admin
24-04-2004, 03:44 PM
******admin will try to translate the whole article into Vietnamese******
According to information from cisco.com
http://www.cisco.com/en/US/products/products_security_advisory09186a008021bc62.shtml
all Cisco products running Cisco IOS may be affected by this serious vulnerability.
Summary of the vulnerability:
A flaw in the TCP specification (RFC793) can be exploited to allow an attacker to reset TCP connections in a much shorter time than previously believed. Depending on the application, a user would then have to repeat the operation (for example telnet or ssh). Depending on the protocol attacked, a successful attack may have consequences beyond dropping these TCP connections. This type of attack applies only to sessions that terminate directly on the device (such as a router, switch, or computer) and does not affect sessions passing through the device.
All Cisco products that implement TCP are affected by this vulnerability.
Details of the vulnerability:
TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify the order in which the packets are to be reassembled. TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within a range of the acknowledgement number (called a "window"). The acknowledgement number is not used in a packet with the reset (RST) flag set because a reset does not expect a packet in return. The full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt .
According to the RFC793 specification, it is possible to reset an established TCP connection by sending a packet with the RST or synchronize (SYN) flag set. In order for this to occur, the 4-tuple must be known or guessed (source and destination IP address and ports) together with a sequence number. However, the sequence number does not have to be an exact match; it is sufficient to fall within the advertised window. This significantly decreases the effort required by an adversary: the larger the window, the easier it is to reset the connection. While source and destination IP addresses may be relatively easy to determine, the source TCP port must be guessed. The destination TCP port is usually known for all standard services (for example, 23 for Telnet, 80 for HTTP). Cisco IOS software uses predictable ephemeral ports for known services with a predictable increment (the next port which will be used for a subsequent connection). These values, while constant for a particular Cisco IOS software version and protocol, can vary from one release to another.
Here is an example of a normal termination of a TCP session:
      Host(1)                           Host(2)
         |                                 |
         |                                 |
         |   ACK ack=1001, window=5000     |
         |<--------------------------------|
         |                                 |
   Host(1) is
   closing the session
         |   RST seq=1001                  |
         |-------------------------------->|
         |                                 |
                                        Host(2) is
                                        closing the session
In addition, the following scenario is also permitted:
      Host(1)                           Host(2)
         |                                 |
         |                                 |
         |   ACK ack=1001, window=5000     |
         |<--------------------------------|
         |                                 |
   Host(1) is
   closing the session
         |   RST seq=4321                  |
         |-------------------------------->|
         |                                 |
                                        Host(2) is
                                        closing the session
Note how, in the second example, the RST packet was able to terminate the session although the sequence number was not the next expected one (which is 1001). It was sufficient for the sequence number to fall within the advertised "window". In this example, Host(2) was accepting sequence numbers from 1001 to 6001 and 4321 is clearly within the acceptable range.
As a general rule, all protocols where a TCP connection stays established for longer than one minute should be considered exposed.
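As an added illustration (not part of the Cisco advisory or of this post), the following Python models the RFC 793 in-window RST acceptance check described above, beside the stricter rule later standardized in RFC 5961 (only an exact-match RST resets; an in-window but inexact RST is answered with a challenge ACK), using the advisory's own numbers. The function names and the exposure estimate are this example's own.

```python
"""Model of the RFC 793 in-window RST check beside the hardened RFC 5961
rule. Added example; the function names and values are this example's own."""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(rcv_nxt: int, window: int, seq: int) -> bool:
    """RFC 793 acceptance test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
    evaluated modulo 2^32 so it survives sequence-number wrap-around."""
    return (seq - rcv_nxt) % SEQ_SPACE < window


def rfc793_rst_action(rcv_nxt: int, window: int, seq: int) -> str:
    """Original behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(rcv_nxt, window, seq) else "drop"


def rfc5961_rst_action(rcv_nxt: int, window: int, seq: int) -> str:
    """Hardened behaviour: only an RST whose seq is exactly RCV.NXT resets.
    An in-window but inexact RST triggers a challenge ACK; a legitimate peer
    answers it with an exact-match RST, a blind sender cannot. Out-of-window
    RSTs are dropped as before."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(rcv_nxt, window, seq):
        return "challenge-ack"
    return "drop"


def blind_guesses_to_cover_space(window: int) -> int:
    """Exposure estimate for one known 4-tuple: with RFC 793 semantics one
    RST per window position covers the whole sequence space, so the larger
    the advertised window, the fewer packets a blind reset needs."""
    return -(-SEQ_SPACE // window)  # ceiling division


if __name__ == "__main__":
    # Values from the advisory's second diagram: Host(2) advertised
    # ack=1001, window=5000 and then accepted an RST carrying seq=4321.
    for seq in (1001, 4321, 9000):
        print(seq, rfc793_rst_action(1001, 5000, seq),
              rfc5961_rst_action(1001, 5000, seq))
    print("guesses at window 5000:", blind_guesses_to_cover_space(5000))
    print("guesses at window 65535:", blind_guesses_to_cover_space(65535))
```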
Impact:
The impact will be different for each specific protocol. While in the majority of cases a TCP connection will be automatically re-established, in some specific protocols a second order of consequences may have a larger impact than tearing down the connection itself.
Border Gateway Protocol (BGP)
The Cisco PSIRT has identified BGP as the protocol which has the greatest potential for impact. Both external and internal (eBGP and iBGP) sessions are equally vulnerable. If an adversary tears down a BGP session between two routers, then all routes which were advertised between these two peers will be withdrawn. This would occur immediately for the router which has been attacked and after the next update/keepalive packet is sent by the other router. The BGP peering session itself will be re-established within a minute after the attack. Depending upon the exact routing configuration, withdrawal of the routes may have any of the following consequences:
No adverse effects at all if an appropriate static route(s) has(have) been defined on both sides of the affected session.
The traffic will be rerouted along other paths. This may cause some congestion along these paths.
A portion of the network will be completely isolated and unreachable.
If a BGP peering session is broken a few times within a short time interval, then BGP route dampening may be invoked. Dampening means that affected routes will be withdrawn from the Internet routing table for some period of time. By default that time is 45 minutes. During that time, all of the traffic whose route was advertised over the attacked BGP session will either be rerouted or a portion of the network will be unreachable. Route dampening is not enabled by default.
Cisco IOS Firewall Feature Set
It is possible to terminate an established TCP-based connection even if both endpoints are not vulnerable to this attack.
Software Versions and Fixes
Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the Rebuild, Interim, and Maintenance columns. In some cases, no rebuild of a particular release is planned; this is marked with the label "Not scheduled." A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).
To fix the vulnerability, you can upgrade your IOS to the latest version. VnPro forum members who need help fixing this issue, please contact admin@vnpro.org
Best regards,