iPolicy Networks Security Advisory
 

TCP IP Orphaned Connection Denial of Service Vulnerability

Date Discovered: 09/08/2009
Severity: High
Operating Systems Affected:
Microsoft Windows 2000 SP4
Microsoft Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Server 2003 SP2 for Itanium-based Systems
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64
Windows Vista x64 SP1
Windows Vista x64 SP2
Windows Server 2008 for 32-bit
Windows Server 2008 for 32-bit SP2
Type: Remote
Identifiers: CVE-2009-1926
Synopsis
Microsoft Windows TCP/IP is prone to a denial of service vulnerability due to an error in the processing of specially crafted packets that advertise a small or zero TCP receive window size.
Recommended Actions
Apply the patches as directed by the vendor at:
http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
Threat Analysis
The vulnerability is due to the Windows TCP/IP stack allowing connections to hang indefinitely in the FIN-WAIT-1 or FIN-WAIT-2 state under certain conditions. If an application closes a TCP connection that still has data pending to be sent, and the remote peer has advertised a small or zero TCP receive window, the affected server cannot finish closing the connection: the pending data can never be drained, so the connection is orphaned in a FIN-WAIT state and its resources are never released.

An attacker could exploit the vulnerability by flooding a system with such specially crafted packets, causing the affected system to stop responding to new requests. Because the orphaned connections are never cleaned up, the system would remain non-responsive even after the attacker stops sending malicious packets.
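As an added example (not part of the iPolicy advisory or of any vendor tooling), the following script parses Windows `netstat -an` output and flags remote hosts that hold an unusual number of connections in FIN_WAIT_1 or FIN_WAIT_2, the symptom of orphaned connections described above. The sample output, the threshold of 3 and all function names are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -an" output (not captured from a real host).
# 203.0.113.7 holds several half-closed connections to the web server; the rest is normal noise.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            203.0.113.7:50001      FIN_WAIT_1
  TCP    10.0.0.5:80            203.0.113.7:50002      FIN_WAIT_1
  TCP    10.0.0.5:80            203.0.113.7:50003      FIN_WAIT_2
  TCP    10.0.0.5:80            203.0.113.7:50004      FIN_WAIT_1
  TCP    10.0.0.5:80            198.51.100.20:44123    ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.21:44124    FIN_WAIT_2
  TCP    10.0.0.5:80            198.51.100.22:44125    TIME_WAIT
"""

# States in which a connection can be orphaned by the window-size condition.
HALF_CLOSED = {"FIN_WAIT_1", "FIN_WAIT_2"}
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples for TCP rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def half_closed_by_peer(rows):
    """Count connections sitting in FIN_WAIT_1 / FIN_WAIT_2, keyed by remote IP."""
    counts = Counter()
    for _lip, _lport, rip, _rport, state in rows:
        if state in HALF_CLOSED:
            counts[rip] += 1
    return counts


def suspicious_peers(rows, threshold=3):
    """Remote IPs holding at least `threshold` half-closed connections (threshold is a hypothetical tuning value)."""
    return sorted(ip for ip, n in half_closed_by_peer(rows).items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(half_closed_by_peer(rows)))
    print("Peers worth investigating:", suspicious_peers(rows))
```

On a live host, feed the script the output of `netstat -an` instead of the constructed sample; a single peer accumulating FIN_WAIT connections that never drain is the pattern to investigate.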
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1926

Write-up by: Aditya Chaturvedi