Vigil@nce: TCP, Firewalls, TCP Split Handshake
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker owning a malicious server can use a special TCP initialization sequence in order to make the firewall track a TCP session as if it had been opened from the server to the client.
Severity: 1/4
Creation date: 21/04/2011
IMPACTED PRODUCTS
Cisco ASA Software
Cisco IOS
Cisco PIX Software
Cisco Router
Fortinet FortiGate
NetScreen Firewall
NetScreen ScreenOS
Protocol TCP
DESCRIPTION OF THE VULNERABILITY
A TCP session initialization sequence starts with:
the client sends a packet with the SYN flag
the server answers a SYN-ACK
the client answers an ACK
RFC 793 also describes a four-step variant (page 27, "simultaneous-open handshake"):
the client sends a packet with the SYN flag
the server answers an ACK
the server sends a SYN
the client answers an ACK
Linux, Windows and MacOS handle this sequence as follows (the bulletin calls this an incorrect implementation; note that a client in the SYN-SENT state that receives a SYN without ACK is in fact required by RFC 793 to enter SYN-RECEIVED and reply with a SYN-ACK, since its own SYN has not yet been acknowledged):
the Linux/Windows/MacOS client sends a packet with the SYN flag
the server answers a bare ACK (which the client drops without changing state)
the server sends a SYN
the Linux/Windows/MacOS client answers a SYN-ACK (instead of an ACK alone)
the server answers an ACK
When the server answers this final ACK, a firewall on the path has just seen a SYN (from the server), then a SYN-ACK (from the client) and then an ACK (from the server). Some firewalls interpret these three exchanges as a connection from the server to the client, even though the first SYN on the wire came from the client.
An attacker owning a malicious server can therefore use this special TCP initialization sequence in order to make the firewall register a TCP session from the server to the client: such a firewall then applies its server-to-client policy and logging to a session that the client actually opened. Note that it is the firewall's internal state that is wrong; the session itself was still initiated by the client.
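The exchange above, as an added example that is not part of the Vigil@nce bulletin: a toy model of a client following RFC 793's SYN-SENT rules, a normal server, a malicious split-handshake server, and two firewall connection trackers. The "naive" tracker keys its handshake state on the most recent SYN it sees, which is the behaviour the bulletin describes; the "strict" tracker binds the flow to the first SYN and treats a later SYN from the other side as a simultaneous open. Only the SYN and ACK flags are modelled (no sequence numbers, RST or data), and all class and function names are this example's own.

```python
"""Toy model of the TCP split handshake and of firewall direction attribution.

Added illustration, not code from the bulletin or from any vendor. Segments
carry only a source, a destination and a subset of {SYN, ACK}; the handshake
logic mirrors RFC 793 section 3.9 for the SYN-SENT / SYN-RECEIVED states as
read by the author of this example, without sequence-number checks.
"""
from dataclasses import dataclass

SYN, ACK = "SYN", "ACK"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset

    def has(self, *wanted):
        return all(f in self.flags for f in wanted)

    def __str__(self):
        return f"{self.src}->{self.dst} {'+'.join(sorted(self.flags))}"


def seg(src, dst, *flags):
    return Segment(src, dst, frozenset(flags))


class Client:
    """Client-side state machine: SYN-SENT, then either ESTABLISHED or SYN-RECEIVED."""

    def __init__(self):
        self.state = "CLOSED"

    def connect(self):
        self.state = "SYN-SENT"
        return [seg("client", "server", SYN)]

    def receive(self, s):
        if self.state == "SYN-SENT":
            if s.has(SYN, ACK):                 # ordinary three-way handshake
                self.state = "ESTABLISHED"
                return [seg("client", "server", ACK)]
            if s.has(SYN):                      # SYN without ACK: simultaneous open
                self.state = "SYN-RECEIVED"     # our SYN is not acked yet, so SYN-ACK
                return [seg("client", "server", SYN, ACK)]
            return []                           # bare ACK in SYN-SENT: dropped
        if self.state == "SYN-RECEIVED" and s.has(ACK):
            self.state = "ESTABLISHED"
        return []


class NormalServer:
    def receive(self, s):
        if s.has(SYN) and not s.has(ACK):
            return [seg("server", "client", SYN, ACK)]
        return []


class SplitHandshakeServer:
    """Malicious server: a bare ACK, then its own SYN, then an ACK of the client's SYN-ACK."""

    def receive(self, s):
        if s.has(SYN) and not s.has(ACK):
            return [seg("server", "client", ACK), seg("server", "client", SYN)]
        if s.has(SYN, ACK):
            return [seg("server", "client", ACK)]
        return []


def run_handshake(server):
    """Drive client and server until no segment is pending; return (client state, wire)."""
    client = Client()
    peers = {"client": client, "server": server}
    queue = client.connect()
    wire = []
    while queue:
        s = queue.pop(0)
        wire.append(s)
        queue.extend(peers[s.dst].receive(s))
    return client.state, wire


class NaiveTracker:
    """Restarts its handshake tracking on every SYN: the weakness described above."""

    def observe(self, wire):
        initiator = state = None
        for s in wire:
            if s.has(SYN) and not s.has(ACK):
                initiator, state = s.src, "SYN_SEEN"
            elif state == "SYN_SEEN" and s.has(SYN, ACK) and s.dst == initiator:
                state = "SYNACK_SEEN"
            elif state == "SYNACK_SEEN" and s.has(ACK) and s.src == initiator:
                state = "ESTABLISHED"
        return state, initiator


class StrictTracker:
    """Initiator is whoever sent the first SYN; a reverse SYN is a simultaneous open."""

    def observe(self, wire):
        initiator, syn_sent, syn_acked = None, set(), set()
        for s in wire:
            if s.has(SYN):
                initiator = initiator or s.src
                syn_sent.add(s.src)
            if s.has(ACK) and s.dst in syn_sent:
                syn_acked.add(s.dst)
        done = syn_sent == {"client", "server"} and syn_acked == syn_sent
        return ("ESTABLISHED" if done else "PENDING"), initiator


if __name__ == "__main__":
    for name, server in (("normal", NormalServer()), ("split", SplitHandshakeServer())):
        state, wire = run_handshake(server)
        print(name, state, [str(s) for s in wire])
        print("  naive :", NaiveTracker().observe(wire))
        print("  strict:", StrictTracker().observe(wire))
```

For the split handshake the naive tracker reports the session as ESTABLISHED with the server as initiator, while the strict tracker (and the normal handshake under either tracker) attributes it to the client; the difference is exactly the direction a policy or log entry would be keyed on.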
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN