KB40346 - CVE-2004-0230 (TCP Sequence Number Approximation Based Denial of Service vulnerability)

Information

 
Last Modified Date: 10/19/2016 11:17 PM
Synopsis
This article provides information about CVE-2004-0230 (TCP Sequence Number Approximation Based Denial of Service vulnerability).
Problem or Goal
Per NVD, the issue is described as:

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP SYN or RST packet, especially in protocols that use long-lived connections, such as BGP.
 
Additional details and analysis of this vulnerability can be found in:  http://lwn.net/Articles/81560/
Cause
Solution

In order to reset a connection an attacker who is not on the path would need to know, or guess, the following:

  • Connection information (source and destination IP addresses and ports).
  • A sequence number that falls inside the receiver's current window. The larger the advertised window, the larger the fraction of the 32-bit sequence space that a blind guess can land in, which is why a large window makes the attack practical; an in-window SYN has the same effect as an in-window RST on stacks that predate RFC 5961.

Since Pulse Connect Secure and Pulse Policy Secure do not use BGP and their TCP connections are generally short-lived, an attacker has far less time to guess the four-tuple and an in-window sequence number, which significantly reduces the ability to trigger a connection reset.

This vulnerability does not impact Pulse One.


Workaround / Mitigation:

  • Enable a stateful firewall in front of the appliance to block SYN packets that arrive on an already established session (a SYN is never legitimate in the middle of an existing connection, so such packets can be dropped without affecting valid traffic). For information on how to configure a stateful firewall to block SYN packets, please reach out to the firewall vendor.
  • TCP stacks that implement RFC 5961 honour a RST only when its sequence number equals RCV.NXT exactly and answer an in-window SYN with a challenge ACK rather than a reset, which removes the advantage a large window gives a blind attacker. Whether the appliance's own TCP stack does so is not covered by this article.

Pulse Secure does not plan to take any actions for this issue.
Created By: K. Kitajima
