Feeds

Microsoft, Cisco issue patches for newfangled DoS exploit

Relief for industry-wide TCP attack

Boost IT visibility and business value

Updated Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.

The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.

"This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own," Lee told The Register. "This really is good progress from both Microsoft and Cisco."

On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee. The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected.

The update from Microsoft came during the company's Patch Tuesday, in which it fixed a total of eight security vulnerabilities in various versions of its Windows operating system. In all, Microsoft issued five patches, which change the way Windows processes javascript, MP3 audio files and wireless signals. As always, the Sans Institute provides a helpful overview here.

Cisco issued it's own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive.

"By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases," the bulletin stated. "With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system."

Several other companies issued their own advisories concerning the vulnerability, according to this advisory from the Computer Emergency Response Team in Finland. Security firm Check Point Software said it was updating several security gateway products. Linux distributor Red Hat, meanwhile, stopped short of issuing a fix, but offered this workaround.

The industry wide advisories are designed to address a design flaw in a core internet protocol. Louis and Lee discovered it in 2005 and kept it secret last year. The researchers have provided few public details about how to exploit the bug to prevent it from being targeted in real-world attacks. Now that fixes are being released, he plans to write several blog posts in the coming weeks that for the first time will publicly reveal how attacks are carried out.

The vulnerability is unusual in that it causes a server or router to stop working with relatively modest amounts of malformed traffic. What's more, the disruption lasts even after the malicious assault has ended. In many cases, the only way to repair a disabled device is to restart it, a remedy that's not suitable in most data centers.

Not all industry players agree on the severity of the flaw. Researchers from router maker Juniper Networks said they "found no unexpected or adverse impact to our equipment which is different from other types of TCP Denial of Service." VMware and Clavister said none of their products are vulnerable, either.

Lee cautioned that many companies are wrong when they claim their products are unaffected by the new class of DoS vulnerabilities. In particular, he said Juniper's insistence that its products aren't vulnerable "means the guys at Juniper didn't get it." He went on to say: "I'm reasonably certain they're absolutely vulnerable."

Barry Greene, director of Juniper's security incident response team, took exception to that claim. He said his security team tested Juniper's entire product portfolio using Outpost24's own security tools and found no evidence any of it was vulnerable to the types of attacks described by Louis and Lee.

"The expectation is that when you're under attack, your system should recover when you remove the attack," Greene said. "Your system shouldn't crash when you're under attack. Our expectation is that we recover as we do from any other DoS attack of this type." ®

This article was updated to include comment from Juniper.

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?