XR Base | 12.3XS Base | 12.3XU Base | 12.3XW Base | 12.3XX Base | 12.3XY Base | 12.3XZ Base | 12.3YA Base | 12.3YD Base | 12.3YF Base | 12.3YG Base | 12.3YH Base | 12.3YI Base | 12.3YJ Base | 12.3YK Base | 12.3YM Base | 12.3YQ Base | 12.3YS Base | 12.3YT Base | 12.3YU Base | 12.3YX Base | 12.3YZ Base | 12.3ZA Base | 12.4 Base | 12.4JA Base | 12.4JDA Base | 12.4JK Base | 12.4JL Base | 12.4JMA Base | 12.4JMB Base | 12.4JX Base | 12.4MD Base | 12.4MR Base | 12.4SW Base | 12.4T Base | 12.4XA Base | 12.4XB Base | 12.4XC Base | 12.4XD Base | 12.4XE Base | 12.4XF Base | 12.4XG Base | 12.4XJ Base | 12.4XK Base | 12.4XL Base | 12.4XM Base | 12.4XN Base | 12.4XP Base | 12.4XQ Base | 12.4XR Base | 12.4XT Base | 12.4XV Base | 12.4XW Base | 12.4XY Base | 12.4XZ Base | 12.4YA Base | 12.4YB Base | 12.4YD Base | 12.4YE Base
Citrix Systems, Inc.
Citrix Access Gateway Enterprise Edition
7.0 Base | 8.0 Base | 8.1 Base | 9.0 Base | 9.1 Base
Citrix Systems, Inc.
NetScaler Application Delivery
7.0 Base | 8.0 Base | 8.1 Base | 9.0 Base | 9.1 Base
Citrix Systems, Inc.
NetScaler VPX
9.1 Base
McAfee
McAfee Email and Web Security Appliance Software
5.0 Base | 5.1 Base, Patch 1, Patch 2, Patch 3
Microsoft, Inc.
Windows 2000
Advanced Server Base, SP1, SP2, SP3, SP4, rev.2031, rev.2072, rev.2195 | Datacenter Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Home Edition Base, SP1, SP2, SP3 | Media Center Edition 2005, Base | Original Release Base, SP1 | Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP1, SP2 | Tablet PC Edition 2005, Base
Nortel Networks
Ethernet Routing Switch
2500 Base | 2526T Base | 2526-T-PWR Base | 2550-T Base | 2550-T-PWR Base | 4500 Base | 4524GT Base | 4524GT-PWR Base | 4526FX Base | 4526G-PWR Base | 4526GTX Base | 4526T Base | 4526T-PWR Base | 4548GT-PWR Base | 4550T Base | 4550T-PWR Base | 5000 Base | 5650TD Base | 5650TD-PWR Base | 5698TFD Base | 5698TFD-PWR Base
Nortel Networks
Ethernet Routing Switch 8600
3.7 .10, .8, .9 | 4.0 .1, .2, .2.1, .3.2
Nortel Networks
Secure Network Access
Identity Engines Ignition Server Base | Switch 4050 Base | Switch 4070 Base
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
