A malicious client could perform a DoS attack by flooding a connection with requests while never reading the responses on the TCP connection. Depending on how the h2 workers were dimensioned, it was possible to block them with relatively few connections.
Tag: TCP
ASA-2019-00506 – Wind River VxWorks: TCP Urgent Pointer = 0 leads to integer underflow
A specially crafted TCP segment with the URG flag set may cause an overflow of the buffer passed to the recv(), recvfrom() or recvmsg() socket routines. With the prerequisite that the system uses TCP sockets, an attacker can either hijack an existing TCP session and inject bad TCP segments, or establish a new TCP session on any TCP port the victim system listens on. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00501 – Wind River VxWorks: TCP Urgent Pointer state confusion during connect() to a remote host
When the victim attempts a connection, a specially crafted response in which the FIN and URG flags are also set is sent back. This may put the victim into an inconsistent state, which makes it possible to send yet another segment that triggers a buffer overflow. A prerequisite is that the system uses TCP sockets and the attacker can trigger the target to establish a new TCP connection whose traffic the attacker hijacks. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00500 – Wind River VxWorks: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A series of specially crafted TCP segments, the last of which is a TCP segment with the URG flag set, may cause an overflow of the buffer passed to the recv(), recvfrom() or recvmsg() socket routines. A prerequisite is that the system uses TCP sockets and listens on at least one TCP port. The impact of the vulnerability is a buffer overflow of up to a full TCP receive window (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as the buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00498 – Wind River VxWorks: Denial of Service (DoS) of TCP connection via malformed TCP options
A specially crafted packet containing illegal TCP options can result in the victim not just dropping the TCP segment but also dropping the TCP session. This vulnerability affects established TCP sessions. An attacker who can determine the source and destination TCP ports and IP addresses of a session can inject invalid TCP segments into the flow, causing the TCP session to be reset. An application will see this as an ECONNRESET error when using the socket after such an attack. The most likely outcome is a crash of the application reading from the affected socket.
ASA-2019-00368 – FreeBSD: Resource exhaustion in non-default RACK TCP stack
While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service. An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost.
ASA-2019-00367 – Linux kernel: Excessive resource consumption for TCP connections with low MSS allows remote denial of service
An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection is set to a low value, such as 48 bytes, it can leave as little as 8 bytes for user data, which significantly increases the Linux kernel's resource (CPU, memory and bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with a low TCP MSS.
ASA-2019-00366 – Linux kernel: Excessive resource consumption while processing SACK blocks allows remote denial of service
An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.