TCP flaws put Web sites at risk

By Robert Vamosi, CNET News.com
Friday, October 03, 2008 07:02 AM

Two researchers in Sweden have found multiple flaws in the TCP stack that could lead to massive denial of service (DoS) attacks if exploited. At present there are no workarounds and no patches available.

Robert E. Lee, Chief Security Officer for Outpost24, told ZDNet Asia's sister site CNET News: "the vendors we are in talks with seem to be taking the threat seriously."

The discovery follows a test using a port scanner called UnicornScan, which Lee and Senior Security Researcher Jack Louis created. The tool is used for vulnerability assessment and penetration testing at Outpost24. Lee told a Swedish podcast that when they could not get a port scan done soon enough, they decided to move the TCP stack into the program to make it more distributed. That was when Louis started noticing strange behavior.

"Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned," Lee told CNET News. One of the behaviors they experienced was packet loss in which the packets just kept being retried over and over, creating, more or less, a denial of service (DoS) on that machine.

There does not appear to be just one vulnerability, but several, according to Robert Hansen, who first wrote about this last Friday. Hansen says that, as he understands it, these vulnerabilities could result in great damage if exploited. Fixing them will require coordination with vendors of OSs, firewalls, and Web-enabled devices.

To exploit the flaws and confirm that the TCP vulnerabilities were real, Lee and Louis created a program called "sockstress," which intentionally did some wrong things with the TCP/IP handshake process. The sockstress program was very effective in producing DoS attacks. The pair have no plans to release sockstress.

Lee said he does not plan to have a big, public disclosure press conference like Dan Kaminsky did with the DNS flaw this past summer. "We plan to work with vendors to ensure they understand the issues fully and have adequate solutions in place before publicly sharing details on the issues. Since there are multiple issues, we may be able to share information on individual issues as they are individually addressed."

Asked whether someone else could figure this out before the patches are out, Lee said: "Even though I think Jack Louis is exceptionally brilliant, Outpost24 doesn't have a monopoly on bug finding abilities. It is a matter of time before someone else independently figures it out."

This article was first published as a blog on CNET News.com.
