Denial of Service caused by stalled TCP sessions (FreeBSD-SA-05:15.tcp)

[JSA10351]

Product Affected: All Juniper Networks M/T/J/E-series routers.
FreeBSD Security Advisory, FreeBSD-SA-05:15.tcp, describes two vulnerabilities of some TCP implementations which can expose them to attacks that stall TCP sessions, resulting in a denial-of-service (DoS) condition.

The first of these problems is described as "inadequate sequence number checking when using TCP timestamps". The risk of exposure to Juniper Networks products and the mitigation procedures associated with this problem are already described in JTAC Technical Bulletin PSN-2005-06-003.

The second problem described in the Security Advisory occurs when a TCP packet with the SYN flag set is accepted for established connections, allowing certain TCP options to be overwritten. An attacker with knowledge of the local and remote IP and port numbers associated with a connection can overwrite these TCP options and stall the TCP session. Any TCP-based protocol or service running on a JUNOS- or JUNOSe-based platform is subject to this vulnerability.

This second issue, overwriting TCP options when the SYN flag is set, is tracked internally as Defect 68800 for JUNOSe software and PR/61097 for JUNOS software.

Changes have been made in the JUNOSe and JUNOS software to mitigate the potential vulnerability with overwriting TCP options when the SYN flag is set.

In addition, Juniper Networks strongly recommends that customers take full advantage of all the security tools available in JUNOS and JUNOSe software, including the use of MD5 checksums and source address (SA) validation for TCP sessions.
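The following is an added example, not code from Juniper, FreeBSD or this advisory. It models a router's TCP session table so the two behaviours can be compared directly: the legacy handling, where a SYN arriving on an ESTABLISHED connection is accepted and its options replace the negotiated ones, and the expanded validation, where such a segment is dropped and the session's options are never touched. It also shows why TCP MD5 (RFC 2385) is recommended as a further protection: a segment whose signature does not verify is rejected before any option handling runs, so a forger would need the shared key as well as the four-tuple. The `rfc2385_digest` routine is a simplified model of the signature computation (pseudo-header, fixed TCP header with the checksum zeroed, payload, key), and all addresses, ports, keys and option values are constructed.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SYN = 0x02
ACK = 0x10

# Session key as the router sees it: (local addr, local port, remote addr, remote port)
Key = Tuple[str, int, str, int]


@dataclass
class Session:
    state: str                                          # "ESTABLISHED" in this demo
    options: Dict[str, int] = field(default_factory=dict)  # negotiated during the handshake
    md5_key: Optional[bytes] = None                     # set when TCP MD5 (RFC 2385) is configured


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0
    window: int = 65535
    options: Dict[str, int] = field(default_factory=dict)
    payload: bytes = b""
    md5_sig: Optional[bytes] = None                     # TCP MD5 option value, if present


def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """Simplified RFC 2385 signature: MD5 over the pseudo-header, the fixed TCP
    header (checksum zeroed, options excluded), the payload and the shared key.
    This is a constructed model of the computation, not wire-exact code."""
    seg_len = 20 + len(seg.payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(seg.src),
                         socket.inet_aton(seg.dst), 0, socket.IPPROTO_TCP, seg_len)
    tcp_fixed = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                            5 << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + tcp_fixed + seg.payload + key).digest()


def process_segment(table: Dict[Key, Session], seg: Segment, strict: bool = True) -> str:
    """Return a verdict string for an inbound segment.

    strict=False reproduces the legacy behaviour the advisory describes: a SYN on
    an established session is accepted and its options overwrite the negotiated
    ones. strict=True is the expanded validation: such a SYN is dropped."""
    key = (seg.dst, seg.dport, seg.src, seg.sport)
    sess = table.get(key)
    if sess is None:
        return "no-session"
    # MD5 check runs first: an unsigned or mis-signed segment never reaches
    # option handling, whatever flags it carries.
    if sess.md5_key is not None:
        if seg.md5_sig is None or seg.md5_sig != rfc2385_digest(seg, sess.md5_key):
            return "drop-bad-md5"
    if seg.flags & SYN and sess.state == "ESTABLISHED":
        if strict:
            return "drop-syn-on-established"
        sess.options.update(seg.options)          # legacy: options silently replaced
        return "accepted-options-overwritten"
    return "accepted"


if __name__ == "__main__":
    # Constructed BGP session: local 10.0.0.1:179, remote 10.0.0.2:40000.
    sess = Session("ESTABLISHED", {"mss": 1460, "wscale": 7})
    table = {("10.0.0.1", 179, "10.0.0.2", 40000): sess}
    spoofed = Segment("10.0.0.2", 40000, "10.0.0.1", 179, SYN | ACK, seq=1000,
                      options={"mss": 536, "wscale": 0})
    print("strict:", process_segment(table, spoofed, strict=True), sess.options)
    print("legacy:", process_segment(table, spoofed, strict=False), sess.options)
```

Running the `__main__` block prints the strict verdict with the session options intact, followed by the legacy verdict with the options replaced by the attacker-supplied values; that second line is the "stalled session" condition, since the peer continues to use the originally negotiated MSS and window scale.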

For JUNOSe software (used on E-series routers), customers should contact the Juniper Networks Technical Assistance Center to get information about downloading software versions that contain the software changes.

All JUNOS software (for M/T/J-series routers) for Release 6.4 built on or after July 29, 2005 contains modified code that provides expanded TCP validation checks. All JUNOS software Releases 7.0 to 7.2 built on or after July 27, 2005 contain modified code that provides expanded TCP validation checks. All JUNOS software Releases 7.3 and later built on or after July 2, 2005 also contain the modified code.

Risk Assessment: An attacker can interfere with router TCP sessions by injecting TCP packets with the SYN flag set if sessions do not use security protections such as MD5 authentication. Risk assessment is moderate for Juniper Networks M/T/J/E-series routers.