Software vendors and security officials in several countries have been working for nearly six months on a fix for a serious flaw in a number of TCP implementations that caused a lot of controversy and speculation last fall. The problem could allow attackers to consume all of the resources on a given remote server, essentially making it unusable.
Now, it appears that the release of a patch for the weakness may not come for several more months.
CERT-FI, the Finnish computer emergency response center, has been working with vendors that are affected by the weakness and officials said that they have mostly determined the scope and seriousness of the problem. There’s no specific timetable for a concurrent release of a patch for the problem, but officials said they’re hopeful that a fix will be ready “during this year.”
“Work on determining the scope and impact of the vulnerability has now been largely completed. Several vendors are currently in various phases of patch development process and have also documented various workarounds and mitigating factors. Judging by the current progress, CERT-FI is confident that functional fixes to mitigate the threat can be expected to be released during this year,” CERT-FI said in a statement.
Few details about the nature of the TCP attack have been made public, but the morsels that have come out are tantalizing. The attack was developed by a pair of experts at a Swedish security company called Outpost24. While doing some large penetration tests, Jack C. Louis and Robert E. Lee found that they could use up all of the resources of the TCP service on a remote machine. They needed very little bandwidth to execute the attack, and it turned out that the only reliable way to recover from the attack is to reboot the server.
Louis wrote a tool called Sockstress that exploited the TCP weakness and allowed him to avoid the protection mechanism known as SYN cookies that some servers use to prevent SYN flood attacks.
On his blog, Lee said that he his hopeful that the full release of information on the TCP problem will come in June.