Experts Warn of Critical TCP Flaw

Serious Internet security warnings are rushing in from a variety of sources, indicating that the Internet’s underpinnings could come under attack and that conditions are ripe for a worm attack as well.

The most recent security alert came from the United Kingdom, where the government warned of a critical vulnerability in the Transmission Control Protocol (TCP), the core protocol that carries most connections between computers on the Internet and is implemented by nearly every networking vendor, including Cisco, which has offered patches and advice on the vulnerability.

Cisco also issued this week a separate security advisory on vulnerabilities in its 12.x Internetwork Operating System (IOS) software, used broadly on Cisco routers and switches.

Experts with the SANS (SysAdmin, Audit, Network, Security) Institute, which last week released yet another advisory on the availability of exploits targeting the latest Windows flaws, urged all Cisco router and switch administrators to check their IOS versions and patch if needed because the Cisco networking gear is so popular.

“When it rains it pours,” said a SANS daily security update, referring to the TCP vulnerability and Cisco issues.

Underlying Protocol and Danger

Officials with the United Kingdom’s National Infrastructure Security Coordination Center (NISCC) said in an advisory that the TCP vulnerability could allow a denial-of-service (DoS) attack that abruptly tears down established TCP sessions, the connections over which two hosts exchange traffic.

The UK security experts said the Border Gateway Protocol (BGP) is most likely to be affected by the vulnerability because it relies on a persistent TCP session between BGP peers.

While the NISCC advisory said the overall impact on BGP probably will be limited given the likelihood of attack — no exploits have yet been reported — the vulnerability could also affect other application protocols that hold long-lived TCP connections, such as Domain Name System (DNS) zone transfers and Secure Sockets Layer (SSL) e-commerce transactions.

The researchers said data injection into a session may also be possible but added that such an exploit would be far harder to carry out than a reset. In addition, in the case of SSL, it may be difficult for an attacker to guess the client’s source IP address, according to NISCC.
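The reset attack the advisory describes turns on one detail of the TCP receiver: under the original RFC 793 rule, a spoofed RST segment is honored if its sequence number lands anywhere inside the receiver’s advertised window, so an attacker who knows both addresses and ports does not have to guess the exact 32-bit sequence number, only one value per window-sized slice of the space. The model below is an added illustration written for this page; it is not code from the article, NISCC or Cisco. It compares that original check with the tightened check of the kind vendors shipped and that RFC 5961 later standardized (only an RST whose sequence number equals RCV.NXT resets; anything else gets a challenge ACK), and it counts how many spoofed segments a blind attacker must send under each. The connection values and port counts are constructed sample inputs, and the model assumes the attacker already knows the full address and port tuple, which is the precondition the advisory’s remark about guessing SSL source addresses refers to.

```python
# Added example: a model of the TCP receiver-side RST check, not code from
# the article, NISCC or any vendor. The sequence numbers, window sizes and
# port counts used below are constructed sample values.
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Connection:
    rcv_nxt: int  # RCV.NXT: the next sequence number the receiver expects
    rcv_wnd: int  # RCV.WND: the advertised receive window in bytes

    def in_window(self, seq: int) -> bool:
        # True when seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32,
        # so a window that wraps past 2^32 - 1 is handled correctly.
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd


def rst_accepted_rfc793(conn: Connection, seq: int) -> bool:
    """Original rule: any RST whose sequence number falls anywhere inside
    the receive window is accepted and tears the connection down."""
    return conn.in_window(seq)


def rst_accepted_strict(conn: Connection, seq: int) -> bool:
    """Tightened rule (the approach RFC 5961 later standardized): only an
    RST whose sequence number equals RCV.NXT resets the connection; an
    in-window but inexact RST draws a challenge ACK and is otherwise ignored."""
    return seq == conn.rcv_nxt


def worst_case_attempts(rcv_wnd: int, strict: bool = False) -> int:
    """Upper bound on spoofed RSTs for a blind sequence-number guess: one per
    window-sized stride under the original rule, one per value when strict."""
    return SEQ_SPACE if strict else -(-SEQ_SPACE // rcv_wnd)  # ceil division


def blind_rst_attempts(conn: Connection, strict: bool = False) -> int:
    """Simulate an attacker who knows the addresses and ports of a connection
    but not its sequence number. Under the original rule the attacker steps
    through the 2^32 space in window-sized strides, since landing anywhere in
    the window is enough; under the strict rule every value must be tried.
    Returns the number of spoofed RSTs sent up to and including the accepted one."""
    accept = rst_accepted_strict if strict else rst_accepted_rfc793
    stride = 1 if strict else conn.rcv_wnd
    seq, attempts = 0, 0
    while attempts < SEQ_SPACE:  # guard: the space is finite, so this terminates
        attempts += 1
        if accept(conn, seq):
            return attempts
        seq = (seq + stride) % SEQ_SPACE
    raise RuntimeError("sequence space exhausted without an accepted RST")


def blind_attack_budget(rcv_wnd: int, candidate_ports: int, strict: bool = False) -> int:
    """Segments needed when the attacker must also guess one endpoint's port.
    For a BGP session the peer addresses and the well-known port 179 are
    public, so only the other side's ephemeral port adds uncertainty, which
    is why long-lived BGP sessions are the most exposed."""
    return worst_case_attempts(rcv_wnd, strict) * candidate_ports


if __name__ == "__main__":
    conn = Connection(rcv_nxt=1_000_000, rcv_wnd=65535)  # constructed sample
    print("RFC 793 rule, 64 KiB window:", blind_rst_attempts(conn), "spoofed RSTs")
    print("strict rule, same window:   ", worst_case_attempts(65535, strict=True), "worst case")
    print("BGP peer with 4096 candidate ephemeral ports:",
          blind_attack_budget(65535, 4096), "segments worst case")
```

The point the simulation makes is the ratio, not the absolute numbers: with a 64 KiB window the original rule lets a blind attacker cover the whole sequence space in roughly 65,000 segments, a few seconds on a fast link, whereas the strict rule pushes the count back to the full 2^32 that earlier analyses had assumed. Larger windows negotiated through window scaling make the original rule proportionally worse.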

More Skeptical Than Scared

Independent security expert and Stealing the Network co-author Ryan Russell said that although the TCP vulnerability has been a focus of security researchers, there have been enough mitigating factors in the past that it was not an urgent danger.

“There’s been talk about this for a number of years,” Russell told TechNewsWorld. “I think it’s a good sign. This protocol has been around 20 years, and now we’re seeing the fine-tuning. I think overall, the protocol holds up quite well. Cisco is putting out a set of updates, and others are doing the same. That means that there’s something you can tweak that mitigates the problem.”

In terms of worm warnings from security companies and groups such as VeriSign and the SANS Institute, Russell said they appear to be pure speculation.

“I don’t think there’s any particular worry. There’s enough to worry about that’s quite likely,” he noted, referring to the latest set of vulnerabilities patched by Microsoft earlier this month.

Process Good, Patch Release Bad

SANS Institute research director Alan Paller agreed that the TCP vulnerability has been sufficiently mitigated, thanks in large part to a fast, “heroic” response from the U.S. Department of Homeland Security and its British equivalent, which worked with vendors such as Cisco to close the Internet’s main arteries to attack.

“‘The sky is not falling’ is my bottom line,” Paller told TechNewsWorld. “The types of attacks that are able to be done are not dissimilar from denial-of-service attacks that can be done in other ways. If you can hit the fat pipes, it could cause a really big problem, but they have protected them.”

“This time it worked really well,” Paller added. “They basically got the U.S. CERT in operation, and it did exactly what you would hope and what you would have wanted it to do.”

While Paller said the series of vulnerability and virus warnings in the last week did not equate to pending doom, the security researcher did raise concern over Microsoft’s monthly series of patches released last week.

“The biggest new problem by far was the breathtaking amount of vulnerabilities from Microsoft,” Paller said. “The reason is that they are easy to exploit. It can be done with automated tools, and fewer than 30 percent of Microsoft systems are patched, meaning there are millions of already-infected machines that can be used in future attacks. It’s really a breathtaking number of new bad things.”
