Vendors are finally releasing patches today for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco’s IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities on Tuesday.
The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which there is no fix coming. The Microsoft bulletin is rated critical.
“The security update addresses the vulnerabilities by dropping existing TCP connections adaptively and limiting the number of new TCP connections until system resources are restored, and changing the manner in which TCP/IP packets are processed,” Microsoft’s bulletin says.
On Tuesday Cisco also released patches for the TCP flaw, which the company said affects every version of its IOS operating system.
“By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system. In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash,” Cisco said.
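An added example, not part of the original article or of either vendor's advisory: one way a defender could spot the symptom Cisco describes, many connections from a single peer that never leave a resource-holding state, by comparing two `netstat -an` snapshots taken some minutes apart. The snapshots, addresses and threshold are constructed for illustration.

```python
from collections import Counter

# States in which a connection still occupies a socket and kernel memory.
HOLDING = {"ESTABLISHED", "FINWAIT1", "FINWAIT2", "CLOSEWAIT", "LASTACK", "CLOSING"}

# Constructed sample snapshots (documentation address ranges), minutes apart.
SNAP_T0 = """
  TCP    0.0.0.0:80        0.0.0.0:0            LISTENING
  TCP    192.0.2.10:80     198.51.100.7:40001   ESTABLISHED
  TCP    192.0.2.10:80     198.51.100.7:40002   FIN_WAIT_1
  TCP    192.0.2.10:80     198.51.100.7:40003   FIN_WAIT_1
  TCP    192.0.2.10:80     203.0.113.9:51510    ESTABLISHED
"""
SNAP_T1 = """
  TCP    0.0.0.0:80        0.0.0.0:0            LISTENING
  TCP    192.0.2.10:80     198.51.100.7:40001   ESTABLISHED
  TCP    192.0.2.10:80     198.51.100.7:40002   FIN_WAIT_1
  TCP    192.0.2.10:80     198.51.100.7:40003   FIN_WAIT_1
  TCP    192.0.2.10:80     203.0.113.9:51822    ESTABLISHED
"""

def parse_netstat(text):
    """Return {(local, remote): state} for the TCP rows of `netstat -an`.

    Handles the Windows and Linux layouts, whose last three columns are
    local address, remote address and state."""
    conns = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].lower().startswith("tcp"):
            continue
        local, remote, state = cols[-3], cols[-2], cols[-1]
        # Windows prints FIN_WAIT_1, Linux FIN_WAIT1: normalise both.
        conns[(local, remote)] = state.upper().replace("_", "")
    return conns

def stuck_peers(earlier, later, threshold=3):
    """Peers with >= threshold connections that sit in the same
    resource-holding state in both snapshots."""
    old, new = parse_netstat(earlier), parse_netstat(later)
    per_peer = Counter()
    for key, state in new.items():
        if state in HOLDING and old.get(key) == state:
            per_peer[key[1].rsplit(":", 1)[0]] += 1
    return {ip: n for ip, n in per_peer.items() if n >= threshold}

if __name__ == "__main__":
    print(stuck_peers(SNAP_T0, SNAP_T1))
```

Long-lived ESTABLISHED connections are normal for some services, so the threshold and snapshot interval need tuning per host before this is used for alerting.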
The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress, which tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth. Louis and Lee notified vendors about the problems in 2008, but the process of fixing the vulnerability was a long one, given the huge number of vendors and products affected.
Cisco and Microsoft are only two of the vendors affected by the vulnerability, but now that the details of the problem have become public, it may be sooner rather than later that other vendors release their own fixes.