AusCERT - ESB-2005.0993 -- [Juniper] -- Optimistic TCP acknowledgements can cause denial of service

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2005.0993 -- [Juniper] -- Optimistic TCP acknowledgements can cause denial of service
Date: 19 December 2005

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2005.0993 -- [Juniper]
        Optimistic TCP acknowledgements can cause denial of service
                             19 December 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           All Juniper Networks products
Publisher:         Juniper Networks
Operating System:  E/M/T/J-series
                   IVE OS
                   ScreenOS
Platform:          E/M/T/J-series
                   NetScreen Firewall/VPN
                   NetScreen IDP
                   NetScreen NSM/GPRO
                   NetScreen SSL VPN
Impact:            Denial of Service
Access:            Remote/Unauthenticated

Original Bulletin: http://www.kb.cert.org/vuls/id/102014

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bulletin PSN-2005-12-004

Title:    Optimistic TCP acknowledgements can cause denial of service
          (CERT/CC VU#102014)

Products Affected:  All Juniper Networks products, including
                    E/M/T/J-series, IVE OS and ScreenOS.

Platforms Affected: E-series
                    J-series
                    M-series
                    T-series
                    NetScreen Firewall/VPN
                    NetScreen IDP
                    NetScreen NSM/GPRO
                    NetScreen SSL VPN
                    
Revision Number:    3
Issue Date:         2005-12-08

- - ----------------------------------------------------------------------

PSN Issue:
The Transmission Control Protocol (TCP) is described in RFC 793 as a
means to provide reliable host-to-host transmission between hosts in a
packet-switched computer network. Numerous Internet protocols such as
HTTP, SMTP, and FTP rely on TCP as their underlying transport
protocol. Several different TCP congestion control mechanisms are
specified in RFC 2581.

In the course of normal operation a TCP client acknowledges (ACKs) the
receipt of packets sent to it by the server. A TCP sender varies its
transmission rate based on receiving ACKs of the packets it sends. An
optimistic ACK is an ACK sent by a client for a data segment that it
has not yet received. A vulnerability exists in the potential for a
client to craft optimistic ACKs timed in such a way that they
correspond to legitimate packets that the sender has already injected
into the network (often referred to as "in-flight" packets). As a
result, the sender believes that the transfer is progressing better
than it actually is and may increase the rate at which it sends
packets. An important side effect of this condition is the
amplification factor that it introduces. An attacker exploiting this
vulnerability can potentially cause victims to transmit much more data
than the bandwidth available to the attacker.

- - ----------------------------------------------------------------------

Solution:
The Juniper Networks Security Incident Response Team (SIRT) has
assessed this advisory as a very low risk potential vulnerability to
any Juniper routing or firewall products due to the low data volume
nature of TCP applications currently running on these platforms. Even
a BGP peering session that exchanges a lot of routing updates won't
have the kind of data volume that could cause a significant DoS
attack.

While Juniper Networks has been looking at ways to address the
problem, we are not aware of any practical means of eliminating the
behavior described in the alert within the framework of existing RFCs.
For these reasons, we do not have any current plans to develop any
corrective code for our products to mitigate or eliminate this
vulnerability.

Solution Implementation: None.

Status: FINAL RELEASE

Disclaimer:
Juniper Networks is providing this notice on an "AS IS" basis. No
warranty or guarantee of any kind is expressed in this notice and none
should be implied. Juniper Networks expressly excludes and disclaims
any warranties regarding this notice or materials referred to in this
notice, including, without limitation, any implied warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of noninfringement. Your use or reliance on this notice or
materials referred to in this notice is at your own risk. Juniper
Networks may change this notice at any time.

- - ----------------------------------------------------------------------

Related Links:
Vulnerability Note VU#102014: Optimistic TCP acknowledgements can
cause denial of service <http://www.kb.cert.org/vuls/id/102014>

Audience:           For Public Distribution

Alert Type:         Product Support Notification

Risk Level:         Low

Risk Assessment:    In Juniper products, the volume of TCP traffic is
                    not sufficient to cause problems, even if a user
                    was able to exploit this vulnerability. We are not
                    aware of any practical means of eliminating the
                    behavior described in the alert within the
                    definitions of existing RFCs.
                    
Created Date:       2005-12-05 16:48:18.0

Last Modified Date: 2005-12-08 12:08:45.0

- - ----------------------------------------------------------------------

 Copyright (c) 1998-2005, Juniper Networks, Inc. All Rights Reserved

- -----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.3 (Build 2932)

iQA/AwUBQ58mQgJw4nLp1sbREQJ8YQCg4G8Jf+c+mMb5W9oz9nsKc/Dls20An2XW
4u8Eqhh/8Ruds8bQNby79Kmt
=Wn59
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ6YInih9+71yA2DNAQJRAAQAjpJ0ED2dyzBrLhucpN3IfTZsl46rMIKU
8qcSwCEW3LRxteFjv5XWpunMEIQzNPJ98ZWySj7CPcbfP5whVJAmdA/aNaOhQrkS
juByoWJV4RTPDpAcYB68O707H3lu4fDs9guqQTOYtHUL9A54Oa+gKzlcMOW1LjEJ
DPyUl7PBvCU=
=QaJa
-----END PGP SIGNATURE-----