RST attack on RFC-based TCP stacks
| Attack ID: | CPAI-2004-17 |
| Publish Date: | |
| Last Update: | |
| Category: | RST attack on RFC-based TCP stacks |
| Vulnerable Systems: | Any operating system or software that has implemented TCP based on RFC 793 and RFC 1323 |
| Source: | NISCC CAN-2004-0230 |
| Description: | A security vulnerability has been discovered in the implementation of TCP designed in accordance with the TCP RFC. The vulnerability allows a malicious user to send a specially crafted TCP packet with a RST or SYN flag inside an existing connection and cause its termination. |
| Severity: | |
| Details: | A recently published NISCC advisory describes a potential RST attack on any operating system or software that has implemented TCP based on RFC 793 and RFC 1323. A malicious user could attempt to send a spoofed TCP packet matching an existing session with a RST or SYN flag and cause its termination. Although the sequence number check is supposed to protect the session from this kind of attack, the attacker does not need the exact expected sequence number: an RFC 793 stack accepts any sequence number that falls within the receive window, so a guess anywhere inside that window is enough to terminate the connection. |
| Attack Detection: | Using SmartView Tracker, it is possible to identify attempts to send specially crafted packets exploiting this vulnerability. For VPN-1/FireWall-1 NG with Application Intelligence R54 and R55, a DROP log entry with the reason "TCP sequence verifier: Invalid sequence number" will be generated. For VPN-1/FireWall-1 FP3, a DROP log entry with the message "TCP sequence validator: dropped packet with data out of window" will be generated. |
| Solution: | Check Point VPN-1/FireWall-1 can protect your entire network against this attack by enforcing that RST packet sequence numbers exactly match the expected sequence number within the TCP connection window. Users of VPN-1/FireWall-1 FP3 and above should apply Check Point's hotfix designed to enhance the SmartDefense TCP Sequence Verifier protection. For the hotfix, go to Check Point's Alert page and click the link that matches your VPN-1/FireWall-1 version. Users of InterSpect 1.0 should upgrade to InterSpect 1.1. To prevent the exploitation of this vulnerability, the TCP Sequence Verifier within the SmartDefense GUI should be turned on. To activate the protection in VPN-1/FireWall-1 NG AI R54 and above: To activate the VPN-1/FireWall-1 NG AI FP3 protection: |
| Industry Reference: | |
| Additional Information: | CERT: CA-2001-09, CVE-1999-0077, CERT: TA04-111A |
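The two checks the advisory contrasts, the RFC 793 in-window acceptance described under Details and the exact-match rule the Solution enforces, as an added Python model. This is example code, not Check Point's, NISCC's or any TCP stack's implementation; the connection state, segments and sequence-number guesses are constructed, and `rfc793_accepts_rst`, `strict_verdict` and `compare_receivers` are names chosen for this example. The drop reason string is the one quoted in the Attack Detection entry for NG AI R54/R55.

```python
"""Model of the TCP RST acceptance check described in the advisory.

Added example, not Check Point's or NISCC's code. `rfc793_accepts_rst`
applies the RFC 793 rule, under which a segment whose sequence number falls
anywhere in the receive window [RCV.NXT, RCV.NXT + RCV.WND) is processed, so an
RST carrying any in-window guess tears the connection down. `strict_verdict`
applies the rule the advisory's solution enforces: an RST is honoured only
when its sequence number exactly equals RCV.NXT, and anything else is dropped
with the verifier's log reason. All state and segments are constructed.
"""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32

# Drop reason quoted from the advisory's Attack Detection entry (NG AI R54/R55).
DROP_REASON = "TCP sequence verifier: Invalid sequence number"


@dataclass(frozen=True)
class Segment:
    seq: int           # SEG.SEQ
    rst: bool = False  # RST flag set


@dataclass
class RecvState:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # advertised receive window in bytes


def in_window(seq: int, state: RecvState) -> bool:
    """RFC 793 acceptability test for a zero-length segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32 so that
    sequence-space wraparound is handled. With a zero window only the exact
    expected number is acceptable."""
    if state.rcv_wnd == 0:
        return seq == state.rcv_nxt
    return (seq - state.rcv_nxt) % MOD < state.rcv_wnd


def rfc793_accepts_rst(seg: Segment, state: RecvState) -> bool:
    """A stack following RFC 793 literally resets the connection on any
    in-window RST; this is the exposure the advisory describes."""
    return seg.rst and in_window(seg.seq, state)


def strict_verdict(seg: Segment, state: RecvState):
    """Exact-match check for RST segments (the rule RFC 5961 later standardised).
    Returns ('accept', None), ('drop', reason), or ('pass', None) for non-RST
    segments, which this model does not examine."""
    if not seg.rst:
        return ("pass", None)
    if seg.seq == state.rcv_nxt:
        return ("accept", None)
    return ("drop", DROP_REASON)


def compare_receivers(state: RecvState, guesses):
    """Feed the same spoofed RST sequence numbers to both receivers and count
    how many each acts on.
    Returns (rfc793_accepted, strict_accepted, strict_dropped)."""
    rfc793 = strict = dropped = 0
    for seq in guesses:
        seg = Segment(seq=seq, rst=True)
        if rfc793_accepts_rst(seg, state):
            rfc793 += 1
        verdict, _reason = strict_verdict(seg, state)
        if verdict == "accept":
            strict += 1
        elif verdict == "drop":
            dropped += 1
    return rfc793, strict, dropped


if __name__ == "__main__":
    # Constructed connection state: expecting byte 1000, 64 KiB window.
    state = RecvState(rcv_nxt=1000, rcv_wnd=65535)
    # Constructed guesses: just below the window, at RCV.NXT, inside the
    # window, at its upper edge (excluded) and far outside it.
    guesses = [999, 1000, 1001, 1000 + 65534, 1000 + 65535, 5_000_000]
    print(compare_receivers(state, guesses))  # (3, 1, 5)
```

The RFC 793 receiver acts on every guess that lands inside the window, while the strict verifier acts on exactly one value and logs a drop for the rest, which is the log entry the Attack Detection section tells you to look for in SmartView Tracker. The larger the advertised window, the larger the share of the sequence space the RFC 793 receiver accepts, which is why the advisory treats window size as the factor that makes guessing practical.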

