A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer), and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
This advisory is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-nonios, and it describes this vulnerability as it applies to Cisco products that do not run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that run Cisco IOS software is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-ios.
This section provides details on affected products.
Products which contain a TCP stack are susceptible to this vulnerability. All Cisco products and models are affected. The severity of the exposure depends upon the protocols and applications that utilize TCP.
In some cases the vulnerability lies in the underlying operating system. In these cases, we rely on the original OS vendor to provide the patch.
A non-exhaustive list of vulnerable non-IOS based Cisco products, with defect IDs and fixed releases, is given in the software table later in this advisory.
No other Cisco products are currently known to be affected by these vulnerabilities.
TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also carries a number, called the acknowledgement number, that indicates the sequence number of the next packet expected. The receiving TCP implementation accepts a packet only if its sequence number falls within a range that starts at the next expected sequence number; the size of that range is advertised by the receiver and is called the "window". The acknowledgement number of a packet with the reset (RST) flag set is not examined, because a reset does not expect a packet in return. The full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt .
According to the RFC793 specification, it is possible to reset an established TCP connection by sending a packet with the RST or synchronize (SYN) flag set. In order for this to occur, the 4-tuple must be known or guessed (source and destination IP address and ports) together with a sequence number. However, the sequence number does not have to be an exact match; it is sufficient to fall within the advertised window. This significantly decreases the effort required by an adversary: the larger the window, the easier it is to reset the connection. While source and destination IP addresses may be relatively easy to determine, the source TCP port must be guessed. The destination TCP port is usually known for all standard services (for example, 23 for Telnet, 80 for HTTP). Many operating systems (OSs) use predictable ephemeral ports for known services with a predictable increment (the next port which will be used for a subsequent connection). These values, while constant for a particular OS and protocol, do vary from one OS release to another.
Here is an example of a normal termination of a TCP session:
     Host(1)                              Host(2)
        |                                    |
        |                                    |
        |     ACK ack=1001, window=5000      |
        |<-----------------------------------|
        |                                    |  Host(1) is closing the session
        |     RST seq=1001                   |
        |----------------------------------->|
        |                                    |  Host(2) is closing the session
In addition, the following scenario is also permitted:
     Host(1)                              Host(2)
        |                                    |
        |                                    |
        |     ACK ack=1001, window=5000      |
        |<-----------------------------------|
        |                                    |  Host(1) is closing the session
        |     RST seq=4321                   |
        |----------------------------------->|
        |                                    |  Host(2) is closing the session

Note how the RST packet terminated the session although its sequence number was not the next expected one (1001). It was sufficient for the sequence number to fall within the advertised window: Host(2) was accepting sequence numbers from 1001 up to, but not including, 6001 (1001 + 5000), and 4321 is clearly within that range.
Cisco fixed this vulnerability in accordance with the IETF draft draft-ietf-tcpm-tcpsecure-02 (http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-02.txt), which was later published as RFC 5961. Under that approach an RST resets the connection only when its sequence number exactly matches the next expected one; an in-window RST that does not match is answered with an acknowledgement instead, which a blind attacker cannot see or respond to.
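The following Python example is added here to make the two acceptance rules concrete; it is not part of the Cisco advisory or of any Cisco code. It implements the RFC 793 in-window test with the values used in the diagrams above (next expected sequence number 1001, window 5000), the tcpsecure / RFC 5961 rule that resets only on an exact match and otherwise answers with a challenge ACK, and the resulting worst-case number of spoofed RST packets a blind attacker has to send. The function names and the assumed number of candidate source ports are illustrative.

```python
# Added example: RFC 793 in-window RST acceptance versus the exact-match
# rule of draft-ietf-tcpm-tcpsecure (later RFC 5961). Not Cisco code.

MOD = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a segment carrying no data:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32.
    With a zero window only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_accepted_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Behaviour described in the advisory: any in-window RST tears the
    connection down, so the attacker only has to land inside the window."""
    return seq_in_window(seq, rcv_nxt, rcv_wnd)


def rst_action_tcpsecure(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Hardened behaviour from tcpsecure / RFC 5961 section 3.2:
      SEG.SEQ == RCV.NXT       -> 'reset'         (connection is torn down)
      in window, not RCV.NXT   -> 'challenge-ack' (peer must answer with a
                                                   RST at exactly RCV.NXT)
      outside the window       -> 'drop'
    A blind attacker never sees the challenge ACK, so it cannot answer it."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def blind_rst_guesses(rcv_wnd: int, source_ports: int,
                      exact_match: bool = False) -> int:
    """Worst-case number of spoofed RST segments an off-path attacker must
    send to reset one connection whose addresses and destination port are
    known, trying `source_ports` candidate source ports (an assumed figure,
    see the lead-in). Under RFC 793 one probe per window position covers
    the whole sequence space; under the exact-match rule every one of the
    2**32 sequence numbers has to be tried for every candidate port."""
    if exact_match or rcv_wnd == 0:
        per_port = MOD
    else:
        per_port = -(-MOD // rcv_wnd)  # ceil(2**32 / rcv_wnd)
    return source_ports * per_port


if __name__ == "__main__":
    # The advisory's second diagram: Host(2) expects 1001, advertises a
    # window of 5000 and receives RST seq=4321.
    print("RFC 793   RST seq=4321:", rst_accepted_rfc793(4321, 1001, 5000))
    print("tcpsecure RST seq=4321:", rst_action_tcpsecure(4321, 1001, 5000))
    # Effort comparison for a 5000-byte window and 1024 candidate ephemeral
    # source ports (constructed figure, not taken from the advisory).
    print("guesses, RFC 793 rule   :", blind_rst_guesses(5000, 1024))
    print("guesses, exact-match    :", blind_rst_guesses(5000, 1024, True))
```

With a 5000-byte window the in-window rule lets one RST per window position cover the sequence space, so roughly 859,000 packets per candidate source port suffice; the exact-match rule pushes that back to 2^32 per port, which is the effort the attack was previously believed to require.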
As a general rule, all protocols where a TCP connection stays established for longer than one minute should be considered exposed.
The effectiveness of any workaround is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.
There are no workarounds that remove this vulnerability. Exposure to it can, however, be reduced by applying anti-spoofing measures at the edge of the network, because a blind attacker must forge the source address of the connection peer.
Enabling Unicast Reverse Path Forwarding (uRPF) drops, at the first uRPF-enabled device, packets whose source address is not reachable through the interface on which they arrive; spoofed packets entering from outside the network fail this check. uRPF requires Cisco Express Forwarding. To enable it, use the following commands, substituting the interface on which the check should be applied:

router(config)#ip cef
router(config)#interface <interface>
router(config-if)#ip verify unicast reverse-path
Please consult http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html and ftp://ftp-eng.cisco.com/cons/isp/security/URPF-ISP.pdf for further descriptions of how uRPF works and how to configure it in various scenarios. This is especially important if you are using asymmetric routing.
Access control lists (ACLs) should also be deployed as close to the edge as possible. Unlike uRPF, an ACL requires you to list explicitly the IP ranges that are permitted. Listing the addresses that should be blocked instead is not the optimal solution, because such a list tends to be harder to maintain.
Caution: In order for anti-spoofing measures to be effective, they must be deployed at least one hop away from the devices which are being protected. Ideally, they will be deployed at the network edge.
For all Cisco products that are based on a third party Operating System and when Cisco is not supplying the OS, please contact your respective vendor for the appropriate patches.
Be advised that Cisco released multiple advisories on 2004-April-20.
Product | Defect ID | Intended First Fixed Release
---|---|---
LAN Switching | |
Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000 | CSCed32349 | 6.4(13), 6.4(12.3), 7.6(8.6), 8.3(2.8), 8.3(3.4), 8.4(0.47)COC, 8.4(0.91)COC, 8.4(1.2)GLX, 8.4(2.1)GLX, 8.6(0.1)TAL, 8.6(0.21)TAL
Catalyst 1900 and 2820 | | 9.00.07, available on 2004-Apr-27
Catalyst 6500 Series SSL Services Module | CSCee35285 | 2.1(2)
Network Storage | |
Cisco MDS 9000 Family | CSCed27956, CSCed38527, CSCed65607 | 1.3(4a)
Cisco Channel Interface Processor (CIP) | CSCee35335 | 27-x and 28-x: no software available; date has not been determined yet.
Cisco SN5428 and SN5428-2 Storage Routers | CSCee36193 | 3.5(3)-K9
Unified Computing | |
Cisco Standalone rack server CIMC | CSCur03816 | No software available; date has not been determined yet.
Voice Products | |
VG248 Analog Phone Gateway | CSCsk45124 | No software available; date has not been determined yet.
WS-6624 analog station gateway module for the Catalyst 6500 | CSCee22691 | No software available; date has not been determined yet.
Windows-based CallManager | Fixed by http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx | Windows version 2000.2.7sr5 and later contain the fix
RedHat-based CallManager | Waiting on RedHat to provide the fix | No software available; date has not been determined yet.
Wireless Products | |
Cisco Aironet Access Point 340, 350, 1200 Series (only VxWorks-based) | CSCee22526 | No software available; date has not been determined yet. Customers are encouraged to migrate to IOS.
Security Products | |
Cisco Intrusion Detection System (IDS) | CSCee33732 | 5.0 (no software available; date has not been determined yet)
Cisco Firewall Services Module for Cisco Catalyst 6500 and 7600 Series (FWSM) | CSCee07453 | 1.1(3.17); contact TAC
Cisco PIX Firewall | CSCed31689, CSCed91445, CSCed70062, CSCed91726 | 6.1.5(104), 6.2.3(110), and 6.3.3(133); contact TAC
Content Networking | |
Cisco CSS11500 Family | CSCee06117 (SSL termination) | 07.30(00.09)S, 07.20(03.10)S, 07.30(00.08)S, 07.10(05.07)S, 07.20(03.09)S, 07.30(1.06), 07.20(4.05)
Cisco CSS11000 and CSS11500 Family | CSCee39336 (TCP management connections) | 07.30(01.02), 07.30(01.06), 07.20(04.05), 05.00(05.05)S, 06.10(03.10)S
Cisco Content Switching Module (CSM) | CSCee33252 | 4.1(2), available 2004-Jun; for 3.x releases contact TAC
Cisco ACNS | CSCee37496 | No software available; date has not been determined yet.
Cisco 11000 Series Secure Content Accelerator (SCA) | CSCee49634 | No software available; date has not been determined yet.
Cisco LocalDirector | CSCee08921 | 4.2(1), 4.2(2), 4.2(3), 4.2(4), 4.2(5), 4.2(6)
Optical Products | |
Cisco ONS 15327, 15454 and 15454SDH Optical Transport Platform | CSCed73026 | R4.14, available 2004-Apr-27; future releases R4.62, R2.35
Cisco ONS 15501 Optical Transport Platform | CSCee41687 | No software available; date has not been determined yet.
Cisco ONS 15600 Optical Transport Platform | CSCed73026 | Future release R5.0
WAN Switching | |
MGX 8850, MGX 8830, MGX 8950 | CSCee34615 | 4.0.17, 5.1.20, 5.2.00
SES | CSCee34615 | 4.0.X: no software available; date has not been determined yet.
MGX 8230, MGX 8250 | CSCee34620 | 1.2.23, 1.3.11
MGX 8220 | CSCee34624 | No fixed software planned. This product reached End-of-Support; customers are recommended to upgrade to MGX 8230 or MGX 8250 models (http://www.cisco.com/en/US/products/hw/switches/ps1925/prod_eol_notice09186a00800a445d.html).
BPX 8600, IGX 8400 | CSCee34625 | 9.3.51, 9.4.12
VPN Concentrators | |
VPN 3000 Series Concentrators | CSCsc28894 | 04.7.02.C, 4.1.7.K
This vulnerability was presented at a public conference (CanSecWest 2004). The Cisco PSIRT is not aware of malicious use of the vulnerability described in this advisory.
The exploitation of the vulnerability with packets having RST flag set (reset packets) was discovered by Paul (Tony) Watson of OSVDB.org. The extension of the attack vector to packets with SYN flag set and data injection was discovered by the vendors cooperating on the resolution of this issue.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision | Date | Description
---|---|---
Revision 2.10 | 2014-October-23 | Added CSCur03816, Cisco Standalone rack server CIMC.
Revision 2.9 | 2008-January-08 | Removed CSCee07451 and CSCee07450 as Cisco FWSM itself is not affected. Added fixed software releases for the following MGX models: 8230, 8250, 8830, 8850 and 8950. MGX 8220 reached End-of-Support. Added fixed software releases for BPX 8600 and IGX 8400.
Revision 2.8 | 2007-October-04 | Added information for VG248.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.