Industry reels from IP flaw

The U.K.'s National Infrastructure Co-Ordination Centre (NISCC) has warned of a flaw in Internet Protocol (IP) that could allow significant attacks on a wide range of products, including routers and Internet software from Microsoft, Cisco Systems, IBM, Juniper Networks, and others.

While the flaw in ICMP, IP's control protocol, will be only moderately critical for some vendors' products, in others it could allow a denial-of-service attack with medium-term effects, effectively putting the system out of commission for a significant period of time while it is reset, the NISCC said in an advisory. In other products, attacks could merely slow down traffic or result in short-term denial-of-service.

Because the problems with ICMP have been circulating in the security community for some time, some products have already been modified to block the attacks; for example many Linux products mitigate or eliminate the problems, the NISCC said. The organization is publishing an updated list of affected vendors in a PDF version of the advisory.

"Most vendors include support for this protocol in their products and may be impacted to varying degrees," the agency said in its advisory. One of the ICMP vulnerabilities, termed a TCP blind connection-reset vulnerability, could mean significant problems for some implementations of the Border Gateway Protocol (BGP), one of the Internet's core protocols, according to the advisory. "BGP relies on a persistent TCP connection between BGP peers; resetting the connection can result in medium term unavailability due to the need to rebuild routing tables and route flapping," the NISCC said.

Cisco issued an advisory detailing which of its products are affected by the ICMP vulnerabilities and how to mitigate problems; affected products include Cisco Content Services Switch 11000 Series, Global Site Selector 4480, and various versions of IOS.

One of this week's Microsoft security patches, Security Bulletin MS05-019, updates Windows software for TCP/IP to fix the TCMP problems. IBM said its AIX operating system is affected and that it will give details in an advisory on its Web site. Juniper Networks said its M-series and T-series routers running certain releases of JUNOS software are affected and said it would make more information available on its site. Red Hat said its Enterprise Linux products are unaffected by two of the three TCMP vulnerabilities, and are only partly affected by the third.

The problems are described in a recent Internet-Draft paper by Fernando Gont, a member of the TCMP working group at the IETF (Internet Engineering Task Force), and include three types of potential attacks for slowing traffic or denial of service. The first could reset an established TCP connection using ICMP packets to simulate a hard error condition, the second could slow down traffic using forged ICMP packets, and the third could slow traffic using ICMP Source Quench packets.