Vigil@nce: TCP, Firewalls, TCP Split Handshake
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker owning a malicious server can use a special TCP
initialization sequence in order to force the firewall to open a
TCP session to the client.
– Severity: 1/4
– Creation date: 21/04/2011
IMPACTED PRODUCTS
– Cisco ASA Software
– Cisco IOS
– Cisco PIX Software
– Cisco Router
– Fortinet FortiGate
– NetScreen Firewall
– NetScreen ScreenOS
– Protocol TCP
DESCRIPTION OF THE VULNERABILITY
A normal TCP session initialization (the three-way handshake) is:
– the client sends a packet with the SYN flag
– the server answers a SYN-ACK
– the client answers an ACK
RFC 793 also describes a four-step variant (page 27,
"simultaneous-open handshake"), in which the server does not
combine its SYN and its ACK in one segment:
– the client sends a packet with the SYN flag
– the server answers an ACK
– the server sends a SYN
– the client answers an ACK
In practice, Linux, Windows and MacOS clients handle this
sequence differently from the four-step description above:
– the Linux/Windows/MacOS client sends a packet with the SYN flag
– the server answers an ACK (which the client may ignore)
– the server sends a SYN
– the Linux/Windows/MacOS client answers a SYN-ACK (instead of an
ACK alone)
When the server then answers with an ACK, a firewall on the path
has just seen, in this order: a SYN sent by the server, a SYN-ACK
sent by the client, and an ACK sent by the server. Some firewalls
interpret these three segments as a connection from the server to
the client, and open the session in that direction.
An attacker owning a malicious server can therefore use a special
TCP initialization sequence in order to force the firewall to
open a TCP session to the client. Note that the firewall ends up
with an invalid internal state (it records a session opened by the
server), even though this session was in fact initiated by the
client.
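The exchange described above, as an added example that is not part of the Vigil@nce bulletin nor any vendor's code: a toy stateful firewall tracker in Python fed with the classic handshake and with the split handshake. The naive tracker re-anchors the "initiator" on every bare SYN it sees and therefore ends up believing the server opened the session; the second tracker keeps the initiator recorded at the first SYN and treats the server's later SYN as the split/simultaneous open it is. The addresses, the segment list and the tracker classes are all constructed for this illustration; only the flag values are the real TCP header bits.

```python
"""Added example: how a split handshake fools a naive firewall connection
tracker, and one way to track it correctly. Not the bulletin's code;
addresses, segments and class names are constructed for illustration."""

from dataclasses import dataclass

SYN = 0x02  # TCP header flag bits
ACK = 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: int


def flow_key(seg):
    # One key for both directions, so replies land on the same flow entry.
    return frozenset((seg.src, seg.dst))


class NaiveTracker:
    """Whoever sent the most recent bare SYN is taken as the initiator."""

    def __init__(self):
        self.flows = {}

    def feed(self, seg):
        key = flow_key(seg)
        f = self.flows.get(key)
        syn, ack = bool(seg.flags & SYN), bool(seg.flags & ACK)
        if syn and not ack:
            # Re-anchor on every bare SYN: this is the weakness.
            self.flows[key] = {"state": "SYN_SENT", "initiator": seg.src}
            return
        if f is None:
            return
        if syn and ack and f["state"] == "SYN_SENT" and seg.dst == f["initiator"]:
            f["state"] = "SYN_RECEIVED"
        elif ack and f["state"] == "SYN_RECEIVED" and seg.src == f["initiator"]:
            f["state"] = "ESTABLISHED"

    def initiator(self, a, b):
        f = self.flows.get(frozenset((a, b)))
        return f["initiator"] if f and f["state"] == "ESTABLISHED" else None


class AnchoredTracker:
    """Initiator is fixed by the first SYN; a peer SYN while in SYN_SENT is a
    split/simultaneous open and does not change who opened the session."""

    def __init__(self):
        self.flows = {}

    def feed(self, seg):
        key = flow_key(seg)
        f = self.flows.get(key)
        syn, ack = bool(seg.flags & SYN), bool(seg.flags & ACK)
        if f is None:
            if syn and not ack:
                self.flows[key] = {"state": "SYN_SENT", "initiator": seg.src,
                                   "ack_from": None}
            return  # anything else without a tracked SYN is ignored
        init = f["initiator"]
        if syn and not ack:
            if seg.src != init and f["state"] == "SYN_SENT":
                f["state"] = "SYN_BOTH"  # peer sent its own SYN: split open
            return  # a repeated SYN from the initiator is a retransmission
        if syn and ack:
            if f["state"] == "SYN_SENT" and seg.dst == init:
                f["state"], f["ack_from"] = "SYN_RECEIVED", init      # classic
            elif f["state"] == "SYN_BOTH" and seg.src == init:
                f["state"], f["ack_from"] = "SYN_RECEIVED", seg.dst  # split
            return
        if ack and f["state"] == "SYN_RECEIVED" and seg.src == f["ack_from"]:
            f["state"] = "ESTABLISHED"

    def initiator(self, a, b):
        f = self.flows.get(frozenset((a, b)))
        return f["initiator"] if f and f["state"] == "ESTABLISHED" else None


CLIENT, SERVER = "10.0.0.5", "203.0.113.7"  # constructed addresses

CLASSIC_HANDSHAKE = [
    Segment(CLIENT, SERVER, SYN),
    Segment(SERVER, CLIENT, SYN | ACK),
    Segment(CLIENT, SERVER, ACK),
]

SPLIT_HANDSHAKE = [
    Segment(CLIENT, SERVER, SYN),        # client SYN
    Segment(SERVER, CLIENT, ACK),        # server bare ACK (client ignores it)
    Segment(SERVER, CLIENT, SYN),        # server SYN
    Segment(CLIENT, SERVER, SYN | ACK),  # client answers SYN-ACK, not ACK
    Segment(SERVER, CLIENT, ACK),        # server ACK: session is up
]


def run(tracker_cls, segments):
    """Feed the segments through a tracker and report who it thinks opened
    the CLIENT/SERVER session (None if it never saw it established)."""
    tracker = tracker_cls()
    for seg in segments:
        tracker.feed(seg)
    return tracker.initiator(CLIENT, SERVER)


if __name__ == "__main__":
    for name, segs in (("classic", CLASSIC_HANDSHAKE), ("split", SPLIT_HANDSHAKE)):
        print(name, "naive:", run(NaiveTracker, segs),
              "anchored:", run(AnchoredTracker, segs))
```

On the split handshake the naive tracker reports the server as initiator, which is exactly the invalid state the bulletin describes, while the anchored tracker still reports the client. Keeping the initiator is only one possible design: a firewall may equally well drop the peer's bare SYN while the flow is in SYN_SENT, which breaks the split handshake outright at the cost of also breaking legitimate simultaneous opens.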
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/TCP-Firewalls-TCP-Split-Handshake-10590