Vigil@nce: TCP, Firewalls, TCP Split Handshake

April 2011 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/

SYNTHESIS OF THE VULNERABILITY

An attacker owning a malicious server can use a special TCP initialization sequence (the "split handshake") to make a firewall on the path record a TCP session opened from the server to the client.

- Severity: 1/4
- Creation date: 21/04/2011

IMPACTED PRODUCTS

- Cisco ASA Software
- Cisco IOS
- Cisco PIX Software
- Cisco Router
- Fortinet FortiGate
- NetScreen Firewall
- NetScreen ScreenOS
- Protocol TCP

DESCRIPTION OF THE VULNERABILITY

The usual TCP session initialization sequence (the three-way handshake) is:
- the client sends a packet with the SYN flag
- the server answers a SYN-ACK
- the client answers an ACK

RFC 793 also describes a variant in four steps (page 27, "simultaneous-open handshake"), in which the server replies with a separate ACK and then its own SYN:
- the client sends a packet with the SYN flag
- the server answers an ACK
- the server sends a SYN
- the client answers an ACK

Linux, Windows and MacOS clients do not answer the server's SYN with a plain ACK as in the four-step sequence above; they answer with a SYN-ACK, which is the response RFC 793 specifies for a SYN received in the SYN-SENT state:
- the Linux/Windows/MacOS client sends a packet with the SYN flag
- the server answers an ACK (the client can ignore it)
- the server sends a SYN
- the Linux/Windows/MacOS client answers a SYN-ACK (instead of an ACK alone)

When the server then answers that SYN-ACK with an ACK, a firewall on the path has just seen a SYN (from the server), a SYN-ACK (from the client) and an ACK (from the server): the exact shape of a three-way handshake initiated by the server. Firewalls that restart their flow tracking on any new SYN interpret these three exchanges as a connection from the server to the client.

An attacker owning a malicious server can therefore use this initialization sequence to make the firewall open a TCP session attributed to the server rather than to the client. The firewall's internal state is wrong (the session was in fact initiated by the client), so any rule or inspection the firewall applies according to which side opened the connection is evaluated as if the server had opened it.
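The following model, added here as an illustration and not part of the Vigil@nce bulletin or of any vendor's code, feeds the two handshake sequences described above through a toy stateful-firewall flow tracker. The endpoint labels "client"/"server", the state names and the segment encoding are assumptions of the model; sequence numbers are not tracked. The naive tracker re-keys the flow on every SYN, which is the misinterpretation the bulletin describes; the strict tracker remembers who sent the first SYN and treats a later SYN from the other side as a simultaneous open, which is the check a practitioner would want in a connection-tracking engine.

```python
"""Model of a stateful firewall's TCP handshake tracking (added example).

Two tracking policies are compared on the same segment sequences:
  strict=False  re-keys the flow on every SYN it sees, so the server's SYN
                in a split handshake makes the server the "initiator"
  strict=True   keeps the sender of the first SYN as the initiator and
                treats a later SYN from the other side as a simultaneous open
Endpoint labels, state names and the flag encoding are assumptions of this
model; it does not reproduce any specific firewall product.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYN = 0x02  # TCP flag bits, as laid out in the TCP header
ACK = 0x10


@dataclass(frozen=True)
class Segment:
    src: str    # "client" or "server" (constructed labels, not addresses)
    flags: int

    @property
    def kind(self) -> str:
        if self.flags & SYN and self.flags & ACK:
            return "SYN-ACK"
        if self.flags & SYN:
            return "SYN"
        if self.flags & ACK:
            return "ACK"
        return "OTHER"


def peer(side: str) -> str:
    return "server" if side == "client" else "client"


class HandshakeTracker:
    """Per-flow handshake state machine (sequence numbers are not modelled)."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.state = "NONE"
        self.initiator: Optional[str] = None

    def feed(self, seg: Segment) -> None:
        kind = seg.kind
        if kind == "SYN":
            if (self.strict and self.state == "SYN_SENT"
                    and self.initiator is not None
                    and seg.src == peer(self.initiator)):
                # Both sides have now sent a SYN: RFC 793 simultaneous open.
                # The flow stays attributed to the side that sent the first SYN.
                self.state = "SYN_BOTH"
            else:
                # Naive mode restarts tracking on any SYN, which is exactly
                # how the server's SYN gets mistaken for a new connection.
                self.initiator = seg.src
                self.state = "SYN_SENT"
        elif kind == "SYN-ACK" and self.state in ("SYN_SENT", "SYN_BOTH"):
            if self.state == "SYN_BOTH" or seg.src == peer(self.initiator):
                self.state = "SYN_RCVD"
        elif kind == "ACK" and self.state == "SYN_RCVD":
            self.state = "ESTABLISHED"
        # A bare ACK while in SYN_SENT (step 2 of the split handshake) and
        # any other segment is ignored by both trackers.


def classify(segments: List[Segment], strict: bool) -> Tuple[str, Optional[str]]:
    """Feed an observed sequence through a tracker; return (state, initiator)."""
    tracker = HandshakeTracker(strict)
    for seg in segments:
        tracker.feed(seg)
    return tracker.state, tracker.initiator


# Constructed sequences: what a firewall on the path would observe.
THREE_WAY = [
    Segment("client", SYN),
    Segment("server", SYN | ACK),
    Segment("client", ACK),
]

SPLIT_HANDSHAKE = [
    Segment("client", SYN),        # 1. client opens the connection
    Segment("server", ACK),        # 2. server acks without SYN (client ignores it)
    Segment("server", SYN),        # 3. server sends its own SYN
    Segment("client", SYN | ACK),  # 4. client answers SYN-ACK (RFC 793 SYN-SENT rule)
    Segment("server", ACK),        # 5. server completes the exchange
]

if __name__ == "__main__":
    for name, seq in (("three-way", THREE_WAY), ("split", SPLIT_HANDSHAKE)):
        for strict in (False, True):
            mode = "strict" if strict else "naive"
            print(f"{name:10s} {mode:6s} -> {classify(seq, strict)}")
```

On the three-way handshake both trackers agree that the client opened the connection. On the split handshake the naive tracker ends in ESTABLISHED with the server as initiator, which is the wrong internal state the bulletin describes, while the strict tracker keeps the client as initiator. A real engine additionally has to validate sequence and acknowledgement numbers across the simultaneous-open path, which this model leaves out.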

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/T...
