Cisco Warns of TCP Timestamp Flaw

Another security hole in the Transmission Control Protocol (TCP) has been uncovered, this time relating to the protocol's timestamps option.
The problem opens the possibility of denial of service (DOS) attacks, where the vulnerability can be used to trigger repeated resets, paralyzing the switch or router in question and possibly leaving it vulnerable to further security breaches. Several similar holes in TCP have been found, including one that got lots of publicity in April (see Industry Mobilizes on Latest TCP Flaw).
Cisco Systems Inc. (Nasdaq: CSCO) reported the flaw on its Website yesterday, as is the company's policy. Because the problem appears to be inherent to certain TCP implementations, it's likely other firms' products are vulnerable as well -- although it's worth noting that timestamps are an option and that, judging from Cisco's wording, not all timestamp implementations are affected.
Cisco's IOS, subject of many a DOS vulnerability alert, is not affected.
Rather, the problem can be exploited in Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system, which runs on products including Cisco Call Manager and Cisco MeetingPlace. Other Cisco boxes affected include the SN5400 series of storage routers, the AP350 and AP1200 lines of access points, the MGX family of WAN switches, and the CSS11000 series of content services switches.
The flaw allows the TCP timestamp function to be misused by "specifically crafted packets" to stall a TCP session until it is reset, according to the Cisco alert. Neighboring TCP sessions aren't affected. The trick only works if the attacker knows the IP address and TCP port number at the source and destination of the session.
Cisco's report can be found at www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml.
— Craig Matsumoto, Senior Editor, Light Reading