A critical vulnerability, affecting multiple vendors, has been identified in the Transmission Control Protocol (TCP) used for Internet connections. It mainly affects routing infrastructure, including networked operating systems and network equipment. However, experts say the problem is being corrected and isn't that big of a deal.
"It is a design flaw of TCP, so it is as old as the Internet," said Alan Paller, director of the Bethesda, Md.-based SANS Institute. "The folks at the core have been fixing their systems for about four weeks. For me, the bottom line is that the sky is not falling."
The TCP injection vulnerability, combined with a vulnerability in the Border Gateway Protocol, can allow a remote attacker to terminate network sessions. US-CERT said sustained exploitation could lead to a denial of service, affecting large portions of the Internet. Routing operations would recover quickly after such attacks ended, US-CERT said.
Another flaw, the TCP/IP Initial Sequence Number vulnerability, could allow Web sites and services that rely on constant TCP sessions to be attacked and suffer from data corruption, session hijacking or denial-of-service. According to the UK National Infrastructure Security Coordination Centre, such session terminations "will affect the application layer, the nature and severity of the effects being dependent on the application layer protocol. The primary dependency is on the duration of the TCP connection, with a further dependency on knowledge of the network (IP) addresses of the end points of the TCP connection."
Products from Certicom, Check Point Software Technologies and Cisco Systems are among those vulnerable to the flaws. More information on specific vendors can be found here.
"Any router engineer has known about these issues for years and should know how to protect against them," James H. Edwards, a routing and security administrator at Internet at Cyber Mesa in New Mexico, said in a posting to the Full-Disclosure security mailing list. "There is really nothing new here, but I hope this big press blowup will force more engineers to do what they already should have done a long time ago."
A TCP/IP Initial Sequence Number vulnerability identified in 2001 is just one example of how an attacker could inject TCP packets into a session. An attacker sending a reset packet, for example, could cause the TCP session between two endpoints to terminate without any further communication.
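To show, from the receiver's side, why an injected reset can tear down a session and how much of the sequence space a receiver exposes, the following added example (not code from the article or any vendor) models a TCP endpoint's RST handling: the classic RFC 793 rule, which accepts any RST whose sequence number falls inside the receive window, next to the tightened RFC 5961 rule, which accepts only an exact match on RCV.NXT and answers anything else in-window with a challenge ACK. The connection names, window sizes and sequence numbers are constructed sample values.

```python
# Added example (not from the article): toy model of a TCP receiver's
# decision on an incoming RST segment. RFC 793 accepts any in-window RST;
# RFC 5961 (a later hardening) accepts only seq == RCV.NXT and sends a
# challenge ACK for other in-window RSTs. All values below are constructed.
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int              # next sequence number the receiver expects
    rcv_wnd: int              # advertised receive window in bytes
    strict_rst: bool = False  # False: RFC 793 rule, True: RFC 5961 rule
    state: str = "ESTABLISHED"
    challenge_acks: int = 0   # in-window but inexact RSTs that were challenged

    def on_rst(self, seg_seq: int) -> str:
        """Process a RST segment and return the resulting connection state."""
        if self.state != "ESTABLISHED":
            return self.state
        if not in_window(seg_seq, self.rcv_nxt, self.rcv_wnd):
            return self.state            # out-of-window RST: dropped silently
        if self.strict_rst and seg_seq != self.rcv_nxt:
            self.challenge_acks += 1     # challenge ACK instead of closing
            return self.state
        self.state = "CLOSED"            # RST accepted: session torn down
        return self.state


def accepted_fraction(rcv_wnd: int, strict_rst: bool) -> float:
    """Share of the 32-bit sequence space for which a single RST would be
    accepted: a defender's measure of exposure to a blind reset."""
    accepted = 1 if strict_rst else rcv_wnd
    return accepted / SEQ_SPACE


if __name__ == "__main__":
    for wnd in (16384, 65535, 2 ** 20):
        for strict in (False, True):
            print(f"window={wnd:>8} strict={strict!s:5} "
                  f"accepted fraction={accepted_fraction(wnd, strict):.3e}")
```

Larger advertised windows widen the accepted range under the RFC 793 rule, which is why window size drives the severity described in the article; the strict rule makes that range a single value regardless of window size.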
But a spokesman at Atlanta-based Internet Security Systems said it considers "network infrastructure providers and enterprises' internal networks to be the most vulnerable to potential denial-of-service/distributed denial-of-service attacks that can cause significant outages and downtime to users and customers."
Experts recommend immediately applying patches issued by affected vendors. Workarounds include: ingress and egress filtering; prohibiting externally initiated inbound connections to non-authorized services and preventing machines providing public services from initiating outbound connections to the Internet; deploying and using cryptographically secure protocols, such as IPSec; and network isolation. Specific details on these recommendations can be found here.