Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Device (Router/Bridge/Hub)  >   Cisco ONS Vendors:   Cisco
(Cisco Plans Fix for ONS) Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service
SecurityTracker Alert ID:  1009894
SecurityTracker URL:
CVE Reference:   CVE-2004-0230   (Links to External Site)
Updated:  Apr 22 2004
Original Entry Date:  Apr 21 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ONS 15327, 15454, 15454SDH, and 15600
Description:   A vulnerability was reported in several TCP stack implementations. A remote user may be able to cause denial of service conditions using a TCP reset attack. Cisco's Optical Network Switch series is vulnerable.

The UK National Infrastructure Security Co-Ordination Centre (NISCC) reported that some implementations of the Transmission Control Protocol (TCP) are particularly vulnerable to TCP reset attacks. A remote user can cause TCP sessions to terminate prematurely, causing denial of service conditions.

The specific impact on applications that use TCP depends on the mechanisms built into the application to address premature TCP session termination.

According to the report, NISCC considers the Border Gateway Protocol (BGP) to be one of the most affected applications, as it relies on a persistent TCP session between BGP peer entities. Premature termination of an underlying TCP session may require routing tables to be rebuilt and may cause "route flapping". In the case of BGP, using the TCP MD5 Signature Option and anti-spoofing measures can mitigate the vulnerability.

Other applications, such as Domain Name System (DNS) and (Secure Sockets Layer) SSL based applications may also be affected, but to a lesser degree, the report said.

A remote user can reportedly send a TCP packet with the RST (reset) flag set (or the SYN flag) with the appropriate spoofed source and destination IP addresses and TCP ports to cause the TCP session to be terminated. Ordinarily, the remote user may have the probability of 1 in 2^32 of guessing the correct sequence number, the report said. However, in actuality, a remote user may be able to guess an appropriate sequence number with much greater probability because many implementations will accept any sequence number within a certain window of the expected sequence number. The Associate Press reports that the proper number can be guessed within as few as four attempts, requiring only seconds to achieve.

The report credits Paul A. Watson for discovering a practical method for conducting TCP reset attacks (presented in "Slipping In The Window: TCP Reset Attacks" at the CanSecWest 2004 conference).

Cisco reports that Cisco ONS 15327, 15454, 15454SDH, and 15600 Optical Transport Platform devices are affected. Cisco has assigned Bug ID CSCed73026.

Impact:   A remote user can cause denial of service conditions.
Solution:   Cisco is developing a fixed version (4.14) for the ONS 15327, 15454, and 15454SDH, to be available on April 27, 2004. Cisco plans to issue additional fixed versions (4.62 and 2.25) for those platforms at an unspecified later date. Cisco also plans to issue a fixed version (5.0) for the ONS 15600 at an unspecified later date.
Vendor URL: (Links to External Site)
Cause:   State error

Message History:   This archive entry is a follow-up to the message listed below.
Apr 20 2004 Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service

 Source Message Contents


Cisco issued an advisory reporting that several non-IOS based products are affected by the 
recently reported TCP vulnerability.

The following products are confirmed to be affected:

Catalyst 1200, 1900, 28xx, 29xx, 3000, 3900, 4000, 5000, 6000; see Bug ID CSCed32349.  No 
software availability date has been determined yet.

Catalyst 1900 and 2820; Fixed version 9.00.07 Available on 2004-Apr-27.

Cisco MDS 9000 Family; see Bug ID CSCed45453; A fix is available in version 1.3(3.8), 

WS-6624 analog station gateway module for the Catalyst 6500; see Bug ID CSCee22691; No 
software availability date has been determined yet.

Cisco Aironet Access Point 340, 350, 1200 Series (only VxWorks-based); see Bug ID 
CSCee22526; No software availability date has been determined yet. Customers are 
encouraged by Cisco to migrate to IOS.

Cisco PIX Firewall; see Bug ID CSCed91445; A fix will be available in versions,, and, with an availability estimate of: 2004-Apr-21

Cisco ONS 15327, 15454, 15454SDH and 15600 Optical Transport Platform; see Bug ID 
CSCed73026; A fix will be available in versions 4.62, 4.14, 2.25, to bevailable on 

Cisco reports that the following products are not vulnerable:

* Cisco VPN 3000 Series Concentrators

* Cisco Firewall Services Module for Cisco Catalyst 6500 Series and Cisco 7600 Series (FWSM)


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC