Microsoft, Cisco Finally Patch TCP DoS Flaw 114
Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."
Re:Better Late than never? (Score:4, Informative)
From the MS bulletin:
Non-Affected Software
Operating System
Windows XP Service Pack 2 and Windows XP Service Pack 3*
Windows XP Professional x64 Edition Service Pack 2*
Re:what's the point of IOS? (Score:1, Informative)
Cisco has done this with newer platforms and code trains. Their ASA platform is based upon linux..
I think they have seen the light, but like a massive oil tanker things take time to change.
Re:what's the point of IOS? (Score:4, Informative)
Juniper maybe? Of course if you think routers are from Linksys, Netgear, D-Link, etc. then we're not talking the same type of router.
Re:i reall want an objective (Score:2, Informative)
Did you read Cisco's list [nether.net] of vulnerable hardware? It certainly takes a long time to test all of your currently supported hardware, test and release updates for all of them, many of which have multiple supported trains of software support that the fix needs to be rolled in to.
Re:what's the point of IOS? (Score:2, Informative)
Mind you, JUNOS is based on FreeBSD, not Linux.
Re:what's the point of IOS? (Score:3, Informative)
Re:what's the point of IOS? (Score:3, Informative)
Re:what's the point of IOS? (Score:5, Informative)
First off, a lot of these embedded OSs are real time OSs. Linux vanilla isnt.
So lets say your company standardized on dd-wrt, which is popular and a solid product, but look at the recent security issue:
http://routerip/cgi-bin/;command_to_execute [routerip]
Thats right, the command goes right there and it runs as root. Thats a nightmare level security issue that CS101 students should be ashamed of, let alone from true hackers.
So imagine if linksys standardized on dd-wrt. Just clicking on http://192.168.1.1/cgi-bin/;rm-r [192.168.1.1] would destroy your router. That link could be be put everywhere on the web and would result in mass chaos.
I think a lot of companies know the quality from even the most popular OSS projects can be highly uneven and hackers are just that: hackers. They hack things together. Good design and security testing is usually an afterthought.
Re:what's the point of IOS? (Score:4, Informative)
Too bad there isn't a -1 Wrong moderation. A high end Cisco router, and a Linksys consumer router are so fundamentally different that your assertion is laughable on its face. Perhaps the reason they are sticking with IOS is because their hardware and software is purpose built to shift orders of magnitudes more packets per second than LInksys Linux routers would ever be capable of? Watch out for the corporate conspiracy black helicopters though.
Re:what's the point of IOS? (Score:3, Informative)
No, you are completely wrong. You clearly have no experience whatsoever with Cisco hardware and have no idea what you're talking about.
It was a joint release date (Score:4, Informative)
Today was a joint release date. That is to say: Everyone agreed that nobody would release their fix(es) until everyone was ready.
This was done to ensure that an attacker did not reverse engineer one company's fix, and use the flaw to wreck havoc on another company's products.
And "Everyone" in this case includes more vendors than just Microsoft & Cisco. The firm I work for released our fix(es) for this issue today.
Instead of someone disclosing a security problem one month before the vendor's next scheduled patch date [slashdot.org], wouldn't you prefer that a major remote flaw affecting hundreds of companys' products be hidden until most of them were ready to be patched?
Re:what's the point of IOS? (Score:1, Informative)
As if 'good design and security testing' always happens at large corporations like Cisco... right. That kind of stuff gets undercut all the time. They take the option of just waiting for the bugs to be found and patch them after the fact.
TCP/IP Filtering stalls this bug in Windows 2000 (Score:2, Informative)
See subject-line, & this quote from the pages @ MS on how to "mitigate" this type of attack (easily done really):
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx [microsoft.com]
"To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature"
I cover how to do that (& really, EVERYONE should on Windows 2000/XP/Server 2003, because it acts as another "layer" of defense, for "layered security" above & beyond std. firewalling, because it uses ipfltdrv.sys, which acts PERFECTLY FINE alongside all other defenses)
I cover a LOT of this here, & IP FILTERING'S VERY EASY TO SETUP (you may want to refer to the IANA ports list though, for YOUR particular needs, it does help):
-----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "Fun-to-Do", via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=33555fc937017deab726a927c1c4a7fd&showtopic=2662 [tcmagazine.com]
(You MAY want to look @ points #3 - #5 there, they cover IP Filtering, IPSec, & more... specifically in regards to this, & protecting yourself vs. it, on Windows 2000... it SHOULD work, according to MS, & it is JUST GOOD "LAYERED SECURITY" anyhow!)
-----
Now, the IP FILTERING (ipfltdrv.sys) works PERFECTLY FINE alongside ipnat.sys (firewall driver), & ipsec.sys (IP Security Policies) too... all of them, alongside TCP FILTERING, work fine "all @ once"/"concurrently"... + of course, alongside tcpip.sys, the base IP driver)
The 3 other drivers work @ DIFFERENT LAYERS of the IP stack around tcpip.sys, making them function PRETTY MUCH like a "Zone Defense"/"Greek Phalanx", so if you take 1 down? The others are STILL IN THE WAY... it's neat - too bad MS did away with that w/ VISTA onwards now using the single layer (& thus, single "lock" only) WFP + NDIS6, which even the folks @ ROOTKIT.COM are stating is "much easier to unhook & bypass" vs. the older model whose architecture I just laid out...))
APK
P.S.=> Enjoy, that OUGHT to help you Windows 2000 folks out there, vs. this "bug"... do I think MS could fix it? Sure, but it'd "hurt business"... replace RDR20.DLL with MSWSOCK.DLL (for LSP/Layered Service Providers), the latter being what XP/Server 2003/VISTA onwards use, & it could be fixed imo... but, "that's business" for you! apk
Re:Hey things take time. (Score:3, Informative)
Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.
Um, no. They took a streams BSD stack for Windows NT 3.1, but they didn't like streams for some reason and implemented their own a sockets based stack for NT3.5. See: http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357 [kuro5hin.org]
Re:Hey things take time. (Score:3, Informative)