Slashdot Mirror


Microsoft, Cisco Finally Patch TCP DoS Flaw

Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."

26 of 114 comments

  1. very, very old vulnerability by neko+the+frog · · Score: 4, Funny

    I mean, Robert E. Lee has been dead for *decades*.

    --
    -- the opinions stated above aren't those of my employer. in fact, they're probably not even my own. you know what, ju
    1. Re:very, very old vulnerability by UncleTogie · · Score: 2, Funny

      It must have taken an army of coders to fix these flaws.

      It was easy. They had confederates!

      --
      Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
  2. Hey things take time. by palegray.net · · Score: 4, Funny

    Just think of all the meetings that had to be convened, coffee brewed, dinners expensed discussing the potential impact of these flaws, input from the legal department on the cost of fixing the bug versus potential liability including agreement to the shrinkwrap license that absolves MS of any liability unless a judge someday says otherwise, reading the tea leaves, God the list goes on and on.

    I'm proud of them for releasing this fix in such a timely fashion.

    1. Re:Hey things take time. by thePowerOfGrayskull · · Score: 5, Insightful

      Alternatively, just think of what would have happened if either of those giants had released a patch for something as fundamental as the TCP stack that introduced a new bug or worse hole; then automatically pushed it to millions of users. A year might be excessive, but considering the size of their userbases... I can understand it.

    2. Re:Hey things take time. by ThePhilips · · Score: 3, Insightful

      Yes, absolutely. TCP is so complicated that only a few engineers know precisely how it works and can patch the flaw. And probably it also lacks test tools. OMG. I'm so happy that it took them only a year.

      /sarcasm

      WTF. Get real. TCP is studied and implemented as a lab assignment now in pretty much every university by all who in any way relate to network programming. Test tools and analyzers are abundant (both hardware and software) and can simulate pretty much any kind of load. There are even commercial companies selling ready suites of TCP test cases for pennies (at the size of MS and Cisco).

      Longest way: rent an analyzer (2-4 weeks longest for it to get shipped to your office), buy a suite of test cases (0 days), run the tests (1-2 days, normally less), patch the hole (1-2 days), rerun the tests (1-2 days). IOW, if they really cared, they could have released a patch within 2-3 weeks. Heck, I have seen people implementing basic TCP quicker than that.

      This is simply another display of arrogance on part of big vendors. Nothing new here. Move on.

      --
      All hope abandon ye who enter here.
    3. Re:Hey things take time. by Anonymous Coward · · Score: 5, Insightful

      WTF. Get real. TCP is studied and implemented as a lab assignment now ...

      Your point that TCP programming is practiced in abundance is well taken, but my experience has taught me that anything related to network programming in general, and TCP/IP implementations in particular (particularly where interoperability between your product and TCP stacks you've never seen before is concerned), is astoundingly difficult, and that anyone who believes that they've got all the bases covered, that they've foreseen everything that could go wrong, and that they're in the clear because their tests indicate that all their stuff is RFC-compliant will be the first to get their asses kicked hard after they release their product.

    4. Re:Hey things take time. by anss123 · · Score: 2, Informative

      Nevertheless, it's a pretty well-known fact that MS took their implementation of TCP from BSD, which apparently doesn't have the problem. More than that, they took a fresh implementation from FreeBSD relatively recently for 2003 Server.

      Um, no. They took a streams BSD stack for Windows NT 3.1, but they didn't like streams for some reason and implemented their own sockets-based stack for NT 3.5. See: http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357

    5. Re:Hey things take time. by shutdown+-p+now · · Score: 2, Interesting

      Nevertheless, it's a pretty well-known fact that MS took their implementation of TCP from BSD, which apparently doesn't have the problem. More than that, they took a fresh implementation from FreeBSD relatively recently for 2003 Server.

      It's also fairly well known that the TCP/IP stack was rewritten from scratch in Vista/Win2008, with no BSD code left. So this doesn't seem to be relevant.

    6. Re:Hey things take time. by palegray.net · · Score: 2, Informative

      I'm not going to do all your research for you. About five seconds of Googling yields this Ubuntu page: Ubuntu Security Notice USN-819-1. Debian's notices shouldn't be that hard to find, either. Of course, you can always just try the proof of concept code on an updated Debian system if you seriously doubt the maintainers.

  3. Re:Better Late than never? by Anonymous Coward · · Score: 4, Informative

    From the MS bulletin:

    Non-Affected Software
    Operating System
    Windows XP Service Pack 2 and Windows XP Service Pack 3*
    Windows XP Professional x64 Edition Service Pack 2*

  4. I really want an objective by nimbius · · Score: 3, Insightful

    and straightforward reason why these companies don't issue these patches sooner. "We don't have the resources" or "it just isn't hurting our bottom line yet" would be awesome to hear. I mean, if Google can come out and do it, then it says a lot about the old guard if they can't.

    --
    Good people go to bed earlier.
    1. Re:I really want an objective by Anonymous Coward · · Score: 2, Informative

      Did you read Cisco's list of vulnerable hardware? It certainly takes a long time to test all of your currently supported hardware, test and release updates for all of them, many of which have multiple supported trains of software support that the fix needs to be rolled in to.

  5. what's the point of IOS? by RelliK · · Score: 2, Insightful

    Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarrassment.

    --
    ___
    If you think big enough, you'll never have to do it.
    1. Re:what's the point of IOS? by mat128 · · Score: 2, Funny

      Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarrassment.

      you have no idea how big and dedicated the Cisco IOS is!

    2. Re:what's the point of IOS? by Nethead · · Score: 3, Informative

      Juniper maybe? Of course if you think routers are from Linksys, Netgear, D-Link, etc. then we're not talking the same type of router.

      --
      -- I have a private email server in my basement.
    3. Re:what's the point of IOS? by Anonymous Coward · · Score: 2, Informative

      Mind you, JUNOS is based on FreeBSD, not Linux.

    4. Re:what's the point of IOS? by xZgf6xHx2uhoAj9D · · Score: 2, Informative

      It's not about better suited; it's about well suited. As long as it's good enough, why not take advantage of the free maintenance all the Linux hackers do for you?

    5. Re:what's the point of IOS? by the+linux+geek · · Score: 2, Informative

      Actually, I believe its QNX, not Linux.

    6. Re:what's the point of IOS? by longfalcon · · Score: 4, Insightful

      are you kidding?

      Linksys was acquired by cisco.
      there is about as much difference between Linksys and cisco routers as there is between a weekend yacht and a freighter.

      IOS was designed to be an enterprise embedded solution, not for some Joe Bloggs out there who needs to hook up two computers to his cable connection.

    7. Re:what's the point of IOS? by gad_zuki! · · Score: 5, Informative

      First off, a lot of these embedded OSs are real-time OSs. Linux vanilla isn't.

      So lets say your company standardized on dd-wrt, which is popular and a solid product, but look at the recent security issue:

      http://routerip/cgi-bin/;command_to_execute

      That's right, the command goes right there and it runs as root. That's a nightmare-level security issue that CS101 students should be ashamed of, let alone true hackers.

      So imagine if Linksys standardized on dd-wrt. Just clicking on http://192.168.1.1/cgi-bin/;rm-r would destroy your router. That link could be put everywhere on the web and would result in mass chaos.

      I think a lot of companies know the quality from even the most popular OSS projects can be highly uneven and hackers are just that: hackers. They hack things together. Good design and security testing is usually an afterthought.

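The injection pattern gad_zuki! describes, shown as an added Python example that is not dd-wrt's httpd code (the real handler is C in the router's web server): a dispatcher that splices the part of the URL after /cgi-bin/ into a shell command line, beside a hardened dispatcher that allowlists the script name, pins the resolved path inside the cgi directory and execs without a shell. The cgi directory, the `status` script and the request URLs are constructed for the demo; the page's own 192.168.1.1 is reused as the router address.

```python
"""Command injection through a CGI URL: vulnerable vs hardened dispatch.

Added illustration only. Everything below (cgi-bin directory, the
`status` script, the request URLs) is constructed for the demo and is
not taken from dd-wrt.
"""
import os
import re
import shutil
import subprocess
import tempfile
from urllib.parse import unquote, urlsplit

# Script names may only be plain file names: no '/', ';', spaces, '..' etc.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def make_cgi_dir() -> str:
    """Create a throwaway cgi-bin holding one harmless script (constructed)."""
    cgi_dir = tempfile.mkdtemp(prefix="cgi-bin-")
    script = os.path.join(cgi_dir, "status")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho ok\n")
    os.chmod(script, 0o755)
    return cgi_dir


def cgi_name_from_url(url: str) -> str:
    """Return whatever follows /cgi-bin/ in the request path, URL-decoded,
    exactly as a naive server would hand it to the CGI handler."""
    path = unquote(urlsplit(url).path)
    prefix = "/cgi-bin/"
    if not path.startswith(prefix):
        raise ValueError("not a cgi-bin request")
    return path[len(prefix):]


def vulnerable_dispatch(cgi_dir: str, url: str) -> str:
    """Bug: the user-controlled name is pasted into a shell command line.
    A ';' in the URL ends the script path and starts a second command,
    which /bin/sh runs with the web server's privileges (root on a router)."""
    name = cgi_name_from_url(url)
    cmd = f"{cgi_dir}/{name}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_dispatch(cgi_dir: str, url: str) -> str:
    """Fix: strict allowlist on the name, resolved path must stay inside
    cgi_dir (catches symlinks too), and the script is exec'd as an argv
    vector so no shell ever parses attacker-controlled text."""
    name = cgi_name_from_url(url)
    if not SAFE_NAME.fullmatch(name):
        raise PermissionError(f"rejected cgi name {name!r}")
    script = os.path.realpath(os.path.join(cgi_dir, name))
    if os.path.dirname(script) != os.path.realpath(cgi_dir):
        raise PermissionError("path escapes cgi-bin")
    if not os.path.isfile(script) or not os.access(script, os.X_OK):
        raise FileNotFoundError(name)
    proc = subprocess.run([script], shell=False, capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Run both dispatchers against a benign, an injected and a traversal URL."""
    cgi_dir = make_cgi_dir()
    benign = "http://192.168.1.1/cgi-bin/status"
    injected = "http://192.168.1.1/cgi-bin/;echo%20INJECTED"
    traversal = "http://192.168.1.1/cgi-bin/../../bin/sh"
    results = {}
    try:
        results["vuln_benign"] = vulnerable_dispatch(cgi_dir, benign).strip()
        # The shell fails on "<cgi_dir>/" then happily runs `echo INJECTED`.
        results["vuln_injected"] = vulnerable_dispatch(cgi_dir, injected).strip()
        results["hard_benign"] = hardened_dispatch(cgi_dir, benign).strip()
        for label, url in (("hard_injected", injected), ("hard_traversal", traversal)):
            try:
                hardened_dispatch(cgi_dir, url)
                results[label] = "executed"
            except PermissionError:
                results[label] = "rejected"
    finally:
        shutil.rmtree(cgi_dir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

The vulnerable handler is "correct" for every well-formed request, which is why this class of bug survives testing: only an input containing shell metacharacters shows the difference. Note that the hardened version does not try to escape the name; it refuses anything outside a tiny allowlist and removes the shell from the path entirely, which is the fix that holds up regardless of which shell the target ships.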
    8. Re:what's the point of IOS? by jcnnghm · · Score: 3, Informative

      Too bad there isn't a -1 Wrong moderation. A high-end Cisco router and a Linksys consumer router are so fundamentally different that your assertion is laughable on its face. Perhaps the reason they are sticking with IOS is because their hardware and software is purpose-built to shift orders of magnitude more packets per second than Linksys Linux routers would ever be capable of? Watch out for the corporate conspiracy black helicopters though.

      --
      You don't make the poor richer by making the rich poorer. - Winston Churchill
    9. Re:what's the point of IOS? by abigor · · Score: 2, Informative

      No, you are completely wrong. You clearly have no experience whatsoever with Cisco hardware and have no idea what you're talking about.

  6. Windows 2000 (W2K) SP4... by antdude · · Score: 3, Interesting

    http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx mentioned no updates for Windows 2000 SP4 because it requires a major change in operating system (OS). If no fixes, then what will stop it? Hardware routers and/or software firewalls for those who still use it?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  7. Re:Better Late than never? by bertoelcon · · Score: 2, Funny

    You must be new here, by not RTFA you get "+1 normal /. reader".

    --
    Anything can be found funny, from a certain point of view.
  8. It was a joint release date by Anonymous Coward · · Score: 4, Informative

    Today was a joint release date. That is to say: everyone agreed that nobody would release their fix(es) until everyone was ready.
    This was done to ensure that an attacker did not reverse engineer one company's fix and use the flaw to wreak havoc on another company's products.

    And "everyone" in this case includes more vendors than just Microsoft & Cisco. The firm I work for released our fix(es) for this issue today.

    Instead of someone disclosing a security problem one month before the vendor's next scheduled patch date, wouldn't you prefer that a major remote flaw affecting hundreds of companies' products be hidden until most of them were ready to be patched?

  9. TCP/IP Filtering stalls this bug in Windows 2000 by Anonymous Coward · · Score: 2, Informative

    See subject-line, & this quote from the pages @ MS on how to "mitigate" this type of attack (easily done really):

    http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx

    "To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature"

    I cover how to do that (& really, EVERYONE should on Windows 2000/XP/Server 2003, because it acts as another "layer" of defense, for "layered security" above & beyond std. firewalling, because it uses ipfltdrv.sys, which acts PERFECTLY FINE alongside all other defenses)

    I cover a LOT of this here, & IP FILTERING'S VERY EASY TO SETUP (you may want to refer to the IANA ports list though, for YOUR particular needs, it does help):

    -----

    HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "Fun-to-Do", via CIS Tool Guidance (& beyond):

    http://www.tcmagazine.com/forums/index.php?s=33555fc937017deab726a927c1c4a7fd&showtopic=2662

    (You MAY want to look @ points #3 - #5 there, they cover IP Filtering, IPSec, & more... specifically in regards to this, & protecting yourself vs. it, on Windows 2000... it SHOULD work, according to MS, & it is JUST GOOD "LAYERED SECURITY" anyhow!)

    -----

    Now, the IP FILTERING (ipfltdrv.sys) works PERFECTLY FINE alongside ipnat.sys (firewall driver), & ipsec.sys (IP Security Policies) too... all of them, alongside TCP FILTERING, work fine "all @ once"/"concurrently"... + of course, alongside tcpip.sys, the base IP driver)

    The 3 other drivers work @ DIFFERENT LAYERS of the IP stack around tcpip.sys, making them function PRETTY MUCH like a "Zone Defense"/"Greek Phalanx", so if you take 1 down? The others are STILL IN THE WAY... it's neat - too bad MS did away with that w/ VISTA onwards now using the single layer (& thus, single "lock" only) WFP + NDIS6, which even the folks @ ROOTKIT.COM are stating is "much easier to unhook & bypass" vs. the older model whose architecture I just laid out...))

    APK

    P.S.=> Enjoy, that OUGHT to help you Windows 2000 folks out there, vs. this "bug"... do I think MS could fix it? Sure, but it'd "hurt business"... replace RDR20.DLL with MSWSOCK.DLL (for LSP/Layered Service Providers), the latter being what XP/Server 2003/VISTA onwards use, & it could be fixed imo... but, "that's business" for you! apk
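
What "enable advanced TCP/IP filtering" actually sets, as an added example that is not code from APK, the linked guide or Microsoft: on Windows 2000/XP/2003 the Advanced TCP/IP Settings dialog writes a global `EnableSecurityFilters` DWORD under the Tcpip\Parameters key and per-interface `TcpAllowedPorts`, `UdpAllowedPorts` and `RawIpAllowedProtocols` REG_MULTI_SZ allowlists, and the Python below emits a .reg file that does the same so the setting can be reviewed and deployed without clicking through the GUI. The interface GUID is a placeholder to be replaced with the real one found under Tcpip\Parameters\Interfaces, and the port lists are assumptions for a host that should expose only HTTP, HTTPS and DNS. One caveat a practitioner should keep in mind: the filter only drops traffic to ports nothing is listening on, so a connection-exhaustion attack against a service you must keep open still gets through; this shrinks exposure rather than fixing the stack.

```python
"""Emit a .reg file enabling Windows 2000/XP/2003 TCP/IP filtering.

Added example, not Microsoft's or APK's code. The interface GUID is a
PLACEHOLDER (assumption): replace it with a real key name from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces.
"""
from typing import Iterable, List, Optional

TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Assumption: placeholder GUID, not a value from any real machine.
PLACEHOLDER_GUID = "{00000000-0000-0000-0000-000000000000}"


def multi_sz_hex(values: Iterable[str]) -> str:
    """Encode strings as regedit's hex(7) form of REG_MULTI_SZ: each string
    as UTF-16LE followed by a NUL, then one more NUL to close the list."""
    raw = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def allowlist(items: Optional[Iterable[int]], upper: int) -> List[str]:
    """None means 'Permit All' (the documented single value "0"); an empty
    list is the GUI's 'Permit Only' with nothing listed, i.e. permit none.
    Anything else is validated against 1..upper and stringified."""
    if items is None:
        return ["0"]
    out = []
    for n in items:
        if not 1 <= n <= upper:
            raise ValueError(f"value out of range 1..{upper}: {n}")
        out.append(str(n))
    return out


def tcpip_filter_reg(interface_guid: str,
                     tcp_ports: Optional[Iterable[int]],
                     udp_ports: Optional[Iterable[int]],
                     raw_protocols: Optional[Iterable[int]]) -> str:
    """Build the .reg text: global enable switch plus per-interface allowlists.
    Ports are 1..65535; raw IP protocol numbers are 1..255."""
    iface = f"{TCPIP_PARAMS}\\Interfaces\\{interface_guid}"
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{TCPIP_PARAMS}]",
        '"EnableSecurityFilters"=dword:00000001',
        "",
        f"[{iface}]",
        f'"TcpAllowedPorts"={multi_sz_hex(allowlist(tcp_ports, 65535))}',
        f'"UdpAllowedPorts"={multi_sz_hex(allowlist(udp_ports, 65535))}',
        f'"RawIpAllowedProtocols"={multi_sz_hex(allowlist(raw_protocols, 255))}',
        "",
    ]
    # regedit expects CRLF line endings in .reg files.
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Assumed policy: a web server that also answers DNS, raw IP left open.
    print(tcpip_filter_reg(PLACEHOLDER_GUID, [80, 443], [53], None))
```

Merge the output with `regedit /s` and reboot; the setting takes effect at stack start. Before deploying, dump the interface key with `reg query` so you can see the exact values the GUI would have written and diff them against this file.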