ID CVE-2004-0230
Summary TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. <a href="https://cwe.mitre.org/data/definitions/331.html">CWE-331: Insufficient Entropy</a>
References
Vulnerable Configurations
  • cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
    cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
  • cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*
    cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*
  • cpe:2.3:a:openpgp:openpgp:2.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:openpgp:openpgp:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mcafee:network_data_loss_prevention:*:*:*:*:*:*:*:*
    cpe:2.3:a:mcafee:network_data_loss_prevention:*:*:*:*:*:*:*:*
  • cpe:2.3:a:mcafee:network_data_loss_prevention:9.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:mcafee:network_data_loss_prevention:9.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mcafee:network_data_loss_prevention:9.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:mcafee:network_data_loss_prevention:9.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mcafee:network_data_loss_prevention:9.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:mcafee:network_data_loss_prevention:9.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:1.5:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:1.5:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:1.5.2:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:1.5.3:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:1.6:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:1.6:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:1.6.1:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:1.6.1:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:1.6.2:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:1.6.2:*:*:*:*:*:*:*
  • cpe:2.3:o:netbsd:netbsd:2.0:*:*:*:*:*:*:*
    cpe:2.3:o:netbsd:netbsd:2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:xinuos:openserver:5.0.6:*:*:*:*:*:*:*
    cpe:2.3:o:xinuos:openserver:5.0.6:*:*:*:*:*:*:*
  • cpe:2.3:o:xinuos:openserver:5.0.7:*:*:*:*:*:*:*
    cpe:2.3:o:xinuos:openserver:5.0.7:*:*:*:*:*:*:*
  • cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
    cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
  • cpe:2.3:o:xinuos:unixware:7.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:xinuos:unixware:7.1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:xinuos:unixware:7.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:xinuos:unixware:7.1.3:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 19-10-2018 - 15:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
oval via4
  • accepted 2013-09-02T04:05:45.550-04:00
    class vulnerability
    contributors
    • name Matthew Burton
      organization The MITRE Corporation
    • name John Hoyland
      organization Centennial Software
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Dragos Prisaca
      organization G2, Inc.
    description TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
    family windows
    id oval:org.mitre.oval:def:2689
    status accepted
    submitted 2005-08-18T04:00:00.000-04:00
    title Server 2003 Large Window Size TCP RST Denial of Service
    version 38
  • accepted 2011-05-09T04:01:29.162-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    definition_extensions
    • comment Microsoft Windows XP SP1 (32-bit) is installed
      oval oval:org.mitre.oval:def:1
    • comment Microsoft Windows XP SP2 or later is installed
      oval oval:org.mitre.oval:def:521
    • comment Microsoft Windows XP SP1 (64-bit) is installed
      oval oval:org.mitre.oval:def:480
    • comment Microsoft Windows Server 2003 (x86) Gold is installed
      oval oval:org.mitre.oval:def:165
    • comment Microsoft Windows Server 2003 SP1 (x86) is installed
      oval oval:org.mitre.oval:def:565
    description TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
    family windows
    id oval:org.mitre.oval:def:270
    status accepted
    submitted 2006-10-11T05:29:41
    title TCP Connection Reset Vulnerability
    version 39
  • accepted 2011-05-16T04:02:48.829-04:00
    class vulnerability
    contributors
    • name Matthew Burton
      organization The MITRE Corporation
    • name John Hoyland
      organization Centennial Software
    • name Dragos Prisaca
      organization Gideon Technologies, Inc.
    • name Brendan Miles
      organization The MITRE Corporation
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
    family windows
    id oval:org.mitre.oval:def:3508
    status accepted
    submitted 2005-08-18T04:00:00.000-04:00
    title WinXP Large Window Size TCP RST Denial of Service
    version 39
  • accepted 2011-05-16T04:03:04.644-04:00
    class vulnerability
    contributors
    • name Matthew Burton
      organization The MITRE Corporation
    • name John Hoyland
      organization Centennial Software
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
    family windows
    id oval:org.mitre.oval:def:4791
    status accepted
    submitted 2005-04-22T12:00:00.000-04:00
    title Win2k Large Window Size TCP RST Denial of Service
    version 36
  • accepted 2008-09-08T04:00:38.111-04:00
    class vulnerability
    contributors
    name Yuzheng Zhou
    organization Hewlett-Packard
    description TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
    family ios
    id oval:org.mitre.oval:def:5711
    status accepted
    submitted 2008-05-26T11:06:36.000-04:00
    title Cisco Systems Spoofed TCP Reset and SYN Denial of Service Vulnerability
    version 3
refmap via4
bid 10183
bugtraq 20040425 Perl code exploting TCP not checking RST ACK.
cert TA04-111A
cert-vn VU#415294
cisco 20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products
confirm
hp
  • HPSBST02161
  • SSRT061264
  • SSRT4696
misc http://www.uniras.gov.uk/vuls/2004/236929/index.htm
ms
  • MS05-019
  • MS06-064
netbsd NetBSD-SA2004-006
osvdb 4030
sco
  • SCOSA-2005.14
  • SCOSA-2005.3
  • SCOSA-2005.9
secunia
  • 11440
  • 11458
  • 22341
sgi 20040403-01-A
vupen ADV-2006-3983
xf tcp-rst-dos(15886)
statements via4
contributor Mark J Cox
lastmodified 2006-08-16
organization Red Hat
statement The DHS advisory is a good source of background information about the issue: http://www.us-cert.gov/cas/techalerts/TA04-111A.html It is important to note that the issue described is a known function of TCP. In order to perform a connection reset an attacker would need to know the source and destination ip address and ports as well as being able to guess the sequence number within the window. These requirements seriously reduce the ability to trigger a connection reset on normal TCP connections. The DHS advisory explains that BGP routing is a specific case where being able to trigger a reset is easier than expected as the end points can be easily determined and large window sizes are used. BGP routing is also signficantly affected by having it’s connections terminated. The major BGP peers have recently switched to requiring md5 signatures which mitigates against this attack. The following article from Linux Weekly News also puts the flaw into context and shows why it does not pose a significant threat: http://lwn.net/Articles/81560/ Red Hat does not have any plans for action regarding this issue.
Last major update 19-10-2018 - 15:30
Published 18-08-2004 - 04:00
Back to Top