KB40346 - CVE-2004-0230 (TCP Sequence Number Approximation Based Denial of Service vulnerability)

This article provides information about CVE-2004-0230 (TCP Sequence Number Approximation Based Denial of Service vulnerability).

Per NVD, the issue is describes as:

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP SYN or RST packet, especially in protocols that use long-lived connections, such as BGP.
 
Additional details and analysis of this vulnerability can be found in:  http://lwn.net/Articles/81560/

In order to perform a connection reset an attacker would need to know the following information:

• Connection information (IP address and ports)
• Sequence number within the window.

Since the Pulse Connect Secure and Pulse Policy Secure does not utilize BGP and the TCP connections are generally short-lived, this does significantly reduce the ability to trigger a connection reset.

This vulnerability does not impact Pulse One.

Workaround / Mitigation:

• Enable a stateful firewall to block SYN packets on existing sessions.  For information how to configure a stateful firewall to block SYN packets, please reach out to the firewall vendor.

Pulse Secure does not plan to take any actions for this issue.