TCP RFC Alert
April 20, 2004
Overview:
A recently published NISCC advisory (236929/TCP) describes a potential RST attack on any operating system or software that has implemented TCP based on RFC 793 and RFC 1323. While the practical application of this vulnerability is very remote (because an attacker must know both IP addresses of a valid, currently connected pair of computers), if exploited, this vulnerability could allow an attacker to create a Denial of Service condition against existing TCP connections, resulting in premature session termination. For more information about the vulnerability, see the NISCC advisory.
Check Point VPN-1/FireWall-1 can protect your entire network against this attack by enforcing that RST packet sequence numbers exactly match the expected sequence within the TCP connection window.
Solution:
By upgrading to Check Point VPN-1/FireWall-1 R55 HFA-03 or newer, customers are able to protect their entire network from this vulnerability, thus providing additional time and security until other systems and software can be patched.
Customers using older versions of NG or NG with Application Intelligence should apply NG FP3 HFA-325 or R54 HFA-410.
Installation Instructions:
- Download R55 HFA-03, R54 HFA-410 or NG FP3 HFA-325
- Apply the HFA to both the enforcement point(s) and the management station
- Set the kernel global variable fwseqvalid_exact_syn_on_rst to control this feature
- Enable the TCP sequence verifier within the SmartDefense GUI, and install the policy to the enforcement point(s)
Note: For more information about setting the kernel global parameter, refer to SecureKnowledge Solution: sk25826
By installing the HFA, you will then be able to modify the kernel global variable fwseqvalid_exact_syn_on_rst. The default value of 0 provides no extra protection against this attack, as the RST packet which has a sequence number that is in the legal window will be accepted.
For maximum protection, set the value to 1. The sequence number must then exactly match the next expected sequence number.
Note: This configuration may cause legitimate RST packets to be lost in instances where the packets preceding the RST were dropped, because VPN-1/FireWall-1 would then expect a different sequence number from the one that was sent.
The recommended approach is to set the kernel global variable to 2, which improves connectivity. The security difference between setting this value to 2, rather than 1, is insignificant. The sequence number must exactly match either the next expected sequence number or the last acknowledged sequence number. This option is useful in case a legitimate RST packet has been dropped by VPN-1/FireWall-1 (for the reasons specified above). The next time the peer (which did not get the RST) sends a packet, another RST would be sent in reply, and this time would be accepted by VPN-1/FireWall-1.
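As an added illustration (not Check Point's code), the three values of fwseqvalid_exact_syn_on_rst modelled as a check over constructed per-connection state; the field names, the window model for value 0, and the sample sequence numbers are assumptions.

```python
SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class ConnState:
    """Constructed state for one direction of a tracked connection (client -> server)."""

    def __init__(self, next_expected_seq, last_acked_seq, window):
        self.next_expected_seq = next_expected_seq  # next client seq the firewall expects
        self.last_acked_seq = last_acked_seq        # ack number most recently seen from the server
        self.window = window                        # receive window advertised by the server


def rst_accepted(seq, state, mode):
    """Return True if a client RST with sequence number `seq` passes the check.

    mode 0: accepted anywhere inside the server's receive window (default, RFC 793 style)
    mode 1: must equal the next expected sequence number
    mode 2: must equal the next expected OR the last acknowledged sequence number
    """
    if mode == 0:
        # window starts at the last ack the server sent; modular arithmetic handles wrap
        return (seq - state.last_acked_seq) % SEQ_MOD < state.window
    if mode == 1:
        return seq == state.next_expected_seq
    if mode == 2:
        return seq in (state.next_expected_seq, state.last_acked_seq)
    raise ValueError("unknown fwseqvalid_exact_syn_on_rst value: %r" % mode)


def demo():
    """Evaluate three constructed RSTs under each mode; returns {case: {mode: accepted}}."""
    # client has sent 100 bytes (seq 1000..1099) through the firewall, server has not acked yet
    st = ConnState(next_expected_seq=1100, last_acked_seq=1000, window=65535)
    modes = (0, 1, 2)
    return {
        # forged RST carrying an arbitrary in-window guess
        "spoofed": {m: rst_accepted(1100 + 30000, st, m) for m in modes},
        # legitimate RST carrying exactly the next expected sequence number
        "exact": {m: rst_accepted(1100, st, m) for m in modes},
        # RST sent in reply to a server segment after an earlier RST was lost:
        # its seq equals the server's ack number (1000), not the next expected seq (1100)
        "reply_rst": {m: rst_accepted(1000, st, m) for m in modes},
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```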
VPN-1/FireWall-1 NG with Application Intelligence R55 Hotfix HFA-04
- VPN-1/FireWall-1 R55 HFA-04 for IPSO
- VPN-1/FireWall-1 R55 HFA-04 for Linux
- VPN-1/FireWall-1 R55 HFA-04 for SecurePlatform
- VPN-1/FireWall-1 R55 HFA-04 for Solaris
- VPN-1/FireWall-1 R55 HFA-04 for Windows
VPN-1/FireWall-1 NG with Application Intelligence R54 HFA-410
- R54 HFA-410 for IPSO
- R54 HFA-410 for Linux
- R54 HFA-410 for SecurePlatform
- R54 HFA-410 for Solaris
- R54 HFA-410 for Windows
VPN-1/FireWall-1 Next Generation FP3 HFA-325
- FP3 HFA-325 for IPSO
- FP3 HFA-325 for Linux
- FP3 HFA-325 for SecurePlatform
- FP3 HFA-325 for Solaris
- FP3 HFA-325 for Windows
Provider-1 NG with Application Intelligence R55 Hotfix HFA
- Provider-1 R55 HFA-04 for Solaris MDS
- Provider-1 R55 HFA-04 for Linux/SecurePlatform MDS
Provider-1 NG with Application Intelligence R54 Hotfix HFA
Provider-1 NG FP3 Hotfix HFA
Performance Pack NG with Application Intelligence R55 TCP Hotfix
- Performance Pack R55 TCP Hotfix for SecurePlatform
- Performance Pack R55 TCP Hotfix for Solaris
Performance Pack NG with Application Intelligence R54 TCP Hotfix
- Performance Pack R54 TCP Hotfix for SecurePlatform
- Performance Pack R54 TCP Hotfix for Solaris