Cisco Response
Additional Information
Revision History
Cisco Security Procedures
This is Cisco's response to research presented by Robert E. Lee and Jack Louis of Outpost24 who have announced several denial of service (DoS) vulnerabilities that involve the manipulation of TCP state table information. These vulnerabilities have been discussed on numerous websites and blogs, including a presentation delivered by Lee and Louis at the T2 conference in Helsinki, Finland on October 17, 2008.
Cisco PSIRT is aware of the vulnerabilities and is actively investigating what impact these vulnerabilities may have on Cisco products. PSIRT will disclose any security vulnerabilities discovered in compliance with Cisco's security vulnerability policy:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
PSIRT is working with Outpost24 and the Finnish Computer Emergency Response Team (CERT-FI) as part of the industry response to these vulnerabilities. An announcement from CERT-FI is available at the following link:
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
Cisco PSIRT research indicates that an attacker must complete a TCP three-way handshake with a device to successfully exploit these DoS vulnerabilities. This requirement makes spoofing the source of an attack more difficult, because the attacker must receive the device's SYN/ACK. The TCP vulnerabilities that Outpost24 announced are an extension of well-known weaknesses in the TCP protocol.
It is possible to mitigate the risk of these vulnerabilities by allowing only trusted sources to access TCP-based services. This mitigation is particularly important for critical infrastructure devices. PSIRT recommends implementing infrastructure access control lists (IACLs) and control plane policing (CoPP) to protect core network functionality. For more information, see the IACL documentation at the following links:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#limitaccess
Information on CoPP can be found at the following links:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
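The following Cisco IOS configuration is an added illustration of the two mitigations described above (an IACL restricting which sources may open TCP sessions to infrastructure addresses, and a CoPP policy rate-limiting the TCP traffic that still reaches the control plane); it is not part of the Cisco response and is not a Cisco-supplied configuration. The addresses (192.0.2.0/24 as the infrastructure address block, 198.51.100.0/24 as trusted management hosts, 203.0.113.1 as a BGP peer), the ACL, class-map and policy-map names, the interface and the police rates are all assumed for the example and must be replaced with values appropriate to the network. Only SSH and BGP are shown; any other protocol the device must accept (IGPs, ICMP, NTP, SNMP, and so on) needs its own permit entries and CoPP class before the deny.

```cisco
! Added example, not from the Cisco response. Assumed addresses:
!   192.0.2.0/24    infrastructure (router) addresses of this network
!   198.51.100.0/24 trusted management hosts
!   203.0.113.1     eBGP peer of 192.0.2.1
!
! --- Infrastructure ACL ---------------------------------------------------
! Only trusted sources may complete a TCP handshake to infrastructure
! addresses; everything else destined to those addresses is dropped at the
! edge, while transit traffic is unaffected.
ip access-list extended IACL
 remark Trusted management hosts may reach SSH on infrastructure addresses
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 remark BGP session with the peer, in both directions of the TCP session
 permit tcp host 203.0.113.1 host 192.0.2.1 eq 179
 permit tcp host 203.0.113.1 eq 179 host 192.0.2.1
 remark Deny all other traffic to infrastructure addresses (logged)
 deny ip any 192.0.2.0 0.0.0.255 log
 remark Transit traffic to customer/user prefixes is not filtered here
 permit ip any any
!
interface GigabitEthernet0/0
 description Untrusted edge (assumed interface)
 ip access-group IACL in
!
! --- Control plane policing -----------------------------------------------
! Defense in depth for TCP that still reaches the control plane: known
! sessions get their own class and rate, all other TCP is held to a very
! low rate so it cannot exhaust the device's TCP state table.
ip access-list extended COPP-BGP
 permit tcp host 203.0.113.1 any eq 179
 permit tcp host 203.0.113.1 eq 179 any
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
ip access-list extended COPP-OTHER-TCP
 permit tcp any any
!
class-map match-all CoPP-BGP
 match access-group name COPP-BGP
class-map match-all CoPP-MGMT
 match access-group name COPP-MGMT
class-map match-all CoPP-OTHER-TCP
 match access-group name COPP-OTHER-TCP
!
! Rates (bps, normal burst in bytes) are placeholders; size them from
! measured control-plane traffic. Classes are evaluated in order, so BGP
! and management TCP are matched before the catch-all TCP class.
policy-map CoPP
 class CoPP-BGP
  police 512000 8000 conform-action transmit exceed-action drop
 class CoPP-MGMT
  police 128000 8000 conform-action transmit exceed-action drop
 class CoPP-OTHER-TCP
  police 8000 1500 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

Two practical checks: `show ip access-lists IACL` shows hit counts on the deny line (attempts to reach infrastructure addresses from untrusted sources), and `show policy-map control-plane` shows per-class conform and exceed counters, so a rise in the exceeded count for the catch-all TCP class is an early indicator of an attack of this kind. Note the deny line also drops return traffic for TCP sessions the router itself initiates from an infrastructure address (for example an outbound SSH or a TFTP/SCP copy); such cases need their own permit entries, as the IACL documentation linked above describes.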
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Revision | Date | Description
Revision 1.0 | 2008-October-17 | Initial public release.
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
Updated: Oct 17, 2008 | Document ID: 108167