CERT-FI Statement on the Outpost24 TCP Issues
Sourced from: https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
Version Information
CERT-FI Reference: FICORA #193744
CVE Reference: CVE-2008-4609
Release Date: 02 October 2008 14:00 UTC
Last Revision: 23 March 2009
Version Number: 1.2
Summary
CERT-FI has been informed of possible weaknesses in TCP implementations by Outpost24. CERT-FI has been co-ordinating the remediation efforts regarding possible vulnerabilities together with Outpost24 and a number of software and hardware vendors since October 2008.
Work on determining the scope and impact of the vulnerability has now been largely completed. Several vendors are currently in various phases of the patch development process and have also documented various workarounds and mitigating factors. Judging by the current progress, CERT-FI is confident that functional fixes to mitigate the threat can be expected to be released during this year.
The specifics of the weaknesses have not been made public. CERT-FI has shared the information with a select set of vendors to help facilitate their investigation and remediation process. However, the following characteristics have been publicly acknowledged:
- The weaknesses can be exploited to induce a denial of service condition on the TCP connection queue of a target host.
- The weaknesses can be exploited using relatively small amounts of traffic.
- In some test scenarios, specific implementations have been found to suffer from long-lasting or permanent effects.
- Exploiting the weaknesses requires the successful completion of a three-way handshake. Thus, the threat can be effectively mitigated by source address level filtering.
In February 2009, CPNI of the UK published a thorough security assessment of the TCP protocol, which presents a number of TCP vulnerabilities and mitigation advice. The report can be downloaded at http://www.cpni.gov.uk/Products/technicalnotes/Feb-09-security-assessment-TCP.aspx
Coordination Developments
Oct 17 2008. The TCP issue reported by Outpost24 is being coordinated by CERT-FI. We are in the process of determining the impact of the techniques and principles described by the reporters of the issue. We are researching and handling the issue with several vendors from all potentially affected branches of network equipment and software. Once we are fully aware of what types of network equipment and services are most likely to be affected, we will make more vendor contacts. Based on previous experience from similar coordination projects, we estimate that the full publication of the details of the issue may take until next year. CERT-FI will publish more information on the developments of the issue coordination as the coordination progresses.
March 23 2009. Discussions have been ongoing with a number of vendors, and several of them are currently in various phases of the patch development process. Judging by the current progress, CERT-FI is confident that functional fixes to mitigate the risk can be expected to be released during this year.
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email: vulncoord@ficora.fi
Please quote the advisory reference in the subject line.
Telephone: +358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax: +358 9 6966 515
Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html
Version History
Oct 2 2008: Initial publication (1.0)
Oct 17 2008: Added the Coordination Developments section and an entry on the situation on Oct 17th. (1.1)
March 23 2009: Updated the status of the coordination process (1.2)
