Posted by: Samker
« on: 09. September 2009., 07:38:40 »Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.
The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.
"This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own," Lee told The Register. "This really is good progress from both Microsoft and Cisco."
On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee: http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected: http://support.microsoft.com/kb/974288/
The update from Microsoft came during the company's Patch Tuesday, in which it fixed a total of eight security vulnerabilities in various versions of its Windows operating system. In all, Microsoft issued five patches, which change the way Windows processes javascript, MP3 audio files and wireless signals. As always, the Sans Institute provides a helpful overview here: http://isc.sans.org/diary.html
Cisco issued it's own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive: http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml
"By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases," the bulletin stated. "With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system."
Several other companies issued their own advisories concerning the vulnerability, according to this advisory from the Computer Emergency Response Team in Finland: https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
Security firm Check Point Software said it was updating several security gateway products: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_dogoviewsolutiondetails=&solutionid=sk42723
Linux distributor Red Hat, meanwhile, stopped short of issuing a fix, but offered this workaround: http://kbase.redhat.com/faq/docs/DOC-18730
The industry wide advisories are designed to address a design flaw in a core internet protocol. Louis and Lee discovered it in 2005 and kept it secret last year. The researchers have provided few public details about how to exploit the bug to prevent it from being targeted in real-world attacks. Now that fixes are being released, he plans to write several blog posts in the coming weeks that for the first time will publicly reveal how attacks are carried out.
The vulnerability is unusual in that it causes a server or router to stop working with relatively modest amounts of malformed traffic. What's more, the disruption lasts even after the malicious assault has ended. In many cases, the only way to repair a disabled device is to restart it, a remedy that's not suitable in most data centers.
Not all industry players agree on the severity of the flaw. Researchers from router maker Juniper Networks said they "found no unexpected or adverse impact to our equipment which is different from other types of TCP Denial of Service." VMware and Clavister said none of their products are vulnerable, either.
Lee cautioned that many companies are wrong when they claim their products are unaffected by the DoS vulnerabilities. In particular, he said Juniper's insistence that its products aren't vulnerable "means the guys at Juniper didn't get it." He went on to say: "I'm reasonably certain they're absolutely vulnerable."
Juniper officials weren't immediately available for comment. This article will be updated if they can be reached.
(Register)