TCP Sequence Number Approximation Vulnerability

General BGP solution:

For BGP implementations that support it, the TCP MD5 Signature Option should be enabled. The passwords used for the MD5 signature should be set to strong values and changed on a regular basis.

Secure BGP configuration instructions were also provided for Cisco and Juniper:
http://www.cymru.com/Documents/secure-bgp-template.html
http://www.qorbit.net/documents/junos-bgp-template.pdf
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1cbgp.pdf

NISCC has provided the following best practices guide for BGP: http://www.niscc.gov.uk/BGP%20Filtering%20Guide.pdf

Further workaround and resolution information is provided in the NISCC "Vulnerability Issues in TCP" advisory.

Cisco: Cisco has recommended the following workarounds for IOS products. Note that these workarounds cannot be applied to Cisco IOS Firewall.

The workaround recommended for BGP is to configure an MD5 secret for each session between peers. This can be configured as follows:

    router(config)# router bgp <as_number>
    router(config-router)# neighbor <ip_address> password <enter_your_secret_here>

It is necessary to configure the same shared MD5 secret on both peers and at the same time.
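As an added illustration (not from the advisory or any vendor's code) of what the TCP MD5 Signature Option recommended in the general BGP solution and in the Cisco workaround above actually provides, the Python below computes and verifies an RFC 2385 signature over a constructed BGP segment. The key, addresses and ports are made-up values, and the TCP checksum is left at zero since the signature does not cover it.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18        # RFC 2385 option: kind 19, length 18 (16-byte digest)
FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10

def tcp_md5_signature(src_ip, dst_ip, segment, key):
    """RFC 2385 digest over: IPv4 pseudo-header, fixed TCP header (no options,
    checksum assumed zero), TCP payload, then the shared key."""
    doff = (segment[12] >> 4) * 4                     # header length including options
    pseudo = struct.pack("!4s4sBBH", ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed, 0, TCP_PROTO, len(segment))
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"                        # checksum field zeroed for signing
    return hashlib.md5(pseudo + bytes(fixed) + segment[doff:] + key).digest()

def find_md5_option(segment):
    """Walk the TCP option list and return the 16-byte digest, or None if absent/malformed."""
    doff = (segment[12] >> 4) * 4
    opts, i = segment[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of option list
            return None
        if kind == 1:                                 # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:     # truncated or bogus length
            return None
        length = opts[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return bytes(opts[i + 2:i + length])
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check: a segment with a missing or wrong signature is discarded."""
    sig = find_md5_option(segment)
    return sig is not None and hmac.compare_digest(sig, tcp_md5_signature(src_ip, dst_ip, segment, key))

def build_segment(src_ip, dst_ip, sport, dport, seq, flags, key, payload=b""):
    """Constructed signed segment: 20-byte header, NOP NOP + MD5 option (20 bytes), payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, flags, 65535, 0, 0)
    opt_prefix = b"\x01\x01" + bytes([MD5_OPT_KIND, MD5_OPT_LEN])
    unsigned = hdr + opt_prefix + b"\x00" * 16 + payload
    digest = tcp_md5_signature(src_ip, dst_ip, unsigned, key)   # options themselves are not signed
    return hdr + opt_prefix + digest + payload

KEY = b"constructed-shared-secret"        # constructed example key, not a real value
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2" # constructed peer addresses
```

A segment that carries the right option but was built without the shared key, or whose payload was altered in transit, fails `verify_segment` and would be dropped before it could tear down the BGP session.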

An attacker must spoof the source address of one of the peers to exploit this issue. Spoofed packets can be blocked either with the Unicast Reverse Path Forwarding (uRPF) feature or with access control lists (ACLs). With uRPF enabled, all spoofed packets are dropped at the first device. uRPF can be enabled as follows:

    router(config)# ip cef
    router(config)# interface <interface> <interface #>
    router(config-if)# ip verify unicast reverse-path

uRPF must be configured on a device that is at least one hop away from the vulnerable device to be effective.
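To show why the uRPF check above stops the spoofed peer address from reaching the router, the Python below models strict uRPF on a constructed forwarding table; it is an added example, not Cisco code, and the interface names, prefixes and packets are made up.

```python
import ipaddress

# Constructed forwarding table of the edge device running uRPF, one hop in front of
# the BGP speakers: prefix -> interface the router would use to reach that prefix.
# No default route is present; in IOS a default route is ignored by strict uRPF
# unless "allow-default" is configured.
FIB = {
    "192.0.2.0/24": "Gi0/1",      # address range of BGP peer A
    "198.51.100.0/24": "Gi0/2",   # address range of BGP peer B
    "203.0.113.0/24": "Gi0/0",    # upstream / Internet-facing link
}

def lookup_egress(fib, ip):
    """Longest-prefix match over the FIB (what CEF does); None if the address is unroutable."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict_accepts(fib, ingress_iface, src_ip):
    """Strict uRPF: forward only if the best route back to the source points at the
    interface the packet arrived on. Sources with no route fail the check too."""
    return lookup_egress(fib, src_ip) == ingress_iface

def apply_urpf(fib, packets):
    """Run the check over constructed (ingress_iface, src_ip, description) tuples
    and return the descriptions of accepted and dropped packets."""
    accepted, dropped = [], []
    for ingress, src, desc in packets:
        (accepted if urpf_strict_accepts(fib, ingress, src) else dropped).append(desc)
    return accepted, dropped

# Constructed traffic mix: a genuine peer RST, a spoofed RST claiming peer A's
# address from the upstream side, an ordinary upstream packet, an unroutable source.
PACKETS = [
    ("Gi0/1", "192.0.2.1", "RST from peer A on its own link"),
    ("Gi0/0", "192.0.2.1", "RST claiming peer A's address, arriving from upstream"),
    ("Gi0/0", "203.0.113.7", "ordinary packet from upstream"),
    ("Gi0/0", "10.9.9.9", "packet from an address with no route"),
]

if __name__ == "__main__":
    ok, bad = apply_urpf(FIB, PACKETS)
    print("forwarded:", ok)
    print("dropped:  ", bad)
```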

RST packets are rate-limited in Cisco IOS software by default. Committed Access Rate (CAR) can be used to limit the rate of RST packets in order to make an attack impractical. CAR can be configured as follows:

    router(config)# access-list 103 deny tcp any host 10.1.1.1 established
    router(config)# access-list 103 permit tcp any host 10.1.1.1
    router(config)# interface <interface> <interface #>
    router(config-if)# rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop

For non-IOS products, Cisco has recommended the following workaround: An attacker must spoof the source address of one of the peers to exploit this issue. Spoofed packets can be blocked either with the Unicast Reverse Path Forwarding (uRPF) feature or with access control lists (ACLs). With uRPF enabled, all spoofed packets are dropped at the first device. uRPF can be enabled as follows:

    router(config)# ip cef
    router(config)# interface <interface> <interface #>
    router(config-if)# ip verify unicast reverse-path

uRPF must be configured on a device that is at least one hop away from the vulnerable device to be effective.

Further details regarding these workarounds can be found in the referenced advisories.

Cisco has released two updated advisories (cisco-sa-20040420-tcp-ios) and (cisco-sa-20040420-tcp-nonios) (ver 1.6) to address this issue in IOS based and non-IOS based Cisco products. The updated advisories contain additional affected packages and fix details as well as workarounds. Customers are advised to see referenced advisories for further details regarding obtaining and applying appropriate fixes.

Juniper: Juniper Networks have acknowledged that the issue described in this BID affects M-series and T-series routers running software built prior to March 1st 2004, all Juniper E-series routers running software prior to Release 5.2.1, and all NetScreen firewalls running ScreenOS prior to release 5.0R6. Customers are advised to contact their customer representative in order to retrieve further details regarding obtaining and applying updates.

SGI: SGI has released an advisory (20040403-01-A) that acknowledges the vulnerability and reports that SGI is currently investigating this issue in SGI products. Please see the referenced advisory for further details.

Check Point: Check Point have released an alert (TCP RFC Alert) and have acknowledged that the issue described in this BID affects Check Point SecurePlatform NG and above. Check Point have advised that customers upgrade to VPN-1/FireWall-1 R55 HFA-03 or newer; although this product is not itself affected, the upgrade allows the firewall to be configured so that it protects the entire network against the vulnerability described in this BID. Please see the referenced advisory for further details.

Cray: Cray have acknowledged that the issue described in this BID affects UNICOS/mp, UNICOS and UNICOS/mk. Customers are advised to contact their customer representative in order to retrieve further details regarding obtaining and applying updates.

SEIL: SEIL have released an advisory (announce_en_20040421_01) to address this issue in SEIL products. Customers are advised to see the referenced advisory for further details regarding obtaining and applying appropriate fixes. Updated firmware will be reportedly available on April 23rd 2004.

Blue Coat: Blue Coat Systems have released an advisory (advisory_tcp_can-2004-0230) to address this issue in Blue Coat Systems products. Customers are advised to see the referenced advisory for further details regarding obtaining and applying appropriate fixes.

Various implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review. Users are advised to contact vendors in order to obtain more information about affected products and fixes.

It has been reported that Check Point VPN-1/FireWall-1 R55 HFA-03 contains a fix to address this issue.

The Internet Engineering Task Force (IETF) has developed a draft to address this issue. This draft can be found at the following location when it is available: http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

ISS (Internet Security Systems) has released an advisory along with the relevant updates dealing with this issue. Please see the referenced advisory for more information and details on obtaining the updates.

NetBSD has released an advisory (2005-006) as well as fix information dealing with this issue. Please see the referenced advisory for information on applying the fixes.

(Apr 30) Cisco has released revisions for their two advisories for IOS and non-IOS products. The IOS advisory includes resolution details for IOS 12.1, 12.3T FW, 12.1DA, 12.3T and 12.2 releases. The non-IOS advisory states that Cisco FWSM for Cisco Catalyst 6500/7600 Series was initially thought to be invulnerable but is now considered vulnerable. The non-IOS advisory also includes additional information about Cisco ACNS being vulnerable and resolution details for PIX Firewall. Please refer to the advisories for more information.
