Microsoft, Cisco Finally Patch TCP DoS Flaw

Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."

very, very old vulnerability

[neko the frog]

I mean, Robert E. Lee has been dead for *decades*.

Re:

[palegray.net]

It must have taken an army [wikipedia.org] of coders to fix these flaws.

Re:

[UncleTogie]

It must have taken an army of coders to fix these flaws.

It was easy. They had confederates!

Hey things take time.

[palegray.net]

Just think of all the meetings that had to be convened, coffee brewed, dinners expensed discussing the potential impact of these flaws, input from the legal department on the cost of fixing the bug versus potential liability including agreement to the shrinkwrap license that absolves MS of any liability unless a judge someday says otherwise, reading the tea leaves, God the list goes on and on.

I'm proud of them for releasing this fix in such a timely fashion.

Re:Hey things take time.

[thePowerOfGrayskull]

Alternatively, just think of what would have happened if either of those giants had released a patch for something as fundamental as the TCP stack that introduced a new bug or worse hole; then automatically pushed it to millions of users. A year might be excessive, but considering the size of their userbases... I can understand it.

Re:

[ThePhilips]

Yes, absolutely. TCP is so complicated that only few engineers know precisely how it works and can patch the flaw. And probably it also lacks test tools. OMG. I'm so happy that it took them only a year.

/sarcams

WTF. Get real. TCP is studied and implemented as a lab assignment now in pretty much every university by all who in any way relate to network programming. Test tools and analyzers are abundant (both hardware and software) and can simulate pretty much any kind of load. There are even commercial

Re:Hey things take time.

[Anonymous Coward]

WTF. Get real. TCP is studied and implemented as a lab assignment now ...

Your point that TCP programming is practiced in abundance is well taken, but my experience has taught me that anything related to network programming in general, and TCP/IP implementations in particular (particularly where interoperability between your product and TCP stacks you've never seen before is concerned) is astoundingly difficult, and that anyone who believes that they've got all the bases covered, that they've foreseen everything that could go wrong, and that they're in the clear because their tests indicates that all their stuff is RFC-compliant will be the first to get their asses kicked hard after they release their product.

Re:

[ThePhilips]

True. (Wouldn't lie - I personally implemented in past only about 50% of TCP.)

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

Cisco IIRC also uses FreeBSD TCP implementation.

In other words, I still fail to see the problem: likewise they could have lifted the solution for the problem from the very same source where from

Re:

[anss123]

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

Um, no. They took a streams BSD stack for Windows NT 3.1, but they didn't like streams for some reason and implemented their own a sockets based stack for NT3.5. See: http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357 [kuro5hin.org]

Re:

[MarkKB]

STREAMS was always meant to be a temporary solution - it was slow and clunky, but it served as a stopgap while Microsoft worked on their own TCP stack.

Incidentally, when they ported STREAMS, they also ported the command line tools ("ftp", ect)that came with them, which were themselves ports of BSD's command line tools. Since the programs worked, they saw no reason to replace them.

Of course, when the tech press discovered they were ports (via disassembly, IIRC), they went crazy about it, as tech press does.

Re:

[shutdown -p now]

Nevertheless, it's pretty well known fact that MS took their implementation of TCP from BSD which apparently doesn't have the problem. More than that they took fresh implementation from FreeBSD relatively recently for 2003 Server.

It's also fairly well known that TCP/IP stack was rewritten from scratch in Vista/Win2008, with no BSD code left. So this doesn't seem to be relevant.

Re:

[ClosedSource]

How comprehensive are these TCP "lab assignments" and are students allowed only RFCs as a reference?

Re:

[ThePhilips]

Sometimes they are quite comprehensive BTW as they are used further for internal research. But only sometimes.

As for RFCs, in my experience few students actually read them. TCP implementation is scattered over many STDs/RFCs and gathering them together is a pain. Most prefer to cheat using some TCP book.

What you say is a valid concern. But my point was different: no way there is a technical reason for one year delay for the fix in so well known piece of software as the TCP stack. (Which in MS's case

Re:

[ClosedSource]

Well, your point seemed to be that TCP was trivial.

We don't know all the details but it seems to me that there is no reason why MS and CISCO would take a year fixing it other than a technical reason.

Re:

[rliden]

If the fix was so easy then the death of Jack Louis wouldn't have hampered the patch process. TFA mentions that even though he was in good contact with others and kept good notes his death caused a big slowdown in finishing the research and patch.

It's always easy to find other peoples bugs and go on about how easy it would be to fix it. It only gets hard when you're coding the bugfix and the obvious solutions aren't fixing the problem.

Re:

[thePowerOfGrayskull]

"M$". I see what you did there. That was very clever. And original, too.

Re:

[jhol13]

Yes, than God it does not affect Linux!
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html [www.cert.fi]

Oops ... well, at least Linux fixed it promptly!

http://kbase.redhat.com/faq/docs/DOC-18730 [redhat.com]
"Due to upstream's decision not to release updates, Red Hat do not plan to release updates to resolve these issues"

Oops ... well, anyway Windows suck!

Re:

[palegray.net]

Heh, RedHat isn't Linux. They're a vendor, and a completely corporate one at that. This is why I've always stuck with Debian, for the record.

Re:

[cowbutt]

Um, you know what Red Hat mean when they say 'upstream', right? That means no distribution will have the fix unless they develop one themselves, since Linus isn't including one.

Re:

[palegray.net]

That's exactly my point. Other distributions (also "not Linux") fixed the problem.

Re:

[cowbutt]

Are you quite sure Debian supplied a kernel fix? Only searching debian.org for CVE-2008-4609 doesn't find anything relevant.

Re:

[palegray.net]

Debian's kernels are fixed. I upgraded my Lenny systems recently to patch against the issue.

Re:

[cowbutt]

Where is it documented that Debian's kernels are fixed? Have you got a link?

Re:

[palegray.net]

I'm not going to do all your research for you. About five seconds of Googling yields this Ubuntu page: Ubuntu Security Notice USN-819-1 [ubuntu.com]. Debian's notices shouldn't be that hard to find, either. Of course, you can always just try the proof of concept code on an updated Debian system if you seriously doubt the maintainers.

Re:

[cowbutt]

USN-819-1 references CVE-2009-2692 not CVE-2008-4609 (i.e. the issue we're talking about here). The details don't match CVE-2008-4609 either. Searching Debian's security announcement list for CVE-2008-4609 finds nothing.

Debian (and by extension, Ubuntu) do a fine job of producing distributions and keeping them pretty secure. But you've not substantiated your claim that they've implemented their own kernel fix for CVE-2008-4609.

Re:

[palegray.net]

Yeah, I did grab the wrong USN page. I cross-referenced the recent local privilege escalation issue by mistake.

Re:

[palegray.net]

Until I can determine otherwise, I've got to retract my statement that this is fixed in Debian. I can't find any noise on any lists about this particular CVE with respect to Debian. I'll keep watching it, though.

Better Late than never?

[Monkeedude1212]

I was afraid they weren't going to patch these kinds of flaws in Vista to push Windows 7. ...

What do you mean some people still prefer XP over Vista? ...

What do you mean XP isn't being patched?

Re:Better Late than never?

[Anonymous Coward]

From the MS bulletin:

Non-Affected Software
Operating System
Windows XP Service Pack 2 and Windows XP Service Pack 3*
Windows XP Professional x64 Edition Service Pack 2*

Re:

[Monkeedude1212]

My mistake, you may now mod me "-1 RTFA"

Re:

[bertoelcon]

You must be new here, by not RTFA you get "+1 normal /. reader".

Re:

[SEWilco]

My mistake, you may now mod me "-1 RTFA"

First, code a patch for "-1 RTFA".

Re:

[sharkey]

http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx [microsoft.com]

Today, they have XP listed as affected with the same impact as Win 2003 (DoS), just with a "low" rating and no patch. Windows 7 and Windows 2008 R2 are the only non-affected software.

Re:

[dkleinsc]

Well, for Windows 7 you'll just have to use the SMB packet of death [slashdot.org] instead. Which is really too bad: usually Microsoft has a much better track record on backwards compatibility.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Did you read Cisco's list [nether.net] of vulnerable hardware? It certainly takes a long time to test all of your currently supported hardware, test and release updates for all of them, many of which have multiple supported trains of software support that the fix needs to be rolled in to.

It was a joint release date

[Anonymous Coward]

Today was a joint release date. That is to say: Everyone agreed that nobody would release their fix(es) until everyone was ready.
This was done to ensure that an attacker did not reverse engineer one company's fix, and use the flaw to wreck havoc on another company's products.
 

And "Everyone" in this case includes more vendors than just Microsoft & Cisco. The firm I work for released our fix(es) for this issue today.
 

Instead of someone disclosing a security problem one month before the vendor's next scheduled patch date [slashdot.org], wouldn't you prefer that a major remote flaw affecting hundreds of companys' products be hidden until most of them were ready to be patched?

Re:

[Anonymous Coward]

No, because I know that people who are willing to exploit the flaw already know how it works. For a start, you had to tell everyone in all the affected companies how it worked so they could fix it. And they told their sub contractors, who told some guy in India, who put in on his blog.

I'd rather reward those that fixed it fast, or told me how to work around it. And if they don't, or can't, I'd rather know about it so I can do something myself.

Put it this way, if I found out that most major manufacturers

Re:

[Arainach]

Two reasons:

(1) Because companies have discovered that it's far better for the PC ecosystem to release patches in a coordinated system (such as "Patch Tuesday") that corporations, etc. can plan for than to release everything ASAP

(2) Because regression bugs happen, and it's important to tests hotfixes thoroughly, particularly when they affect core functionality like, say, TCP/IP networking.

what's the point of IOS?

[RelliK]

Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

Re:

[Anonymous Coward]

Cisco has done this with newer platforms and code trains. Their ASA platform is based upon linux..

I think they have seen the light, but like a massive oil tanker things take time to change.

Re:

[mat128]

Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

you have no idea how big and dedicated the Cisco IOS is!

Re:

[Paralizer]

Can you explain why Linux would be better suited for this?

Re:

[xZgf6xHx2uhoAj9D]

It's not about better suited; it's about well suited. As long as it's good enough, why not take advantage of the free maintenance all the Linux hackers do for you?

Re:

[mckinleyn]

Lol. Because Linux hackers are (to a corporation) incomprehensible and unreliable. They have no contract that's broken if they choose NOT to help. History (linux people fix their software pretty much always) != reliability.

Re:

[xZgf6xHx2uhoAj9D]

So what? Is x Linux hackers + y CISCO employees working on some code worse than y CISCO employees working on some code? If the Linux hackers don't do what you want them to do, fine, fork the code in the worst place. You're no worse off than you were just working on your own.

Re:what's the point of IOS?

[gad_zuki!]

First off, a lot of these embedded OSs are real time OSs. Linux vanilla isnt.

So lets say your company standardized on dd-wrt, which is popular and a solid product, but look at the recent security issue:

http://routerip/cgi-bin/;command_to_execute [routerip]

Thats right, the command goes right there and it runs as root. Thats a nightmare level security issue that CS101 students should be ashamed of, let alone from true hackers.

So imagine if linksys standardized on dd-wrt. Just clicking on http://192.168.1.1/cgi-bin/;rm-r [192.168.1.1] would destroy your router. That link could be be put everywhere on the web and would result in mass chaos.

I think a lot of companies know the quality from even the most popular OSS projects can be highly uneven and hackers are just that: hackers. They hack things together. Good design and security testing is usually an afterthought.

Re:

[Anonymous Coward]

As if 'good design and security testing' always happens at large corporations like Cisco... right. That kind of stuff gets undercut all the time. They take the option of just waiting for the bugs to be found and patch them after the fact.

Re:

[L4t3r4lu5]

Just clicking on http://192.168.1.1/cgi-bin/;rm-r [192.168.1.1] [192.168.1.1] would destroy your router.

I don't believ

Re:what's the point of IOS?

[Nethead]

Juniper maybe? Of course if you think routers are from Linksys, Netgear, D-Link, etc. then we're not talking the same type of router.

Re:

[Anonymous Coward]

Mind you, JUNOS is based on FreeBSD, not Linux.

Re:

[falzbro]

Cisco IOS-XR, which is not vulnerable, has a Linux kernel.

Re:

[the linux geek]

Actually, I believe its QNX, not Linux.

Re:

[falzbro]

Whoops, I guess I was thinking IOS-XE [cisco.com], which is vulnerable.

Re:

[Empty Threats]

Cisco also sells a prominent line of layer-3 switches (almost routers) based on Linux, running "NX-OS." The interface is similar to classic IOS.

(IOS-XR, however, is QNX.)

Re:

[Locke2005]

Linksys is owned by Cisco. Linksys makes devices that do most of what the Cisco boxes do at a fraction of the cost. If they were to switch the Cisco routers to Linux, they would effectively be telling their customers "there is no benefit to buying our high-end boxes over a Linksys router". Actually, the reason they are sticking with IOS is that people have payed and continue to pay thousands of dollars to get Cisco CCNA certification [cisco.com]. Switching to Linux would render all that training obsolete, and mean that

Re:what's the point of IOS?

[longfalcon]

are you kidding?

Linksys was acquired by cisco.
there is about as much difference between Linksys and cisco routers as there is between a weekend yacht and a freighter.

IOS was designed to be an enterprise embedded solution, not for some Joe Bloggs out there who needs to hook up two computers to his cable connection.

Re:what's the point of IOS?

[jcnnghm]

Too bad there isn't a -1 Wrong moderation. A high end Cisco router, and a Linksys consumer router are so fundamentally different that your assertion is laughable on its face. Perhaps the reason they are sticking with IOS is because their hardware and software is purpose built to shift orders of magnitudes more packets per second than LInksys Linux routers would ever be capable of? Watch out for the corporate conspiracy black helicopters though.

Re:

[abigor]

No, you are completely wrong. You clearly have no experience whatsoever with Cisco hardware and have no idea what you're talking about.

Re:

[L4t3r4lu5]

I know that my Cisco router is much better than my home D-Link router. The Cisco one:

- Is twice the size
- Requires storing in a wall mounted rack
-Cost two orders of magnitude more
- Has more fans

For all the noise it makes, it bloody well best be more efficient than my home router.

Re:

[dopodot]

"IOS" has been rewritten and released half a dozen times, as NX-OS (which is Linux based), IOS-XR, IOS-XE (also Linux based), Modular IOS, and another major one in the pipeline. They all offer the same basic CLI interface that CCNA holders would be familiar with and instantly able to use.

Re:

[jonnyt886]

I'd say IOS isn't just the software that runs their routers and so on, IOS is behind a product portfolio and provides Cisco with a vendor lock-in strategy (for want of a better phrase)...

Firstly, IOS is the operating system but on top of that, they can sell IOS as an individual product (even if it only comes bundled with other ones, it's good material for the marketing department) and they also have the numerous Cisco certifications that revolve around (or heavily involve) the usage of IOS.

Secondly, the loc

Re:

[dopodot]

Cisco's moving towards Linux. That post is 2 years old, and they've not announced anything hinting that anything BSD will be coming out. I have a feeling they're willing to deal with the GPL (Linux) just so they don't have to adopt BSD years after Juniper did, which could be a little embarassing.

Realistic impact?

[ACMENEWSLLC]

This is something the press would be screaming end of the Internet if they got their hands on it.

What's the reality? Is this easy to exploit and is the Internet going to come crashing down?

Re:

[afidel]

It's like a SYN flood for most products (possible resource exhaustion) though all unpatched Vista derivatives (Vista, Server 2008, Win7, Server 2008 R2) have remote code vulnerabilities. Basically if you are upatched and someone wants to they can fill up the TCP memory on anything of yours that talks to the internet and knock that service or device offline while requiring very little resources on their part.

Windows 2000 (W2K) SP4...

[antdude]

http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx [microsoft.com] mentioned no updates for Windows 2000 SP4 because it requires a major change in operating system (OS). If no fixes, then what will stop it? Hardware routers and/or software firewalls for those who still use it?

TCP/IP Filtering stalls this bug in Windows 2000

[Anonymous Coward]

See subject-line, & this quote from the pages @ MS on how to "mitigate" this type of attack (easily done really):

http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx [microsoft.com]

"To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature"

I cover how to do that (& really, EVERYONE should on Windows 2000/XP/Server 2003, because it acts as another "layer" of defense, for "layered security" above & beyond std. firew

Re:

[fbwhrdpmtajg]

Just schedule a reboot, hopefully you are transitioning away from it for critical systems since all security fixes for it will stop in 10 months anyway.

Re:

[paganizer]

1st off, I can't duplicate it for Win2k. I'm using Windows 2000 Advanced Server as my testing machine, but that really shouldn't be an issue.
2nd off, the release says the worst possible thing that can happen to Win2k is a DoS; the intense hatred microsoft has for people still using Win2k makes me think that they are possible telling an untruth.
3rd off, I'd be sort of suspicious when the same thing applies to Win2k3 also; they aren't making money from windows 2003 these days, only the operating systems that

DoS flaw, really?

[miffo.swe]

In Microsofts case i read the bulletin as it allows remote code execution in w2k8 and Vista. Thats very unpleasant considering it happens in the TCP/IP level and not higher up. Im no hacker but from what i can understand this exploit allows a hacker to own ANY affected system directly over the internet as long as any port on that target is accessible. I really hope im reading this wrong.

A firewall wont help at all in that case and critical is a very moderate rating indeed. Im very glad we havent upgraded to

windows 2003 patch

[lakshman6]

so when can we expect a windows 2003 patch to come? anyone know the date?

Re:cotton bots, sand bots, rice bots

[Nethead]

Kill all humans!