Updated Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.
The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.
"This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own," Lee told The Register. "This really is good progress from both Microsoft and Cisco."
On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee. The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected.
Cisco issued it's own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive.
"By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases," the bulletin stated. "With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system."
Several other companies issued their own advisories concerning the vulnerability, according to this advisory from the Computer Emergency Response Team in Finland. Security firm Check Point Software said it was updating several security gateway products. Linux distributor Red Hat, meanwhile, stopped short of issuing a fix, but offered this workaround.
The industry wide advisories are designed to address a design flaw in a core internet protocol. Louis and Lee discovered it in 2005 and kept it secret last year. The researchers have provided few public details about how to exploit the bug to prevent it from being targeted in real-world attacks. Now that fixes are being released, he plans to write several blog posts in the coming weeks that for the first time will publicly reveal how attacks are carried out.
The vulnerability is unusual in that it causes a server or router to stop working with relatively modest amounts of malformed traffic. What's more, the disruption lasts even after the malicious assault has ended. In many cases, the only way to repair a disabled device is to restart it, a remedy that's not suitable in most data centers.
Not all industry players agree on the severity of the flaw. Researchers from router maker Juniper Networks said they "found no unexpected or adverse impact to our equipment which is different from other types of TCP Denial of Service." VMware and Clavister said none of their products are vulnerable, either.
Lee cautioned that many companies are wrong when they claim their products are unaffected by the new class of DoS vulnerabilities. In particular, he said Juniper's insistence that its products aren't vulnerable "means the guys at Juniper didn't get it." He went on to say: "I'm reasonably certain they're absolutely vulnerable."
Barry Greene, director of Juniper's security incident response team, took exception to that claim. He said his security team tested Juniper's entire product portfolio using Outpost24's own security tools and found no evidence any of it was vulnerable to the types of attacks described by Louis and Lee.
"The expectation is that when you're under attack, your system should recover when you remove the attack," Greene said. "Your system shouldn't crash when you're under attack. Our expectation is that we recover as we do from any other DoS attack of this type." ®
This article was updated to include comment from Juniper.