Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Networking Stack (TCP/IP)  >   TCP/IP Stack Implementation Vendors:   SGI (Silicon Graphics)
(SGI Issues Fix) Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service
SecurityTracker Alert ID:  1011452
SecurityTracker URL:
CVE Reference:   CVE-2004-0230   (Links to External Site)
Date:  Sep 29 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in several TCP stack implementations. A remote user may be able to cause denial of service conditions using a TCP reset attack. Multiple vendors are affected.

The UK National Infrastructure Security Co-Ordination Centre (NISCC) reported that some implementations of the Transmission Control Protocol (TCP) are particularly vulnerable to TCP reset attacks. A remote user can cause TCP sessions to terminate prematurely, causing denial of service conditions.

The specific impact on applications that use TCP depends on the mechanisms built into the application to address premature TCP session termination.

According to the report, NISCC considers the Border Gateway Protocol (BGP) to be one of the most affected applications, as it relies on a persistent TCP session between BGP peer entities. Premature termination of an underlying TCP session may require routing tables to be rebuilt and may cause "route flapping". In the case of BGP, using the TCP MD5 Signature Option and anti-spoofing measures can mitigate the vulnerability.

Other applications, such as Domain Name System (DNS) and (Secure Sockets Layer) SSL based applications may also be affected, but to a lesser degree, the report said.

A remote user can reportedly send a TCP packet with the RST (reset) flag set (or the SYN flag) with the appropriate spoofed source and destination IP addresses and TCP ports to cause the TCP session to be terminated. Ordinarily, the remote user may have the probability of 1 in 2^32 of guessing the correct sequence number, the report said. However, in actuality, a remote user may be able to guess an appropriate sequence number with much greater probability because many implementations will accept any sequence number within a certain window of the expected sequence number. The Associate Press reports that the proper number can be guessed within as few as four attempts, requiring only seconds to achieve.

The report credits Paul A. Watson for discovering a practical method for conducting TCP reset attacks (presented in "Slipping In The Window: TCP Reset Attacks" at the CanSecWest 2004 conference).

The report indicates that the following vendors are affected [this is not an inclusive list]:

- Cray Inc. is vulnerable on their UNICOS, UNICOS/mk and UNICOS/mp systems

- Check Point is affected, but has issued a protection mechanism in the latest release for VPN-1/FireWall-1 (R55 HFA-03) that can protect both the firewall device and hosts located behind the firewall.

- Internet Initiative Japan, Inc (IIJ) is affected.

- InterNiche NicheStack and NicheLite are affected.

- Juniper Networks products are affected.

- Cisco products are affected, including IOS and non-IOS based devices.

Other vendors are assessing the impact of this flaw.

The NISCC Vulnerability Advisory 236929 is available at:

Impact:   A remote user can cause denial of service on the target TCP session. The specific impact depends on the specific vendor implementation.
Solution:   The vendor has issued the following patches:

IRIX 6.5.22: 5738
IRIX 6.5.23: 5737
IRIX 6.5.24: 5728
IRIX 6.5.25: 5729

The patches are available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  UNIX (SGI/IRIX)
Underlying OS Comments:  IRIX 6.5.25 and prior versions

Message History:   This archive entry is a follow-up to the message listed below.
Apr 20 2004 Multiple Vendor TCP Stack Implementations Let Remote Users Deny Service

 Source Message Contents

Subject:  [wiretap] bsd.a kernel networking vulnerabilities



                          SGI Security Advisory

Title:      bsd.a kernel networking vulnerabilities
Number:     20040905-01-P
Date:       September 28, 2004
Reference:  SGI BUG 910841, CVE CAN-2004-0171
Reference:  SGI BUG 913122, CVE CAN-1999-0667
Reference:  SGI BUG 913287, CVE CAN-2004-0230
Reference:  SGI BUG 913386, CVE CVE-1999-0074
Reference:  SGI BUG 916973, CVE CAN-2004-0139
Fixed in:   Patches 5728 5729 5737 & 5738

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use.   SGI recommends
that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS"
basis only, and disclaims all warranties with respect thereto, express,
implied or otherwise, including, without limitation, any warranty of
merchantability or fitness for a particular purpose.  In no event shall
SGI be liable for any loss of profits, loss of business, loss of data or

for any indirect, special, exemplary, incidental or consequential
of any kind arising from your use of, failure to use or improper use of
any of the instructions or information in this Security Advisory.

- -----------------------
- --- Issue Specifics ---
- -----------------------

It has been reported thru various channels that there are several
vulnerabilities affecting bsd.a kernel networking.

The bugs addressed by these patches are:

* 910841 no limit on TCP reassembly queue size

* 913122 IRIX can accept bogus ARP update

* 913287 Improve handling of RST/SYN packets

* 913386 ephemeral port selection should be more randomized

* 916973 t_unbind changes t_bind's behavior

There are several non-security fixes included in the patch.

SGI has investigated the issue and recommends the following steps for
resolving this issue.  It is HIGHLY RECOMMENDED that these measures
be implemented on ALL vulnerable SGI systems.

- --------------
- --- Impact ---
- --------------
To determine the version of IRIX you are running, execute the following

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.19f

The first number ("6.5") is the release name, the second ("6.5.16f" in
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

- ----------------
- --- Solution ---
- ----------------

SGI has provided a series of patches for these vulnerabilities and
recommends that all affected operating systems install the
appropriate patch.

OS Version     Vulnerable?     Patch #      Other Actions
- ----------     -----------     -------      -------------
IRIX 3.x         unknown                        Note 1
IRIX 4.x         unknown                        Note 1
IRIX 5.x         unknown                        Note 1
IRIX 6.0.x       unknown                        Note 1
IRIX 6.1         unknown                        Note 1
IRIX 6.2         unknown                        Note 1
IRIX 6.3         unknown                        Note 1
IRIX 6.4         unknown                        Note 1
IRIX 6.5         unknown                        Note 2
IRIX 6.5.1       unknown                        Note 2
IRIX 6.5.2       unknown                        Note 2
IRIX 6.5.3       unknown                        Note 2
IRIX 6.5.4       unknown                        Note 2
IRIX 6.5.5       unknown                        Note 2
IRIX 6.5.6       unknown                        Note 2
IRIX 6.5.7       unknown                        Note 2
IRIX 6.5.8       unknown                        Note 2
IRIX 6.5.9       unknown                        Note 2
IRIX 6.5.10      unknown                        Note 2
IRIX 6.5.11      unknown                        Note 2
IRIX 6.5.12      unknown                        Note 2
IRIX 6.5.13      unknown                        Note 2
IRIX 6.5.14      unknown                        Note 2
IRIX 6.5.15      unknown                        Note 2
IRIX 6.5.16      unknown                        Note 2
IRIX 6.5.17m     unknown                        Note 2
IRIX 6.5.17f     unknown                        Note 2
IRIX 6.5.18m     unknown                        Note 2 & 3
IRIX 6.5.18f     unknown                        Note 2 & 3
IRIX 6.5.19m     unknown                        Note 2 & 3
IRIX 6.5.19f     unknown                        Note 2 & 3
IRIX 6.5.20m     unknown                        Note 2 & 3
IRIX 6.5.20f     unknown                        Note 2 & 3
IRIX 6.5.21m     unknown                        Notes 2 & 3
IRIX 6.5.21f     unknown                        Notes 2 & 3
IRIX 6.5.22      yes              5738          Notes 2 & 3
IRIX 6.5.23      yes              5737          Notes 2 & 3
IRIX 6.5.24      yes              5728          Notes 2 & 3
IRIX 6.5.25      yes              5729          Notes 2 & 3

     1) This version of the IRIX operating has been retired. Upgrade to
        an actively supported IRIX operating system.  See for more information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact
        your SGI Support Provider or URL:

     3) Install the required patch(es) based on your operating release.

                ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:
Filename:                 README.patch.5728
Algorithm #1 (sum -r):    35186 9 README.patch.5728
Algorithm #2 (sum):       13588 9 README.patch.5728
MD5 checksum:             283FF7F48211DE12A5F701CF63D294B0

Filename:                 patchSG0005728
Algorithm #1 (sum -r):    35786 3 patchSG0005728
Algorithm #2 (sum):       28432 3 patchSG0005728
MD5 checksum:             BD7D37EF3E7A533170D2B5C21FB9953A

Filename:                 patchSG0005728.eoe_sw
Algorithm #1 (sum -r):    13196 6051 patchSG0005728.eoe_sw
Algorithm #2 (sum):       14725 6051 patchSG0005728.eoe_sw
MD5 checksum:             565CAE6A954F429CD4C2A5532F8D466B

Filename:                 patchSG0005728.idb
Algorithm #1 (sum -r):    35935 13 patchSG0005728.idb
Algorithm #2 (sum):       6797 13 patchSG0005728.idb
MD5 checksum:             7C0105CA77139F0E614F7E5505F84495

Filename:                 README.patch.5729
Algorithm #1 (sum -r):    59517 8 README.patch.5729
Algorithm #2 (sum):       39107 8 README.patch.5729
MD5 checksum:             5B079FFE7C41D3AB8FDEDDC19DFEEADD

Filename:                 patchSG0005729
Algorithm #1 (sum -r):    22880 2 patchSG0005729
Algorithm #2 (sum):       57807 2 patchSG0005729
MD5 checksum:             E262646659E28A93193C6F4BA71CDBEE

Filename:                 patchSG0005729.eoe_sw
Algorithm #1 (sum -r):    40147 4498 patchSG0005729.eoe_sw
Algorithm #2 (sum):       56533 4498 patchSG0005729.eoe_sw
MD5 checksum:             3C4CAA38798B6ECF6A27D8F2A7B8179F

Filename:                 patchSG0005729.idb
Algorithm #1 (sum -r):    40084 11 patchSG0005729.idb
Algorithm #2 (sum):       44547 11 patchSG0005729.idb
MD5 checksum:             BA25A75A6B768611640AD4B81F0097B3

Filename:                 README.patch.5737
Algorithm #1 (sum -r):    33924 10 README.patch.5737
Algorithm #2 (sum):       35712 10 README.patch.5737
MD5 checksum:             8E7F5B9E6543C36993DA3BAE88F86161

Filename:                 patchSG0005737
Algorithm #1 (sum -r):    05158 4 patchSG0005737
Algorithm #2 (sum):       57426 4 patchSG0005737
MD5 checksum:             1452B04343D0565A3B7AE4C541E7EEE0

Filename:                 patchSG0005737.eoe_sw
Algorithm #1 (sum -r):    58680 6081 patchSG0005737.eoe_sw
Algorithm #2 (sum):       37111 6081 patchSG0005737.eoe_sw
MD5 checksum:             0ABFEC7A2ABE56C5A4620B2C274A303C

Filename:                 patchSG0005737.idb
Algorithm #1 (sum -r):    50788 13 patchSG0005737.idb
Algorithm #2 (sum):       38116 13 patchSG0005737.idb
MD5 checksum:             D42D48C2568C83171E9314CC81C998BC

Filename:                 README.patch.5738
Algorithm #1 (sum -r):    34257 9 README.patch.5738
Algorithm #2 (sum):       28325 9 README.patch.5738
MD5 checksum:             0BEF17F275BF3624EF05EF90FCD83233

Filename:                 patchSG0005738
Algorithm #1 (sum -r):    54456 4 patchSG0005738
Algorithm #2 (sum):       56616 4 patchSG0005738
MD5 checksum:             FBBE94737D658F28115B9B0265AFAF30

Filename:                 patchSG0005738.eoe_sw
Algorithm #1 (sum -r):    36099 12655 patchSG0005738.eoe_sw
Algorithm #2 (sum):       548 12655 patchSG0005738.eoe_sw
MD5 checksum:             7EE0C37FDE320B0B1602E7E792A741EF

Filename:                 patchSG0005738.idb
Algorithm #1 (sum -r):    08133 32 patchSG0005738.idb
Algorithm #2 (sum):       4380 32 patchSG0005738.idb
MD5 checksum:             6FF1955330B98978174A0132BD54B050

- -------------
- --- Links ---
- -------------
Patches are available via the web, anonymous FTP and from your SGI
service/support provider.

SGI Security Advisories can be found at: and

SGI Security Patches can be found at: and

SGI patches for IRIX can be found at the following patch servers: and

SGI freeware updates for IRIX can be found at:

SGI fixes for SGI open sourced code can be found on:

SGI patches and RPMs for Linux can be found at: or

SGI patches for Windows NT or 2000 can be found at:

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: and

IRIX 6.5 Maintenance Release Streams can be found at:

IRIX 6.5 Software Update CDs can be obtained from:

The primary SGI anonymous FTP site for security advisories and patches
is (  Security advisories and patches
are located under the URL

For security and patch management reasons, (mirrors security FTP repository) lags behind and does not
do a real-time update.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to


SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing
the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches
is (  Security advisories and patches
are located under the URL

The SGI Security Headquarters Web page is accessible at the URL:

For issues with the patches on the FTP sites, email can be sent to

For assistance obtaining or working with security patches, please
contact your SGI support provider.


SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email)
all SGI Security Advisories when they are released. Subscribing to the
mailing list can be done via the Web
or by sending email to SGI as outlined below.

% mail
subscribe wiretap <YourEmailAddress>

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


SGI provides a comprehensive customer World Wide Web site. This site is
located at .


If there are general security questions on SGI systems, email can be
sent to

For reporting *NEW* SGI security issues, email can be sent to or contact your SGI support provider.
A  support contract is not required for submitting a security report.


      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

Version: 2.6.2

    Copyright 2003, Silicon Graphics, Inc. All Rights Reserved.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC