
                                                   JPCERT-AT-2009-0019
                                                             JPCERT/CC
                                                            2009-09-09

                  <<< JPCERT/CC Alert 2009-09-09 >>>

            Multiple vulnerabilities exist in wide range of
                      TCP stack implementations

         https://www.jpcert.or.jp/english/at/2009/at090019.txt


I. Overview

  Multiple vendors' TCP protocol stack implementations are vulnerable
to packets transmitted with manipulated contents such as TCP window
sizes.  An attacker using such techniques may be able to cause a
denial of service condition on a targeted system.

  As of 9 September 2009, JPCERT/CC has not observed the exploitation
of these vulnerabilities in the wild.  However, tools making use of
this vulnerability have already been made public.  For this reason,
special measures should be taken to apply updates to vulnerable
systems or take alternative countermeasures, particularly for those
systems which are externally facing.

II. Products affected

  Multiple networking devices and operating systems are affected by
this vulnerability.  Several vendors such as Cisco, Microsoft and
Redhat have already provided information to their customers concerning
this issue.  It is expected that the number of products similarly
affected will increase.

  For more detailed information, please consult the following
references.  For systems and products not listed below, please consult
the manufacturer directly.

  Check Point response to Sockstress TCP DoS attacks (CVE-2008-4609)
  https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42723

  Cisco Security Advisory
  TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
  http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

  Microsoft Security Bulletin MS09-048 - Critical
  Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
  http://www.microsoft.com/japan/technet/security/bulletin/ms09-048.mspx

  Red Hat Knowledgebase
  Does CVE-2008-4609 affect Red Hat Enterprise Linux?
  http://kbase.redhat.com/faq/docs/DOC-18730


III. Solution

  It is recommended that affected sites apply vendor supplied patches.
Please consult CERT-FI's original advisory as well as vendor-provided
information for more details.

  If patches are not available or installing patches in the short term
is difficult, please consider using packet filtering or firewalls to
block suspicious connections potentially exploiting this vulnerability
against your systems.  Please consult Red Hat's Knowledgebase article
for an example of how this may be done.

IV. References

  CERT-FI - CERT-FI Advisory on the Outpost24 TCP Issues
  https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html

If you have any further questions or information regarding this alert,
please contact JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/