In a spring where alerts poured into mailboxes like April showers, one announcing major flaws in the Transmission Control Protocol got a lot of attention. Perhaps too much.
It's ho hum, according to some. But others say the "critical" TCP vulnerability affecting multiple vendors is somewhat severe at the carrier class level, according to an informal survey by SearchSecurity.com.
TCP underlies most Internet connections, including those between routing infrastructure, networked operating systems and network equipment. Products from Certicom, Check Point Software Technologies and Cisco Systems are among those vulnerable. The TCP injection vulnerability, combined with one in the Border Gateway Protocol, can allow a remote attacker to terminate network sessions. US-CERT says sustained exploitation could lead to a denial of service affecting large portions of the Internet.
Another, the TCP/IP Initial Sequence Number vulnerability, could allow data corruption, session hijacking or denial of service on Web sites and services that rely on constant TCP sessions. The UK National Infrastructure Security Coordination Centre says such session terminations "will affect the application layer, the nature and severity of the effects being dependent on the application layer protocol."
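To make the mechanism behind the reset flaw concrete, here is an added example (not from the article, nor any vendor's code) that models in Python the receiver-side check on an incoming RST: the classic rule accepts a RST that lands anywhere inside the receive window, while the hardened rule later standardized in RFC 5961 only resets on an exact sequence match and answers other in-window RSTs with a challenge ACK. The window and sequence values are constructed, and the rules are my summary of the RFCs, not text from the page.

```python
from dataclasses import dataclass

MOD = 2**32  # TCP sequence numbers wrap at 2^32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) with wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int            # next sequence number the receiver expects
    rcv_wnd: int            # receive window currently advertised
    established: bool = True


def rst_legacy(conn: Connection, seg_seq: int) -> str:
    """Original RFC 793 behaviour: any RST whose sequence number falls
    inside the receive window tears the connection down. With a large
    window, a blind sender needs far fewer than 2^32 guesses."""
    if in_window(seg_seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.established = False
        return "reset"
    return "dropped"


def rst_hardened(conn: Connection, seg_seq: int) -> str:
    """RFC 5961 behaviour: only an exact match on rcv_nxt resets. An
    in-window but inexact RST is answered with a challenge ACK (modelled
    here as a return value), which a blind sender never sees."""
    if seg_seq == conn.rcv_nxt:
        conn.established = False
        return "reset"
    if in_window(seg_seq, conn.rcv_nxt, conn.rcv_wnd):
        return "challenge-ack"
    return "dropped"


def legacy_windows_in_space(rcv_wnd: int) -> int:
    """Risk metric for the legacy rule: how many disjoint windows of this
    size tile the 2^32 sequence space, i.e. the worst-case number of
    distinct sequence values that must be tried to guarantee one lands
    in-window. Larger windows (carrier-class links) mean fewer."""
    return -(-MOD // rcv_wnd)  # ceil(2^32 / rcv_wnd)
```

Long-lived sessions such as BGP peerings are the ones the article's sources worry about, because they stay up for days and advertise large windows, which is exactly where the legacy rule is weakest.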
The survey found that opinions were divided about equally into thirds for categorizing the flaw as a low-level, moderate or critical threat.
But a considerable number of the 30 online respondents say the primary reason they'd give it a "low" ranking among vulnerabilities is because of the level of difficulty in exploiting the flaw.
"It's just a denial-of-service attack," said one respondent. And "it requires substantial effort on the attacker's part to attack even one target." Another reason: "Known about for years, most companies already had measures in place to counteract it."
However, those that ranked it as critical cited the widespread use of Cisco equipment in critical infrastructure, as well as a lack of cohesive response from numerous ISPs and lack of faith in ISP security measures.
Most respondents indicated that, if left unpatched, this vulnerability wouldn't have affected their systems adversely or would have done so only indirectly through an ISP. They cited filtering as an effective measure and categorized as "minor" such consequences as a denial of service to all Internet-facing traffic and dropped connections.
Part of the debate about the seriousness of the flaw centers around the belief that any router engineer should know how to protect against TCP flaws, which have been around for years.
"People have been killing and injecting into TCP streams for years," said one IT worker who answered the survey. "There is no excuse for routing engineers to overlook fundamentals or setting up a highly reliable and resilient network architecture," said another.
A third pointed out that best practices are key: "All software has flaws, you apply layers of security to protect your network. Security 101."
Despite the validity of those opinions, others say it leaves security to chance, particularly when "companies hire the least qualified people to save money."
TCP flaws are also more complicated to protect against than the average network issue. "Protecting against these flaws on Internet-connected systems requires coordination between different organizations -- like a corporation and an ISP -- and requires that one of the parties mandates the change or both parties agree there is a security problem worth fixing."
And the icing on their argument: Those who may be in the know about TCP flaws aren't the ones making the decisions. Said a respondent, "I'd say 80% to 90% of people maintaining critical equipment are not router engineers."