TCP Reset Spoofing a serious flaw with routers: Protect yourself

See how a well-known flaw called "TCP Reset Spoofing" has been discovered to be a lot more dangerous than security experts originally thought.

A critical flaw in TCP has been discovered, and vendors have been rushing to get fixes in place. The threat involves what are known as reset attacks. The flaw, which is sometimes called "TCP Reset Spoofing," is not totally new, but the latest research shows that the vulnerability may be far easier to trigger than previously thought.

The attack vector is actually well known but, like many cryptographic hacks, it was thought to be so difficult to implement that it hasn't been considered a serious threat. The problem now is that TCP resets can be initiated not just by using the exact sequence number used on the TCP connection, but also by coming "close." As a SANS report states, "by simply landing somewhere in the current TCP window, the RST will succeed." The threat analysis done previously apparently hadn't included this information in weighing the level of threat.

This is very serious since TCP is the transport layer protocol used in TCP/IP, which underlies all Internet and most private networks by providing the core data stream verification and routing technology. Among many other things, TCP manages the reassembly of packets that can, of course, arrive via many different physical routes, and often not in the original transmission sequence.

TCP creates an acknowledgement number that tells the intended recipient how to arrange the packets in the correct sequence. As a security feature, packets whose acknowledgement identifier number does not fall within a certain range are rejected simply because they don't appear to be part of that particular data stream. The problem arises because the RFC 793 specification allows a current TCP session to be terminated upon receipt of a legitimate reset (RST) flag or synchronize (SYN) flag. TCP determines authenticity by looking at the identifier number of the RST or SYN message. New information indicates that it is much easier to guess a number than previously thought, and that number, when combined with a source and destination IP address, will cause the TCP session to terminate abnormally.

Of course, the source and destination IP addresses are often simple to determine, and TCP ports are easy to find for any standard service. It also turns out that many programs, such as Cisco IOS software (see the Cisco BugTraq report), also use port values that can be predicted.
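
To make the window point concrete, here is an added Python example (not from the article or from any vendor advisory) that models the receiver's RST sequence check. The function names and window sizes are assumptions introduced here, and the stricter handling shown for comparison is the one later standardized in RFC 5961, which the article does not discuss.

```python
# Added example: receiver-side model of the RST sequence check.
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a zero-length segment such as a RST."""
    if rcv_wnd == 0:
        # With a closed window only the exact next expected number is acceptable.
        return seg_seq == rcv_nxt
    # RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32.
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rfc793_rst_action(seg_seq, rcv_nxt, rcv_wnd):
    """Original behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def strict_rst_action(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 5961 behaviour: reset only on an exact match, otherwise challenge."""
    if seg_seq == rcv_nxt:
        return "reset"
    return "challenge-ack" if in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def acceptable_fraction(rcv_wnd, strict=False):
    """Share of the 32-bit sequence space that a RST may carry and still reset."""
    accepted = 1 if (strict or rcv_wnd == 0) else rcv_wnd
    return accepted / SEQ_SPACE


def exposure_bound(rcv_wnd, candidate_ports=1):
    """Segments needed to tile the sequence space one window apart, per
    candidate source port: the bound a defender uses to rate exposure."""
    return -(-SEQ_SPACE // max(rcv_wnd, 1)) * candidate_ports


if __name__ == "__main__":
    # Constructed window sizes, chosen only to show how the bound scales.
    for wnd in (4096, 16384, 65535):
        print(wnd, exposure_bound(wnd), f"{acceptable_fraction(wnd):.2e}")
```

The larger the advertised window and the more predictable the source port, the smaller the bound, which is why long-lived sessions with large windows are the ones the advisories single out.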

This increased TCP vulnerability was initially reported by NISCC, the UK-based National Infrastructure Security Co-Ordination Centre. A report in CNET further discusses this issue.

The BugTraq report states, "As a general rule, all protocols where a TCP connection stays established for longer than one minute should be considered exposed."

The list of software known to be affected by this is huge. The following is a brief summary of the list posted by Symantec:
  • Check Point Software Firewall-1 and VPN-1
  • Cray UNICOS
  • A Cisco BugTraq report simply states that all products with a TCP stack are vulnerable, but further down in the report is a long list of known vulnerable versions

In a strong debut effort, the Open Source Vulnerability Database lists the following as being vulnerable:
  • Cisco IOS—all versions
  • Microsoft Windows—all versions
  • Linux—all versions
  • Nokia IPSO—all versions
  • Hewlett-Packard HP-UX—all versions
  • Juniper Router—all versions
  • Check Point FireWall-1 prior to R55 HFA-03
  • Cray UNICOS—all versions
  • Internet Security Systems Proventia M Series 1.5
  • NetBSD versions prior to April 22, 2004 are also vulnerable to the TCP threat

Risk level—Uncertain, possibly serious to extreme
This is a critical threat to almost the entire Internet infrastructure if it can be exploited easily. My research makes it appear that this is probably not going to prove to be a big threat, but that's mostly because a lot of the big players such as Cisco are working quickly to plug this hole.

Left unpatched, this definitely would have quickly become a critical threat. For example, according to Cisco, breaking Border Gateway Protocol (BGP) sessions several times over a short interval could cause affected routes to be removed from the routing table for 45 minutes (default time) because it triggers something called BGP route dampening, which is intended to block a temporarily bad path. That would have had negative repercussions on the Internet, which relies on a lot of Cisco routers that use BGP.

Mitigating factors
Cisco indicates that this only affects the terminal end of a transmission. It doesn't affect any hardware that merely passes packets of data.

Fix—Apply patches if available
A complete fix would require the replacement of the router's operating system (the IOS in Cisco's case). A workaround that will eliminate or greatly reduce the threat from this vulnerability is to enable MD5 checksums on BGP sessions so peers can ignore spoofed TCP resets (RFC 2385—"Protection of BGP Sessions via the TCP MD5 Signature Option"). Not all operating environments support RFC 2385.
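
How an RFC 2385 signature lets a peer discard a forged reset, shown as an added Python example that is not from the article or from Cisco. The helper names, addresses, ports, sequence numbers and key are constructed for illustration, and option parsing is reduced to passing the 16-byte digest in directly.

```python
import hashlib
import hmac
import socket
import struct

RST = 0x04


def build_header(sport, dport, seq, ack, flags, window=0, offset_words=10):
    """Fixed 20-byte TCP header. offset_words=10 leaves room for the 18-byte
    MD5 option (kind 19) plus two bytes of padding; checksum is left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header20, payload, key):
    """RFC 2385 digest: pseudo-header, header without options (checksum
    zeroed), segment data, then the shared key."""
    seg_len = (header20[12] >> 4) * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = header20[:16] + b"\x00\x00" + header20[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def accept_segment(src_ip, dst_ip, header20, payload, option_digest, key):
    """Receiver side: drop segments with a missing or non-matching signature."""
    if option_digest is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header20, payload, key)
    return hmac.compare_digest(expected, option_digest)


# Constructed sample values (documentation addresses, made-up key).
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"
KEY = b"constructed-example-key"
rst = build_header(49152, 179, 123456789, 0, RST)
signed = tcp_md5_digest(PEER_A, PEER_B, rst, b"", KEY)

if __name__ == "__main__":
    print("signed RST accepted:", accept_segment(PEER_A, PEER_B, rst, b"", signed, KEY))
    print("unsigned RST accepted:", accept_segment(PEER_A, PEER_B, rst, b"", None, KEY))
```

With the option enabled on both peers, a reset that lands in the window is still dropped unless its digest was computed with the shared key.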

The Open Source Vulnerability Database reports:

Final word
This threat is especially dangerous for Cisco routers. In fact, Cisco is now rivaling Microsoft for the number of new problems reported on a regular basis. Is this because Cisco products are all of a sudden full of vulnerabilities? No. The surge of reports may indicate that hackers are identifying more threats on Cisco devices because they are shifting some of their focus away from Windows, which is becoming harder to exploit with all the security attention it's getting these days.

Also watch out for …
  • There is also a report about another Cisco security issue, this one in the VPN3000 Concentrator.
  • Eugene Spafford and Cynthia Irvine of the Naval Postgraduate School have released a report saying that Linux is not suitable for top security applications such as military hardware or weapons control. What makes this report less than useful is the fact that they also give Windows and Solaris failing grades, leaving the obvious question—so, what do we use? They don't mention UNIX as being any more secure. Read this report for more information.
  • Malware attacks are just getting worse. A look at just April 20-21, 2004 shows four elevated threats (Netsky.Z, Blaster.T, Mydoom.J, and Opassa) and two serious threats (Netsky.X and Netsky.Y) discovered by Symantec on just those two days.
  • As I alluded to earlier in this column, the Open Source Vulnerability Database, which strives to list all Internet vulnerabilities, has now gone live online. This massive and welcome open source project was initially undertaken by a group of security specialists about two years ago. Unlike Mitre's CVE, which is only intended to provide a unique identifier for every new exploit, the OSVD includes a lot of details regarding all the included vulnerabilities.
