VRDA Feed by JPCERT/CC
Vulnerability Response Decision Assistance Feed: structured data delivery of information for vulnerability threat analysis
Analyzed vulnerability information (revision number: 1)
VRDA-090909-001     ( sk42723 | sk42725 | cisco-sa-20090908-tcp24 | CVE-2008-4609 | MS09-048 | MS09-048 | 18730 )
CERT-FI Advisory on the Outpost24 TCP Issues
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html

The vulnerabilities described in this advisory can potentially affect systems and applications that run an implementation of TCP protocol (RFC793 et al.). The issues were found by the Sockstress tool developed by Outpost24.




About this information
Analysis provided by:
JPCERT/CC
First published:
2009-09-09
Category of analyzed vulnerability information:
Advisory / alert
Last updated:
2009-09-09




Identifier of affected products
lapt:/t::tcp
 


Vulnerability analysis
[Reliability of information used in analysis]
(label missing)
(label missing)
X (label missing)

[Magnitude of impact]
(label missing)
Small to medium
X Medium to large
(label missing)

[Attack vector]
Physical access
On the local machine
On the same network segment
X Via the Internet

[Authentication level]
Administrator account
Ordinary user account
Free account
X Not required

[User involvement required for a successful attack]
Complex
Simple
X Not required

[Attack difficulty]
(label missing)
Medium to high
Low to medium
(label missing)

[Availability of countermeasures]
X Official patch available
Official workaround available
Unofficial workaround or patch available
None

[Incident activity status]
No activity
X Exploit/PoC available
Activity observed

Related information
Check Point Support Search sk42723 Check Point response to Sockstress TCP DoS attacks
On October 02, 2008 CERT-FI has published an advisory about an attack tool called Sockstress which exploits design flaws in the TCP protocol. A successful Sockstress attack may cause damage ranging from denying TCP connectivity to the target to an exhaustion of kernel memory that may lead to a system panic. The actual effect depends on the amount of RAM on the target machine and implementation details of the TCP/IP stack. Many TCP/IP implementations are vulnerable.




Check Point Support Search sk42725 Check Point response to Phrack article "Exploiting TCP Persist Timer Infiniteness"
Phrack issue 66 includes an article Exploiting TCP Persist Timer Infiniteness. This article describes nkiller2, a DoS attack tool against TCP servers. In this technique, the attacker opens TCP connections and sets the TCP window size to zero after connection establishment. By acknowledging the TCP window probes sent by the victim, the attacker may keep the TCP connection in this state indefinitely, or until the application under attack times out. This attack exploits RFC-compliant behavior of the TCP persist timer, and many TCP implementations are likely to be vulnerable to it.




Cisco Security Advisory cisco-sa-20090908-tcp24 TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.




Common Vulnerabilities and Exposures (CVE) CVE-2008-4609
The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.




Security Research & Defense MS09-048 Assessing the risk of the September Critical security bulletins
Next up is MS09-048 addressing vulnerabilities in the TCP/IP stack implementation. To hit the vulnerable code, an attacker must flood a victim with specially-crafted TCP/IP packets inducing one of two denial-of-service outcomes:
* System runs out of non-paged pool memory (CVE-2008-4609 and CVE-2009-1926)
* System incorrectly handles the hash value of a connection, crashing in kernel-mode code leading to a reboot / blue-screen-of-death (CVE-2009-1925)




Microsoft Security Bulletin MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. These vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the organization's network perimeter. As a best practice, it is recommended that systems connected to the Internet have a minimal number of ports exposed.




Red Hat Knowledgebase 18730 Does CVE-2008-4609 affect Red Hat Enterprise Linux?
Denial of service flaws in the way TCP connections are handled have been disclosed by Robert E. Lee and the late Jack C. Louis of Outpost24 AB. These flaws allow an attacker to create crafted TCP connections, which can eventually exhaust the receiver's system resources and lead to a denial of service. These flaws are assigned CVE-2008-4609 (Red Hat Bugzilla bug 465932). Details of the attacks are described in the CERT-FI advisory.
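As an added example (not from the JPCERT/CC feed, Check Point, Cisco or any other source quoted above), the following offline Python model shows the persist-timer behaviour that the Phrack and Cisco entries describe: a peer that advertises a zero window and acknowledges every window probe keeps an RFC-compliant server probing indefinitely, while a stack that bounds the time a connection may spend in zero-window state reaps it and frees the resources. The peer count, timings and the 60-second budget are constructed assumptions, not values taken from any vendor's fix.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conn:
    window: int
    zero_since: Optional[float] = None  # time the peer's window first hit zero
    probes: int = 0                     # window probes sent on this connection
    state: str = "ESTABLISHED"

class Server:
    """Per-connection persist-timer bookkeeping; no real sockets involved."""
    def __init__(self, zero_window_budget=None):
        # None models RFC-compliant behaviour: probe for as long as the peer
        # keeps ACKing. A number is the hardened policy: abort after that many
        # seconds in zero-window state (the 60 s used below is an assumption).
        self.budget = zero_window_budget
        self.conns = {}

    def on_ack(self, peer, window, now):
        c = self.conns.setdefault(peer, Conn(window))
        c.window = window
        if window == 0:
            if c.zero_since is None:
                c.zero_since = now
        else:
            c.zero_since = None  # peer opened its window: persist state ends

    def tick(self, now):
        """Persist timer fires: send a window probe, or abort if over budget."""
        for c in self.conns.values():
            if c.state != "ESTABLISHED" or c.window != 0:
                continue
            if self.budget is not None and now - c.zero_since >= self.budget:
                c.state = "ABORTED"  # mitigation: release the held resources
            else:
                c.probes += 1        # probe goes out; the peer will ACK it

def simulate(budget, peers=3, seconds=300, step=5):
    """Constructed scenario: `peers` clients hold a zero window for `seconds`
    and ACK every probe. Returns (connections still open, probes sent)."""
    s = Server(budget)
    for p in range(peers):
        s.on_ack(f"peer{p}", 0, 0.0)        # window closes right after setup
    for t in range(step, seconds + 1, step):
        s.tick(float(t))
        for p in range(peers):              # the peer answers each probe, win=0
            s.on_ack(f"peer{p}", 0, float(t))
    open_conns = sum(c.state == "ESTABLISHED" for c in s.conns.values())
    return open_conns, sum(c.probes for c in s.conns.values())
```

Calling `simulate(None)` shows all three connections still held open after 300 seconds of probing, whereas `simulate(60)` shows them aborted once the zero-window budget is exhausted.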

Reference information

Copyright © 2009 JPCERT/CC All Rights Reserved.