TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

On September 8, 2009, the Cisco Product Security Incident Response Team (PSIRT) published one important vulnerability advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products.

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Multiple Cisco products are affected by DoS vulnerabilities in the TCP protocol. By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases. With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system. A system reboot may be required to restore full system functionality. A full TCP three-way handshake is required to exploit these vulnerabilities.

Network devices are not directly impacted by TCP state manipulation DoS attacks transiting a device; however, network devices that maintain the state of TCP connections may be impacted. If the attacker can establish enough TCP connections through a transit device that maintains TCP state, device resources may be exhausted and prevent the device from processing new TCP connections, resulting in a DoS condition. If an affected device that forwards traffic (that is, routes) in a network is the target of a TCP state manipulation attack, the attacker could cause a network-impacting DoS condition.

Successful exploitation of the TCP state manipulation vulnerabilities may result in a DoS condition where new TCP connections are not accepted on an affected system. Repeated exploitation may result in a sustained DoS condition. A reboot may be required to recover affected systems. In addition, Cisco Nexus 5000 systems may crash upon receiving a specific sequence of TCP packets.
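The advisory describes the exhaustion pattern from the defender's side: many connections that completed the three-way handshake and then sit in a long-lived state, tying up buffers and table entries. The following is an added monitoring example (not Cisco code, and not a parser for any Cisco CLI output); it reads a constructed, generic connection-table format of the form `local remote state age_seconds recv_window`, and flags remote peers that hold an unusual number of long-lived ESTABLISHED connections with a near-zero advertised receive window, along with the share of a port's connection capacity those connections consume. The thresholds (`min_age`, `max_window`, `per_source_threshold`, `capacity`) are assumptions to be tuned per device.

```python
"""Detect TCP connection-exhaustion patterns in a connection-table snapshot.

Added example for the advisory summary above. It is not Cisco code and does
not parse a Cisco CLI format: input lines use a constructed generic format
    <local_ip:port> <remote_ip:port> <state> <age_seconds> <recv_window>
so that the logic runs offline on embedded sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    local: str
    remote: str
    state: str
    age: int      # seconds since the connection reached its current state
    window: int   # receive window last advertised by the remote peer


def parse_table(text):
    """Parse the constructed table format; skip comments and malformed lines."""
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 5:
            continue
        local, remote, state, age, window = parts
        conns.append(Conn(local, remote, state, int(age), int(window)))
    return conns


def stuck_connections(conns, min_age=300, max_window=64):
    """Connections that completed the handshake and then stalled: ESTABLISHED,
    older than min_age seconds, with the peer advertising a tiny window."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.age >= min_age and c.window <= max_window]


def suspicious_sources(conns, per_source_threshold=20, **thresholds):
    """Map remote IP -> number of stuck connections, for peers over the threshold."""
    counts = defaultdict(int)
    for c in stuck_connections(conns, **thresholds):
        ip = c.remote.rsplit(":", 1)[0]
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= per_source_threshold}


def port_exhaustion_ratio(conns, local_port, capacity, **thresholds):
    """Fraction of an assumed per-port connection capacity held by stuck
    connections on that port (1.0 means no new connections can be accepted)."""
    held = sum(1 for c in stuck_connections(conns, **thresholds)
               if int(c.local.rsplit(":", 1)[1]) == local_port)
    return held / capacity


# Constructed sample: 25 stalled web connections from one peer, plus normal
# traffic (a fresh HTTP session, a healthy long SSH session, one in TIME_WAIT).
SAMPLE = "\n".join(
    ["# local remote state age window"]
    + [f"192.0.2.10:80 198.51.100.7:{40000 + i} ESTABLISHED 900 0" for i in range(25)]
    + ["192.0.2.10:80 203.0.113.5:51234 ESTABLISHED 12 65535",
       "192.0.2.10:22 203.0.113.9:50001 ESTABLISHED 3600 29200",
       "192.0.2.10:80 203.0.113.6:51300 TIME_WAIT 30 0"]
)

if __name__ == "__main__":
    table = parse_table(SAMPLE)
    print("stuck sources:", suspicious_sources(table))
    print("port 80 exhaustion:", port_exhaustion_ratio(table, 80, capacity=100))
```

Run periodically against a snapshot of the device's connection table, the per-source count gives an early signal of the condition the advisory describes (resources consumed by handshake-completed connections that never progress), and the exhaustion ratio shows how close a listening port is to refusing new connections, which is the point at which the advisory says a reboot may become necessary.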