
Security Best Practice: TCP Window Size Enforcement


Check Point Reference: SBP-2009-18
Source: Microsoft Security Bulletin MS09-048
Industry Reference(s): CVE-2008-4609
CVE-2009-1925
CVE-2009-1926
Protection Provided by:
Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP2
Windows Server 2008 (Itanium)
Windows Server 2008 (Itanium) SP2
Vulnerability Description
Multiple vulnerabilities exist in the TCP/IP processing of Microsoft Windows. TCP/IP is the set of networking protocols used throughout the Internet; it provides communications across interconnected networks of computers with diverse hardware architectures running various operating systems. A remote attacker could exploit these vulnerabilities by sending specially crafted TCP/IP packets to an affected system. Successful exploitation could allow the attacker to take complete control of the affected system or cause it to become non-responsive.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS09-048
Vulnerability Details
CVE-2008-4609 - This denial of service vulnerability is caused by the Windows TCP/IP stack failing to properly handle large numbers of established TCP connections. If a remote system abuses these established connections by requesting data and then setting its TCP receive window size to a small or zero value, the denial-of-service condition is amplified. An attacker could exploit the vulnerability by flooding a system with an excessive number of TCP connections and keeping them alive indefinitely, or by sending specially crafted packets with the TCP receive window size set to a very small value or zero.

CVE-2009-1925 - This remote code execution vulnerability is caused by the Windows TCP/IP stack failing to clean up state information correctly, so that the stack later dereferences a field as a function pointer when it actually holds other data. An attacker could exploit this vulnerability by creating specially crafted network packets and sending them to a listening service on an affected system.

CVE-2009-1926 - This denial of service vulnerability is caused by the Windows TCP/IP stack allowing connections to hang indefinitely in the FIN-WAIT-1 or FIN-WAIT-2 state under certain conditions. An attacker could exploit this vulnerability by flooding a system with specially crafted connections designed to keep the TCP connection state in FIN-WAIT-1 or FIN-WAIT-2 indefinitely.

Protection Overview
This protection will detect and block attempts to exploit these TCP vulnerabilities.
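As an added illustration, not Check Point's code and not the gateway's actual algorithm: a simplified model of what a window-size enforcement check does on the wire. It decodes the window field of each TCP segment and raises a log entry shaped like the SmartView Tracker record below when a client keeps advertising a zero or tiny receive window after the handshake, which is the CVE-2008-4609 amplifier described above. The thresholds (min_window, limit) and the sample addresses are assumptions.

```python
import struct
from collections import defaultdict

FLAG_SYN, FLAG_ACK = 0x02, 0x10

def build_tcp_header(sport, dport, seq, ack, flags, window):
    """Build a minimal 20-byte TCP header (no options); used only to construct sample traffic."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)

def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header and return the fields the check needs."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}

class WindowEnforcer:
    """Per (client, sport, dport) flow, count consecutive post-handshake segments whose
    advertised window is at or below min_window; alert once when the run reaches limit."""
    def __init__(self, min_window=64, limit=3):  # assumed thresholds
        self.min_window, self.limit = min_window, limit
        self.low_runs = defaultdict(int)
        self.alerts = []

    def observe(self, client_ip, raw):
        hdr = parse_tcp_header(raw)
        if hdr["flags"] & FLAG_SYN:
            return None  # handshake segments carry the initial window; not judged here
        key = (client_ip, hdr["sport"], hdr["dport"])
        if hdr["window"] > self.min_window:
            self.low_runs[key] = 0  # a healthy window resets the run
            return None
        self.low_runs[key] += 1
        if self.low_runs[key] != self.limit:
            return None
        alert = {"attack": "TCP Enforcement Violation", "info": "Window size enforcement",
                 "src": client_ip, "sport": hdr["sport"], "dport": hdr["dport"], "window": hdr["window"]}
        self.alerts.append(alert)
        return alert

def demo():
    """Constructed traffic: one well-behaved client, one that drops its window to 0 after the handshake."""
    enf = WindowEnforcer(min_window=64, limit=3)
    for _ in range(5):
        enf.observe("192.0.2.10", build_tcp_header(40000, 80, 100, 1, FLAG_ACK, 65535))
    enf.observe("192.0.2.66", build_tcp_header(40001, 80, 1, 0, FLAG_SYN, 65535))
    for _ in range(4):
        enf.observe("192.0.2.66", build_tcp_header(40001, 80, 2, 2, FLAG_ACK, 0))
    return enf.alerts
```

A real enforcement point would also have to account for legitimate zero-window flow control (a slow but honest receiver), which is why the page warns that activating this protection costs IPS throughput.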

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

Please note that this is a performance-critical protection: activating it may significantly decrease IPS throughput.

No update is required to address the CVE-2009-1925 vulnerability. Users are protected against this issue if the protection for blocking SYN attacks has been applied.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Network Security and select TCP.
2. In the right pane, double-click the TCP Window Size Enforcement protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

Administrators can also restrict the IP addresses and ranges this defense inspects. To do so:
1. Establish an SSH connection to the Management machine.
2. Change to the $FWDIR/conf directory (cd $FWDIR/conf).
3. Edit the file “updates.def” using any text editor.
4. Search for “tcpstress_inspect_list” and edit it to contain the desired IP addresses. The tcpstress_inspect_list is a static list of IPs inspected by this defense. By default it covers every address from 0.0.0.0 to 255.255.255.255:
tcpstress_inspect_list = {<0.0.0.0, 255.255.255.255>};
To protect only two servers (IP 1.2.3.4 and IP 10.20.30.40), change the list as follows:
tcpstress_inspect_list = {<1.2.3.4> , <10.20.30.40>};
A range is written as a pair. For example, to protect the range 1.1.1.1 to 3.3.3.3:
tcpstress_inspect_list = {<1.1.1.1 , 3.3.3.3>};
5. Save the file once editing is finished. This change has to be repeated after each IPS update.
6. Install Policy on the modified module.

For protection against the CVE-2009-1925 vulnerability:
1. In the IPS tab, click Protections > By Protocol > Network Security > TCP.
2. In the right pane, double-click the SYN Attack protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: TCP Enforcement Violation
Attack Information: Window size enforcement

VPN-1 NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Network Security > TCP > TCP Window Size Enforcement.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

Administrators can also restrict the IP addresses and ranges this defense inspects. To do so:
1. Establish an SSH connection to the Management machine.
2. Change to the $FWDIR/conf directory (cd $FWDIR/conf).
3. Edit the file “updates.def” using any text editor.
4. Search for “tcpstress_inspect_list” and edit it to contain the desired IP addresses. The tcpstress_inspect_list is a static list of IPs inspected by this defense. By default it covers every address from 0.0.0.0 to 255.255.255.255:
tcpstress_inspect_list = {<0.0.0.0, 255.255.255.255>};
To protect only two servers (IP 1.2.3.4 and IP 10.20.30.40), change the list as follows:
tcpstress_inspect_list = {<1.2.3.4> , <10.20.30.40>};
A range is written as a pair. For example, to protect the range 1.1.1.1 to 3.3.3.3:
tcpstress_inspect_list = {<1.1.1.1 , 3.3.3.3>};
5. Save the file once editing is finished. This change has to be repeated after each SmartDefense update.
6. Install Policy on the modified module.

For protection against the CVE-2009-1925 vulnerability:
1. In the SmartDefense tab, click Network Security > TCP > SYN Attack Configuration.
2. In the configuration pane, under Settings, check the "Activate SYN Attack protection" box.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: TCP Enforcement Violation
Attack Information: Window size enforcement

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Network Security > TCP > TCP Window Size Enforcement.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

Administrators can also restrict the IP addresses and ranges this defense inspects. To do so:
1. Establish an SSH connection to the Management machine.
2. Change to the $FWDIR/conf directory (cd $FWDIR/conf).
3. Edit the file “updates.def” using any text editor.
4. Search for “tcpstress_inspect_list” and edit it to contain the desired IP addresses. The tcpstress_inspect_list is a static list of IPs inspected by this defense. By default it covers every address from 0.0.0.0 to 255.255.255.255:
tcpstress_inspect_list = {<0.0.0.0, 255.255.255.255>};
To protect only two servers (IP 1.2.3.4 and IP 10.20.30.40), change the list as follows:
tcpstress_inspect_list = {<1.2.3.4> , <10.20.30.40>};
A range is written as a pair. For example, to protect the range 1.1.1.1 to 3.3.3.3:
tcpstress_inspect_list = {<1.1.1.1 , 3.3.3.3>};
5. Save the file once editing is finished. This change has to be repeated after each SmartDefense update.
6. Install Policy on the modified module.
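The tcpstress_inspect_list syntax is the same in the R70, VPN-1 NGX R65 and VSX sections above, and a typo in updates.def silently changes which hosts are inspected. The following is an added validator, not Check Point's tooling and not how the gateway itself parses INSPECT, that reads the three forms shown above (whole range, single hosts, explicit range) and answers whether a given address is covered; the error messages and the sample addresses are assumptions.

```python
import ipaddress
import re

# One INSPECT entry as used on this page: <ip> for a single host or <low, high> for a range.
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*(?:,\s*([\d.]+)\s*)?>")

def parse_inspect_list(text):
    """Parse a 'tcpstress_inspect_list = {...};' assignment into a list of
    (low, high) IPv4Address pairs; a single-host entry becomes (ip, ip)."""
    m = re.search(r"tcpstress_inspect_list\s*=\s*\{(.*)\}\s*;", text, re.S)
    if not m:
        raise ValueError("no tcpstress_inspect_list assignment found")
    body = m.group(1)
    ranges = []
    for low, high in ENTRY_RE.findall(body):
        lo = ipaddress.IPv4Address(low)          # raises on a malformed address
        hi = ipaddress.IPv4Address(high) if high else lo
        if hi < lo:
            raise ValueError(f"range <{low}, {high}> is reversed and would match nothing")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("list is empty: nothing would be inspected")
    # Whatever is left after removing well-formed entries is a syntax error (e.g. a missing '>').
    leftover = ENTRY_RE.sub("", body).replace(",", "").strip()
    if leftover:
        raise ValueError(f"unparsed text in list: {leftover!r}")
    return ranges

def is_inspected(ranges, ip):
    """True if the address falls inside any parsed range."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in ranges)

if __name__ == "__main__":
    # Constructed check of the two-server form from the steps above.
    r = parse_inspect_list("tcpstress_inspect_list = {<1.2.3.4> , <10.20.30.40>};")
    print(is_inspected(r, "1.2.3.4"), is_inspected(r, "1.2.3.5"))  # True False
```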

For protection against the CVE-2009-1925 vulnerability:
1. In the SmartDefense tab, click Network Security > TCP > SYN Attack Configuration.
2. In the configuration pane, under Settings, check the "Activate SYN Attack protection" box.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: TCP Enforcement Violation
Attack Information: Window size enforcement

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

Protection for CVE-2008-4609:
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Intelligence > TCP, and select the Bad Header Length protection group.
3. Click TCP Window Error (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

Protection for CVE-2009-1926:

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Intelligence > TCP, and select the Bad header length protection group.
3. Click TCP Window Error (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

In addition to enabling the protection above, increase the paranoia threshold:

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Intelligence > TCP, and select the Bad header length protection group.
3. Click TCP Window Error (IPS-1 NGX R65 only).
4. Change the value of Paranoia level associated with TCP windows to 2 or 3.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

CVE-2008-4609
Alert Name: Header Length
Description: TCP Window Error

CVE-2009-1926
Alert Name: Header Length
Description: TCP Window Error