CVE-2008-4609

Description

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

Related CPE's

ociscoios12.0\(16\)sc3*******

ociscoios12.2\(3.4\)bp*******

ociscoios11.2xa*******

ociscoios12.4\(2\)t2*******

ociscoios12.3ym*******

ociscoios11.3\(11b\)*******

olinuxlinux_kernel2.3.19*******

ociscoios12.0\(21\)s7*******

obsdibsd_os1.1*******

ociscoios12.1\(2\)e1*******

References

[dailydave] 20081002 TCP Resource Exhaustion DoS Attack Speculation

Broken Link

http://www.outpost24.com/news/news-2008-10-02.html

Broken Link

20081017 Cisco Response to Outpost24 TCP State Table Manipulation Denial of Service Vulnerabilities

Broken Link

http://blog.robertlee.name/2008/10/conjecture-speculation.html

Broken Link

https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html

Broken Link

http://insecure.org/stf/tcp-dos-attack-explained.html

Broken Link

http://searchsecurity.techtarget.com.au/articles/27154-TCP-is-fundamentally-borked

Broken Link

20090908 TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

Broken Link

http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf

Broken Link

TA09-251A

Third Party AdvisoryUS Government Resource

HPSBMI02473

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

Third Party Advisory

MDVSA-2013:150

Broken Link

oval:org.mitre.oval:def:6340

Broken Link

MS09-048

PatchThird Party Advisory

CvssV3 impact

Could not find any metrics

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:M/Au:N/C:N/I:N/A:C

AccessVector

NETWORK

AccessComplexity

MEDIUM

Authentication

NONE

ConfidentialityImpact

NONE

IntegrityImpact

NONE

AvailabilityImpact

COMPLETE

BaseScore

7.099999904632568

Created by Yello
About Severity.io