
Security bugs shake nets

Apr 30, 2004

TCP, SNMP vulnerabilities force Cisco and others into action

Router vendors and their ISP customers last week scurried to patch two security holes that could enable denial-of-service attacks and knock out Internet service to enterprise users.

The first is a vulnerability in the ubiquitous TCP protocol. Hackers could cause TCP sessions to end prematurely, creating a denial-of-service attack and disrupting communications between routers on the Internet by interrupting Border Gateway Protocol (BGP) sessions that use TCP, according to the U.K.’s National Infrastructure Security Co-Ordination Centre (NISCC).

The second is specific to Cisco routers. The vendor discovered a flaw in the way certain versions of its IOS software process SNMP network management traffic that could corrupt router memory and force the device to restart unexpectedly, disrupting service to enterprise and service provider customers.

The TCP vulnerability was discovered by Rockwell Automation information security specialist Paul Watson, who shared his findings at last week’s CanSecWest conference in Vancouver in his presentation, “Slipping in the Window: TCP Re-Set Attacks.” The NISCC was the first to issue a public alert, followed hours later by the U.S. Department of Homeland Security with assistance from the CERT Coordination Center based at Carnegie Mellon University.

Watson revealed a new twist on “classic attacks against TCP,” and one that primarily affects BGP routers. If the attacker can guess a sequence number that falls anywhere inside the receiver’s “window size,” rather than the one exact number the receiver expects next, he can spoof the port number and source address and put a packet on the wire that the receiver will accept as valid.

If it’s a reset packet, the spoofed packet can cause the session to be torn down.

To prevent this exploitation, ISPs and large enterprises using BGP routers were urged to enable what’s called the MD5 hash – a cryptographic check that lets the receiver verify each packet actually came from the expected sender, so a spoofed reset without the shared key is discarded.
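The reason the in-window check matters is arithmetic: a receiver that accepts any reset landing inside its window lets a blind sender cover the 32-bit sequence space in 2^32 / window guesses instead of 2^32. The following model is an added example, not code from the article or from any router vendor; the window sizes and sequence numbers are constructed, and the two acceptance rules are a simplification of the permissive (in-window) behaviour the talk described versus the stricter exact-match check vendors moved toward.

```python
"""Model of in-window versus exact-match RST acceptance (constructed example)."""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, window: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + window), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def rst_accepted(seq: int, rcv_nxt: int, window: int, strict: bool = False) -> bool:
    """Permissive rule: any in-window RST tears the session down.

    Strict rule: only a RST carrying exactly the next expected sequence
    number is accepted, so a guess has to hit one value, not a range.
    """
    if strict:
        return seq % SEQ_SPACE == rcv_nxt % SEQ_SPACE
    return in_window(seq, rcv_nxt, window)


def guesses_to_cover(window: int, strict: bool = False) -> int:
    """Packets needed to guarantee one accepted RST when addresses and
    ports are known but the sequence number is not.

    Under the permissive rule each guess rules out a whole window, so the
    sender steps through the space in window-sized strides; under the
    strict rule every guess covers a single sequence number.
    """
    step = 1 if strict else window
    return -(-SEQ_SPACE // step)  # ceiling division


def expected_packets(window: int, candidate_ports: int = 1, strict: bool = False) -> int:
    """Total packets to cover the sequence space for each port candidate.

    BGP uses a fixed destination port, so only the ephemeral side is
    unknown; candidate_ports models how many of those a sender must try.
    """
    return guesses_to_cover(window, strict) * candidate_ports


if __name__ == "__main__":
    for win in (16384, 65535):
        print(f"window {win:>6}: permissive {guesses_to_cover(win):>10} guesses, "
              f"strict {guesses_to_cover(win, strict=True):>10} guesses")
```

Running the block shows that a 64 KB window cuts the guess count from over four billion to about 65,000 under the permissive rule, while the strict rule leaves it at 2^32 regardless of window size.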

Without providing details on its remedial action, MCI said it worked with its vendors and customers to ensure that its network remained secure. Last week, MCI’s network was operating normally, a spokeswoman said.

AT&T and Sprint did not comment by press time.

Among the router vendors, meanwhile, Cisco last week issued security advisories, software fixes and planned fixes, and workarounds on the TCP vulnerability for its IOS-based and non-IOS-based systems. Cisco said none of its customers reported any exploitations.

Juniper also said it was not aware of any customers having been affected by this vulnerability. The vendor said it modified its TCP protocol stack to reduce the likelihood of a successful attack.

Cisco customers, however, had to grapple with an IOS SNMP message handling vulnerability in addition to the TCP hole. According to a Cisco advisory, the SNMP flaw affects routers and switches running IOS Versions 12.0 through 12.3.

Cisco said it patched the flaw and published information on updating IOS with new versions of the operating system.

Managing Editor

Jim Duffy has been covering technology for over 28 years, 23 at Network World. He covers enterprise networking infrastructure, including routers and switches. He also writes The Cisco Connection blog and can be reached on Twitter @Jim_Duffy and at
