Update Protection against Multiple Vendor ICMP Source Quench Denial of Service Vulnerabilities
| Check Point Reference: | CPAI-2005-357 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Secunia Advisory: SA14904 | |
| Industry Reference(s): | CVE-2004-0791 | |
| Protection Provided by: |
Security Gateway
|
|
| Who is Vulnerable? Microsoft Windows 2000 (all versions)
Microsoft Windows 98
Microsoft Windows 98 SE
Microsoft Windows ME
Microsoft Windows XP (all versions)
Microsoft Windows XP 64-bit Edition (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2000 (Itanium)
Microsoft Windows Server 2003 (Base)
Cisco Systems Carrier Voice Gateways MGX 8250 Series
Cisco Systems Carrier Voice Gateways MGX 8850 Series
Cisco Systems Catalyst Content Services Switch 6608
Cisco Systems Catalyst Content Services Switch 6624
Cisco Systems Catalyst Content Services Switch 11000
Cisco Systems Catalyst Content Services Switch 11500
Cisco Systems Content Switching Module 11000
Cisco Systems Content Switching Module 11500
Cisco Systems Global Site Selector any
Cisco Systems IP Phone 7940
Cisco Systems IP Phone 7960
Cisco Systems IP Phone 7970
Cisco Systems Multilayer Switches MDS 9000 Series
Sun Microsystems Solaris 10.0_x86
Sun Microsystems Solaris 7.0
Sun Microsystems Solaris 10.0
Sun Microsystems Solaris 7.0_x86
Sun Microsystems Solaris 8.0
Sun Microsystems Solaris 8.0_x86
Sun Microsystems Solaris 9.0
Sun Microsystems Solaris 9.0_x86
| ||
| Vulnerability Description The Internet Control Message Protocol (ICMP) is part of the Internet Protocol suite. ICMP facilitates error, control, and informational message exchange between network devices. For instance, ICMP may be used to test network connectivity between two hosts. |
||
|
Vulnerability Details There exists a vulnerability in multiple vendor's TCP/IP and Internet Control Message Protocol (ICMP) implementations. A spoofed ICMP Source Quench message can reduce the efficiency of the TCP/IP stack of the target system. A remote attacker can exploit this vulnerability to degrade the network performance of the target system. In order for an attack to be executed, an existing TCP session between two peers is required. The attacker then has the option of attacking either one of the two connected hosts or any router on the network path between the two hosts. Upon receiving the malicious packet from the attacker, the vulnerable host or router should cut down the rate at which it sends out the data to the host specified in the malicious packet. The vulnerable host or router's performance is degraded during the processing of the spoofed ICMP message. A relatively significant delay is inserted between the two TCP segments immediately following the reception of the ICMP message. If no further spoofed packets are received, the vulnerable host or router will recover the transfer rate to the normal state. The attack becomes noticeable only after a large number of such ICMP messages are received and processed by the vulnerable system. The attack only affects one existing TCP session specified by the IP addresses and ports in the malicious packet. |
Protection Overview
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.