
TCP sequence number approximation-based denial of service


Article ID: KB15562 | Last Updated: 04 Sep 2015 | Version: 2.0
Summary:

JTAC and SIRT are receiving several "PCI non-compliance" reports concerning the vulnerability CVE-2004-0230: TCP Sequence Number Approximation-Based Denial of Service. This KB article is the official response from Juniper Networks.

Symptoms:

The synopses of CVE-2004-0230 and US-CERT TA04-111A state:

Most implementations of the Border Gateway Protocol (BGP) rely on the Transmission Control Protocol (TCP) to maintain persistent unauthenticated network sessions. There is a vulnerability in TCP which allows remote attackers to terminate network sessions. Sustained exploitation of this vulnerability could lead to a denial of service condition; in the case of BGP systems, portions of the Internet community may be affected. Routing operations would recover quickly after such attacks ended.

However, solutions to this issue fall outside the scope of the current RFC standards.

Solution:

2014-07-09 UPDATE: This information has been superseded by JSA10638. Please refer to JSA10638 for the latest information.

CVE-2004-0230 is a characteristic of the TCP protocol: the vulnerability is built into the protocol itself, and changes to the protocol are required to build resilience against it. This specific attack vector was first described in a white paper entitled "Slipping In The Window: TCP Reset Attacks," by Paul Watson. Paul presented this work at the 2004 CanSecWest conference, one year after his observations on a BGP Attack Tree paper. Paul complied with responsible disclosure principles and worked with the UK's National CERT (NISCC at the time, now CPNI). The UK's National CERT released this as a security advisory the same day as Paul's presentation (for a copy of the advisory, see http://packetstormsecurity.org:80/0404-advisories/246929.html). At the time of the disclosure, no feasible fix to the TCP protocol existed. The IETF's TCP Maintenance Working Group has been working on feasible fixes, but at this time there is no fix to the TCP protocol. There is an Internet Draft, but there is currently no stated date for when the draft will be moved forward to an RFC and "draft standard."

Consequently, Juniper is not in a position to modify its TCP stacks. Why?

As a general engineering principle, Juniper Networks does not include features or functions which are not on the IETF's Standards Track. The changes that would add resilience against the TCP vulnerability in CVE-2004-0230 are part of an IETF Internet Draft, and thus do not meet Juniper Networks' guidelines for modification of the TCP stack.
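To make concrete what "built into the protocol" means here, the following added Python model (not Juniper code and not taken from the referenced draft) contrasts the classic RFC 793 acceptance rule, under which any RST whose sequence number lands anywhere inside the receive window tears the connection down, with the stricter rule from the IETF draft work the article refers to (assumed here to be the TCPM "tcpsecure" work later published as RFC 5961), which resets only on an exact match and answers an in-window but inexact RST with a challenge ACK. The last helper quantifies why a large receive window matters to the risk: the number of guesses needed to cover the sequence space shrinks in proportion to the window.

```python
# Model of TCP RST acceptance checks relevant to CVE-2004-0230.
# Constructed example; values are illustrative, not captured traffic.

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits and wrap around


def classic_rst_acceptable(rcv_nxt: int, rcv_wnd: int, seg_seq: int) -> bool:
    """RFC 793 rule: a segment is acceptable if its sequence number falls
    anywhere in the receive window [RCV.NXT, RCV.NXT + RCV.WND).
    Modular arithmetic handles wraparound of the 32-bit space."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def strict_rst_action(rcv_nxt: int, rcv_wnd: int, seg_seq: int) -> str:
    """Mitigated rule (as in the IETF tcpsecure work, assumed): only an RST
    whose sequence number exactly equals RCV.NXT resets the connection.
    An in-window but inexact RST triggers a challenge ACK, which a peer that
    genuinely wants to reset will answer with a correctly sequenced RST;
    anything outside the window is silently dropped."""
    if seg_seq == rcv_nxt:
        return "reset"
    if classic_rst_acceptable(rcv_nxt, rcv_wnd, seg_seq):
        return "challenge-ack"
    return "drop"


def guesses_to_cover_space(rcv_wnd: int) -> int:
    """Distinct sequence-number guesses needed so that every position in the
    32-bit space is inside at least one guessed window (ceil division).
    With exact matching this would be 2**32; with in-window acceptance it is
    2**32 / RCV.WND, which is why window size drives the practical risk."""
    return -(-SEQ_SPACE // rcv_wnd)


if __name__ == "__main__":
    nxt, wnd = 1_000, 65_535
    for seq in (nxt, nxt + 5_000, nxt + wnd, nxt - 1):
        print(seq, classic_rst_acceptable(nxt, wnd, seq),
              strict_rst_action(nxt, wnd, seq))
    print("guesses with 64 KiB window:", guesses_to_cover_space(65_536))
```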

Back in 2004, Juniper Networks released the following advisory relating to mitigating the risks from CVE-2004-0230: http://www.juniper.net/support/security/alerts/niscc-236929.txt. While originally authored for NetScreen firewalls, the recommendations and best current practices (BCPs) it contains are generally applicable to most products implementing the TCP/IP protocol.
