4/26/2004 -- Cisco Systems Inc. warned of vulnerabilities in nearly all versions of its products as a result of an endemic TCP flaw disclosed early last week. In a separate disclosure, Cisco acknowledged that certain versions of its Internetwork Operating System (IOS) software are vulnerable to an SNMP denial-of-service (DoS) attack.

The United Kingdoms National Infrastructure Security Co-ordination Centre (NISCC) warned of the endemic TCP flaw that could expose networking devices from a range of manufacturers to DOS attack. An attacker who successfully exploits this vulnerability could reset TCP sessions in a much shorter time that was previously thought possible, NISCC said. The problem is especially acute in routers, the organization warned, because of susceptibility in the Border Gateway Protocol (BGP), which relies on persistent TCP sessions between peers.

In a security disclosure regarding the announcement, Cisco warned that All Cisco products which contain a TCP stack are susceptible to this vulnerability.

Cisco announced a software update for its TCP stack, and, along with NISCC, suggested workarounds to mitigate the potential for exposure. The NISCC, for example, suggested that users implement IPSEC (which encrypts TCP information), reduce TCP window sizes, and refrain from publishing TCP port information. For BPG routers, NISCC advised users to implement ingress and egress filtering (to check TCP endpoints), implement the TCP MD5 signature option, and limit the amount of information passing through looking glasses and DNS resource records. Cisco, for its part, suggested implementing Unicast Reverse Path Forwarding (uRPF), which drops spoofed packets, along with access control lists (ACL).

In lieu of a vendor-supplied fix, the U.S. Computer Emergency Readiness Team (CERT) Coordination Center recommends decreasing TCP window sizes -- the smaller the TCP window, the smaller the range of sequence numbers that will be accepted in the TCP stream -- along with the use of MD5 signatures where possible. If this form of verification is supported and enabled between two peers, then an attacker would have to obtain the key used to transmit the packet in order to successfully inject a packet into the TCP session, CERT researchers write. Another potential workaround, CERT speculates, is to tunnel BGP over IPSEC. This would provide a form of authentication between the BGP peers and the data that they transmit. The lack of authentication when using TCP for BGP makes this type of attack more viable, they conclude.

Meanwhile, last week Cisco also warned of vulnerabilities in IOS software releases versions 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B, and 12.3T. An attacker could exploit a flaw in the way IOS processes SNMP solicited operations to trigger memory corruption that could cause a device to restart. Cisco says that this behavior was introduced via a code change to CSCeb22276 and is resolved with CSCed68575.

The networking giant is providing a software update to patch the problem. Workarounds include disabling SNMP on a vulnerable device, implementing receive and infrastructure ACLs, and blocking individual ports. -Stephen Swoyer