
Update Protection against Multiple Vendor ICMP Connection Reset Denial of Service Vulnerabilities


Check Point Reference: CPAI-2005-356
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA14904
Industry Reference(s): CVE-2004-0790
Protection Provided by: Security Gateway
  • R75
Who is Vulnerable?
Microsoft Windows 2000 (all versions)
Microsoft Windows 98
Microsoft Windows 98 SE
Microsoft Windows ME
Microsoft Windows XP (all versions)
Microsoft Windows XP 64-bit Edition (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2000 (Itanium)
Microsoft Windows Server 2003 (Base)
Cisco Systems Carrier Voice Gateways MGX 8250 Series
Cisco Systems Carrier Voice Gateways MGX 8850 Series
Cisco Systems Catalyst Content Services Switch 6608
Cisco Systems Catalyst Content Services Switch 6624
Cisco Systems Catalyst Content Services Switch 11000
Cisco Systems Catalyst Content Services Switch 11500
Cisco Systems Content Switching Module any
Cisco Systems CRS-1 any
Cisco Systems Global Site Selector any
Cisco Systems IOS XR
Cisco Systems IP Phone 7940
Cisco Systems IP Phone 7960
Cisco Systems IP Phone 7970
Cisco Systems Multilayer Switches MDS 9000 Series
Cisco Systems ONS 15302
Cisco Systems ONS 15303
Cisco Systems ONS 15454
Cisco Systems PIX Security Appliance any
Cisco Systems VPN Concentrator 5000 Series
Sun Microsystems Solaris 10.0_x86
Sun Microsystems Solaris 7.0
Sun Microsystems Solaris 10.0
Sun Microsystems Solaris 7.0_x86
Sun Microsystems Solaris 8.0
Sun Microsystems Solaris 8.0_x86
Sun Microsystems Solaris 9.0
Sun Microsystems Solaris 9.0_x86
Vulnerability Description
The Internet Control Message Protocol (ICMP) is part of the Internet Protocol suite. ICMP facilitates error, control, and informational message exchange between network devices. For instance, ICMP may be used to test network connectivity between two hosts.
Vulnerability Details
A vulnerability exists in the TCP/IP and Internet Control Message Protocol (ICMP) implementations of multiple vendors. A spoofed ICMP Destination Unreachable message carrying a "hard" error code (protocol unreachable, port unreachable, or fragmentation needed) with crafted fields can force a vulnerable system to reset an established TCP connection. A remote attacker can exploit this vulnerability to interrupt services or degrade the network performance of the target system.

The attack requires an open TCP connection between a pair of hosts; the attacker may target either endpoint. The ICMP message quotes the IP header and the first eight bytes of a TCP segment, so the attacker needs only the connection's source and destination addresses and ports; an unpatched stack does not check whether the quoted TCP sequence number belongs to the connection. The effect differs on the two sides of the connection. On receiving the forged message, the vulnerable host terminates the TCP connection, destroying the socket that maintained it. No notification is sent to the other host, which therefore remains unaware that the connection has been terminated. If that host was blocked waiting to receive data at the time of the attack, it may wait indefinitely; if it instead tries to send to the vulnerable host, it receives a TCP RST, since the vulnerable host has already closed the connection and destroyed the socket.
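The following Python model is an added example, not Check Point's or any vendor's code. It builds the forged ICMP hard error described above, parses it the way a TCP receiver would, and contrasts the pre-fix decision (abort on any hard error naming the connection's four-tuple) with the counter-measures from RFC 5927 (require the quoted sequence number to fall within the send window, and treat hard errors on a synchronised connection as soft errors). All addresses, ports, sequence numbers and the `TcpConnection` state record are constructed for illustration.

```python
"""Model of the ICMP hard-error connection reset (CVE-2004-0790) and the
receiver-side check that defeats it.  Added example, not vendor code; all
addresses, ports and sequence numbers are constructed for illustration."""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
# RFC 1122 treats these Destination Unreachable codes as "hard" errors that
# abort the connection: 2 = protocol unreachable, 3 = port unreachable,
# 4 = fragmentation needed and DF set.
HARD_ERROR_CODES = {2, 3, 4}
SYN_SENT, ESTABLISHED = "SYN_SENT", "ESTABLISHED"


@dataclass
class TcpConnection:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    snd_una: int  # oldest unacknowledged sequence number
    snd_nxt: int  # next sequence number to be sent


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_header(sport: int, dport: int, seq: int) -> bytes:
    # Minimal 20-byte header with the ACK flag; only its first 8 bytes get quoted.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)


def build_icmp_hard_error(code: int, offending_datagram: bytes) -> bytes:
    """ICMP Destination Unreachable quoting the IP header plus the first
    8 bytes of the datagram it claims to be reporting on (RFC 792)."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending_datagram[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_error(icmp: bytes) -> dict:
    """Extract the quoted four-tuple and sequence number from an ICMP error."""
    inner_ip = icmp[8:28]
    ihl = (inner_ip[0] & 0x0F) * 4
    sport, dport, seq = struct.unpack("!HHI", icmp[8 + ihl:8 + ihl + 8])
    return {"type": icmp[0], "code": icmp[1], "proto": inner_ip[9],
            "src": socket.inet_ntoa(inner_ip[12:16]), "dst": socket.inet_ntoa(inner_ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq}


def matches_connection(conn: TcpConnection, err: dict) -> bool:
    # The error is delivered to the sender of the quoted datagram, so the
    # quoted source is our local endpoint and the quoted destination our peer.
    return (err["proto"] == socket.IPPROTO_TCP
            and (err["src"], err["sport"]) == (conn.local_ip, conn.local_port)
            and (err["dst"], err["dport"]) == (conn.remote_ip, conn.remote_port))


def legacy_should_abort(conn: TcpConnection, icmp: bytes) -> bool:
    """Pre-fix behaviour described in the advisory: any hard error that names
    the connection's four-tuple aborts it; the quoted sequence number is ignored."""
    err = parse_icmp_error(icmp)
    return (err["type"] == ICMP_DEST_UNREACH and err["code"] in HARD_ERROR_CODES
            and matches_connection(conn, err))


def hardened_should_abort(conn: TcpConnection, icmp: bytes) -> bool:
    """Counter-measures from RFC 5927 (Gont, "ICMP Attacks against TCP"):
    require SND.UNA <= quoted SEQ < SND.NXT, and treat hard errors on a
    synchronised connection as soft errors (log them, keep the connection)."""
    if not legacy_should_abort(conn, icmp):
        return False
    seq = parse_icmp_error(icmp)["seq"]
    in_flight = (conn.snd_nxt - conn.snd_una) % 2**32
    if (seq - conn.snd_una) % 2**32 >= in_flight:
        return False  # forged: the sender did not know the sequence number
    return conn.state == SYN_SENT  # only an unsynchronised connection may abort


def demo() -> tuple:
    """Forge a port-unreachable error against a constructed connection and
    return (legacy_aborts, hardened_aborts)."""
    victim = TcpConnection("192.0.2.10", 40000, "198.51.100.5", 80, ESTABLISHED,
                           snd_una=1000, snd_nxt=1500)
    # The attacker knows the four-tuple but can only guess the sequence number.
    tcp = build_tcp_header(40000, 80, seq=0xDEADBEEF)
    ip = build_ipv4_header("192.0.2.10", "198.51.100.5", socket.IPPROTO_TCP, len(tcp))
    forged = build_icmp_hard_error(3, ip + tcp)  # code 3 = port unreachable
    return legacy_should_abort(victim, forged), hardened_should_abort(victim, forged)


if __name__ == "__main__":
    print("legacy aborts, hardened aborts:", demo())
```

Running `demo()` shows the legacy receiver tearing the connection down while the hardened one ignores the message. The same quoted-header fields are what an inline IPS signature has to inspect: the ICMP type and code, and whether the quoted IP/TCP header refers to a connection the gateway is tracking.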

Protection Overview
This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Network Security > IP and ICMP.
2. In the right pane, double-click the Multiple Vendor ICMP Connection Reset Denial of Service protection.
3. In the Protection Details window, click Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect) and apply any Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: ICMP Protocol Violation
Attack Information: Multiple Vendor ICMP connection reset denial of service