Exploit found for Net flaw, but risks remote

23/04/2004 Written by Michael Kanellos, CNET News.com

Malicious code has been unearthed that can exploit a widely reported flaw in a popular Net protocol and possibly disrupt data transmissions, but experts say the risk of real world problems remains fairly low.

Security-software maker Symantec said Thursday that it had confirmed that software now exists that can take advantage of the TCP, or Transmission Control Protocol, vulnerability and that the software has been released publicly. Symantec did not create the exploiting software, but it has confirmed it could work.


The vulnerability primarily affects routers and other devices that handle traffic on the Internet. Discovered by Paul Watson, a security specialist for industry automation company Rockwell Automation, the weakness could allow a knowledgeable attacker to shut down connections between routers – if left unchecked.

Britain’s national emergency response team, the National Infrastructure Security Co-ordination Centre, drew attention to the issue Tuesday when it released an advisory based on Watson’s research, an advisory that triggered a spate of alarmist news reports.

Watson said Wednesday that the reports were overstated – a fix exists and most large Internet service providers and other companies have already taken remedial actions.

“The actual threat to the Internet is really small right now,” Watson said Wednesday at the CanSecWest 2004 conference in Vancouver, British Columbia. “You could have isolated attacks against small networks, but they would most likely be able to recover quickly.”

Symantec agreed with his assessment.

“At this time, Symantec has seen no evidence of systems being widely impacted by this exploit,” Vincent Weafer, senior director, Symantec Security Response, said in a statement. “Internet service providers are aware of the TCP flaw, and fixes have been made available for some time by multiple vendors. As a result, Symantec does not feel that this exploit will have an immediate impact on Internet activity, disrupt Internet traffic or cause system outages.”

The vulnerability allows for what’s known as a reset attack. Many network appliances and software programs rely on a continuous stream of data from a single source – called a session – and prematurely ending the session can cause a wide variety of problems for devices.

For years, these attacks were considered unlikely because they were thought to require the attacker to guess the identifier of the next data packet in a session. The odds on that are about one in 4.3 billion.

Watson discovered a method that brings the odds closer to one success in 260,000 attempts. An attacker armed with a typical broadband connection could send all 260,000 possible attacks in less than 15 seconds. Watson said Web sites that have routers that share information on the most efficient paths through the Internet – using the Border Gateway Protocol, or BGP – are most vulnerable to the attacks.

