TCP does not adequately validate segments before updating timestamp value (CERT/CC VU#637934)

Advisory Id:
JSA10349

Legacy Advisory Id:
PSN-2005-06-003
Product Affected:
All Juniper Networks M/T/J/E-series routers.
Problem:

Two techniques for increasing the performance of TCP are TCP timestamps and Protection Against Wrapped Sequence Numbers (PAWS), both described in RFC 1323. When both features are enabled, certain TCP implementations may be vulnerable to a denial of service (DoS) condition from packets carrying specially crafted timestamp values.

Any TCP-based protocol or service running on a JUNOS- or JUNOSe-based platform is subject to this vulnerability.

Currently, both JUNOS- and JUNOSe-based platforms will use TCP timestamps if the connection peer requests them. Additionally, JUNOS- (but not JUNOSe-) based platforms will request the use of TCP timestamps when initiating a connection.

This issue is tracked internally as CQ/65716 for JUNOSe and PR/58335 for JUNOS software.
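To illustrate the defect named in the title, the following is an added toy model of a receiver's PAWS check; it is not Juniper code and does not reproduce the actual JUNOS or JUNOSe implementation. The flawed path updates TS.Recent from any segment that passes the timestamp test, so a single out-of-window segment with a far-future timestamp causes PAWS to discard every later legitimate segment; the corrected path checks the sequence window first, as the advisory's "expanded validation checks" do. Window size, sequence numbers and timestamp values are constructed for the example.

```python
# Simplified TCP receiver modelling only the RFC 1323 PAWS timestamp test and
# the receive-window check (one byte of data per segment); added example, not
# Juniper code. All numbers below are constructed for illustration.
from dataclasses import dataclass

MOD32 = 2 ** 32


def ts_older(a: int, b: int) -> bool:
    """True if 32-bit timestamp a precedes b in modular (wrap-safe) arithmetic."""
    return (a - b) % MOD32 >= 2 ** 31


@dataclass
class Receiver:
    rcv_nxt: int        # next expected sequence number
    rcv_wnd: int        # receive window size
    ts_recent: int      # TS.Recent: most recent timestamp accepted
    validate_seq: bool  # True = check the sequence window before touching TS.Recent

    def in_window(self, seq: int) -> bool:
        return (seq - self.rcv_nxt) % MOD32 < self.rcv_wnd

    def process(self, seq: int, tsval: int) -> str:
        # PAWS: a segment whose timestamp is older than TS.Recent is discarded.
        if ts_older(tsval, self.ts_recent):
            return "dropped-paws"
        in_win = self.in_window(seq)
        if self.validate_seq and not in_win:
            return "dropped-seq"        # fixed behaviour: TS.Recent untouched
        self.ts_recent = tsval          # flawed behaviour reaches this for any seq
        if not in_win:
            return "dropped-seq"        # segment dropped, but TS.Recent already moved
        self.rcv_nxt = (seq + 1) % MOD32
        return "accepted"


def simulate(validate_seq: bool) -> list:
    """Feed three segments: legitimate, out-of-window with far-future TSval, legitimate."""
    r = Receiver(rcv_nxt=1000, rcv_wnd=65535, ts_recent=5000, validate_seq=validate_seq)
    return [
        r.process(seq=1000, tsval=5001),                 # in order, accepted
        r.process(seq=900000, tsval=5001 + 2 ** 31 - 1), # outside window, huge timestamp
        r.process(seq=1001, tsval=5002),                 # legitimate follow-up
    ]
```

With `validate_seq=False` the third, legitimate segment is discarded by PAWS because TS.Recent was advanced by the out-of-window segment; with `validate_seq=True` it is accepted.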

Solution:

Customers can mitigate the potential vulnerability associated with the use of TCP timestamps and the PAWS feature of TCP in both JUNOS and JUNOSe software as follows:

1) JUNOSe (E-series routers):

Starting with JUNOSe Release 6.1.2, a new configuration option allows you to disable negotiation of RFC 1323 PAWS functionality. The CLI command for the new, per-VR global configuration option is as follows:

    ERX(config)# [no] ip tcp paws-disable

2) JUNOS (M/T/J-series routers):

All JUNOS software Releases 6.4 and later built on or after June 2, 2005 contain modified code that provides expanded validation checks for TCP sequence numbers. In addition, two new hidden configuration statements have been introduced to control the use of RFC 1323 TCP features. In Release 6.4 these statements are located at the [edit system] hierarchy level; in Releases 7.0 and later, they are located at the [edit system internet-options] hierarchy level.

    no-tcp-rfc1323-paws

This statement disables the RFC 1323 PAWS TCP extension. By default, it is enabled.

    no-tcp-rfc1323

This statement disables the RFC 1323 TCP extensions. By default, they are enabled. If this statement is configured, the statement that disables the RFC 1323 PAWS extension (no-tcp-rfc1323-paws) must also be configured.

These configuration options are hidden and therefore you must type them in their entirety when adding them to the router's configuration.

Implementation:

Juniper Networks strongly recommends that customers take full advantage of all the security tools available in JUNOS and JUNOSe software, including the use of MD5 checksums and source address (SA) validation for TCP sessions.

For customers who require additional protection, Juniper Networks recommends installing a version of software that includes the changes to the TCP protocol. Contact the Juniper Networks Technical Assistance Center for availability and download information for JUNOSe software with the code changes. All JUNOS software Releases 6.4 and later built on or after June 2, 2005 include the modified code.

Risk Level:
Medium
Risk Assessment:
An attacker can interfere with router TCP sessions when RFC 1323 TCP Timestamps and PAWS extensions are negotiated for sessions without security protections such as MD5 authentication. Risk assessment ranges from low for Juniper Networks E-series routers to moderate for Juniper Networks M/T/J-series routers.