Security Alert: Multiple OS IP Fragmentation Memory Exhaustion Vulnerability

Severity: High

Analysis: (iDEFENSE US) Remote exploitation of a new IP fragmentation attack present in multiple operating systems (such as Microsoft Corp.s Windows, Linux and Cisco Systems, Inc.s Cisco IOS) can result in a system running out of memory, allowing a denial of service (DoS).

Many types of fragmented network packets created (e.g., TCP-IP, UDP, ICMP, etc.) will work when sent to a remote host. For each attack, two packets are sent; the initial packet having data that indicates an offset of 0, and a second packet having an offset of 64800. This causes the target system to allocate a portion of memory for the remaining packets that will complete the original un-fragmented packet. For each attack, the target system will allocate 64 kilobytes of memory, which is held in reserve (typically for between 15 and 255 seconds).

If attackers can send a sufficient number of packets, they can cause memory (on the order of gigabytes) to be allocated. Since this attack utilizes a single packets fragments and no actual TCP-IP connection is required, it can be spoofed. For example, attackers can exploit this vulnerability via a SYN connection packet or UDP packet, which is stateless.

Sites that suspect they are under attack due to abnormally high CPU and memory usage should run packet sniffers configured to look for fragmented packets. Observing a large number of fragmented packets with no corresponding connections is an indication of an attack. Depending on the target systems configuration, attackers with access to several hundred kilobits of bandwidth can consume several hundred megabytes, possibly gigabytes, of memory.

Detection: Most operating systems capable of handling fragmented packets are vulnerable, depending on the specific design and configuration of timeouts used. Windows 2000, XP and 2003 are reportedly vulnerable. Almost all forms of Unix, Linux, BSD and Mac OS X are reportedly vulnerable. Cisco IOS and other network device operating systems are reportedly vulnerable.

Packet sniffers, such as TCPDUMP, can be used to detect exploitation if large amounts of fragmented packets are present on a network:

tcpdump -nn -v ip[6]&32!=0

Recovery: Power cycling the router is required to resume normal operation.

Workaround: Disable the web-based administrative interface on the Cisco 675 router.

Vendor Fix: iDEFENSE is unaware of any vendor updates. These are likely to take some time in any event as they require modification to packet handling structures and algorithms used to process them.

iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: