Cisco & Microsoft Patch TCP Stack DoS Exploit

Use Netsparker


A fairly serious flaw that was announced in October 2008 by Outpost24 (and apparently discovered way back in 2005), has finally been patched by the major players Cisco and Microsoft.

So far Redhat has offered a workaround for the flaw and Juniper has responded that their equipment is not vulnerable.

It could be that Juniper doesn’t really understand the attack yet, if so that’s bad news as most of the Internet backbone (ISP Level) runs on Juniper equipment.

Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.

The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.

“This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own,” Lee told The Register. “This really is good progress from both Microsoft and Cisco.”

Microsoft rolled it out in their normal “Patch Tuesday” fashion and Cisco issued a bulletin about especially disruptive DoS attacks.

Good to see it being addressed finally, I guess it took Microsoft some time and money in R&D to come up with a satisfactory solution.

I wonder if any other vendors will be following suite shortly.

On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee. The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected.

The update from Microsoft came during the company’s Patch Tuesday, in which it fixed a total of eight security vulnerabilities in various versions of its Windows operating system. In all, Microsoft issued five patches, which change the way Windows processes javascript, MP3 audio files and wireless signals. As always, the Sans Institute provides a helpful overview here.

Cisco issued it’s own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive.

It’s often hard to fix problems like this in core components because a band-aid solution could end up breaking some of the functionality, especially with something like the TCP stack which is relied on so heavily.

Even then, a patch is released but how many people actually apply it? Cisco equipment is well known for being hard to manage/patch so I’d imagine many network devices will remain unpatched.

Source: The Register

Posted in: Exploits/Vulnerabilities, Networking Hacking, Windows Hacking

, , , , , , ,


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


4 Responses to Cisco & Microsoft Patch TCP Stack DoS Exploit

  1. cbrp1r8 September 9, 2009 at 7:33 pm #

    Even then, a patch is released but how many people actually apply it? Cisco equipment is well known for being hard to manage/patch so I

  2. Jeffrey September 11, 2009 at 7:23 am #

    <<< Even then, a patch is released but how many people actually apply it? Probably not many (right away). Most IT departments, if they are smart, will have to test it. I have finally been able to provoke my IT department to change from the Symantec Endpoint Protection suite they are using now to eEye Digital Security's Blink Professional endpoint protection suite for our desktop systems and Blink Server Edition on our servers. It allows us to not have to "panic patch" (as everyone calls it). Blink is already protecting from the vulnerability which gives us time to test and roll out our patches. I think the thing that sold the product even more, was the fact that each Blink node has Retina built into it which scans each host we have it on and then transmits its data back to eEye's REM management counsel. I havev been using the Personal Edition of Blink on my home systems and have been completely happy with it. It is nice to see companies, like eEye, that drive to protect their users from vulnerabilities. Blink Personal Edition is free for one year if anyone wants to try it. I have created a forum post (in eEye's forums) for new users of Blink trying to explain why it is so unique. http://forums.eeye.com/forums/t/998.aspx?PageIndex=1

  3. Morgan Storey September 14, 2009 at 2:36 am #

    @Jeffrey: You wouldn’t happen to be an employee of eEye would you, that whole post looks very marketing-esque. I heard some companies are now hiring blogspammers, please take it elsewhere people here are smart enough to make up their own minds. eEye has from what I have seen a small and very Niche market, most of the features you are touting there are on 90% of AV vendors out there, HIPS/HIDS is in McAfee, Sophos, Trend, iirc it can even be enabled in Symantecs end point.

    Back on topic, it is interesting that the Linux Kernel devs have advised they won’t be patching as yet, it is a bit of a worry, yes it is only a DOS, but this is like the Apache bug of similar ilk, if you don’t patch it or at least make an attempt you are being shown up, and showing that security is not that big a concern.

  4. Jeffrey September 16, 2009 at 9:27 pm #

    <<< You wouldn