Symantec Security Response - SMNTC-1378

SA131 : TCP Session Hijacking in Operating Systems Supporting RFC 5961

2016-09-14 08:00:00

CVSS3: 4.8 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P

SUMMARY

Blue Coat products that include a vulnerable version of an operating system that supports RFC 5961 are susceptible to a TCP session hijacking vulnerability. A remote, off-path attacker can infer the sequence numbers of an existing TCP connection, and either reset the connection or inject arbitrary data.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2016-5696 | 1.3 | Upgrade to 1.3.7.3.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 1.1 | Not available at this time

Malware Analysis Appliance (MAA)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 4.2 | Upgrade to 4.2.11.

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1
CVE-2016-5696 | 1.7 | Upgrade to 1.7.2.1.
CVE-2016-5696 | 1.6 | Upgrade to later release with fixes.
CVE-2016-5696 | 1.5 | Upgrade to later release with fixes.

Norman Shark Industrial Control System Protection (ICSP)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 5.4 and later | Not vulnerable, fixed in 5.4.1
CVE-2016-5696 | 5.3 | Upgrade to later release with fixes.

Norman Shark Network Protection (NNP)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 5.3 | A fix will not be provided.

Norman Shark SCADA Protection (NSP)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

PacketShaper (PS) S-Series

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 11.7 and later | Not vulnerable, fixed in 11.7.1.1
CVE-2016-5696 | 11.6 | Upgrade to 11.6.2.1.
CVE-2016-5696 | 11.2, 11.3, 11.4, 11.5 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 1.1 | Upgrade to 1.1.3.1.

Reporter

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2016-5696 | 10.1 | Upgrade to 10.1.5.1.
CVE-2016-5696 | 9.5 | Not vulnerable
CVE-2016-5696 | 9.4 | Not vulnerable

Security Analytics

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 7.3 and later | Not vulnerable, fixed in 7.3.1
CVE-2016-5696 | 7.2 | Upgrade to 7.2.2.
CVE-2016-5696 | 7.1 | Not vulnerable
CVE-2016-5696 | 6.6 | Not vulnerable

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 3.11 and later | Not vulnerable, fixed in 3.11.1.1
CVE-2016-5696 | 3.10 | Not available at this time
CVE-2016-5696 | 3.9 | Upgrade to 3.9.7.1.
CVE-2016-5696 | 3.8.4FC | Upgrade to later release with fixes.

The following products have a vulnerable version of an operating system that supports RFC 5961, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2016-5696 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2016-5696 | 6.6 | Upgrade to 6.6.5.4.

ADDITIONAL PRODUCT INFORMATION

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
X-Series XOS
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-5696

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 91704 / NVD: CVE-2016-5696
Impact | Denial of service, unauthorized data modification
Description | A side channel flaw in TCP packet handling allows a remote attacker to send spoofed packets and hijack a TCP connection. The attacker can reset the connection or inject arbitrary data.

This Security Advisory addresses TCP session hijacking vulnerabilities in operating systems that support RFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks. RFC 5961 provides defenses against the following blind in-window attacks that affect the original TCP protocol specified in RFC 793 - Transmission Control Protocol:

  • Blind reset attack using TCP reset (RST) packets - a remote, off-path attacker can use spoofed RST packets to reset an existing TCP connection.
  • Blind reset attack using TCP synchronize (SYN) packets - a remote, off-path attacker can use spoofed SYN packets to reset an existing TCP connection.
  • Blind data injection attack - a remote, off-path attacker can use spoofed data packets to inject arbitrary data into an existing TCP connection.

According to RFC 793, a TCP host that receives one of the packets above only needs to verify that the packet's sequence number is within its receive window. An attacker who can guess a sequence number within the target's receive window can therefore carry out any of these attacks blind. RFC 5961 tightens the sequence number checks as follows:

  1. If the packet's sequence number exactly matches the next expected sequence number, the target TCP host accepts the packet.
  2. If the packet's sequence number does not match the next expected sequence number but is within the target's receive window, the target TCP host responds with a challenge acknowledgement (ACK) packet instead of acting on the packet. The challenge ACK tells a legitimate sender to resend the packet with the exact sequence number the target expects. If the original packet was spoofed, the off-path attacker never receives the challenge ACK and the attack cannot proceed.

RFC 5961 specifies a challenge ACK throttling mechanism to control the rate of outgoing challenge ACK packets and prevent them from consuming the target host's CPU and bandwidth. The throttling mechanism uses a global, system-wide counter that is shared by all existing network connections on the system: it is reset to N at the start of each throttling interval, decremented for every challenge ACK sent, and no further challenge ACKs are sent once it reaches zero. The counter is configurable, but uses a well-known default value N (on affected Linux kernels this is the sysctl net.ipv4.tcp_challenge_ack_limit, with a default of 100).

Security researchers have discovered that the global challenge ACK counter exposes a side channel for inferring TCP sequence numbers and hijacking existing TCP connections:

  1. The attacker sends a spoofed packet to the target on the victim connection. If the packet's sequence number is within the target's receive window, the target responds with a challenge ACK packet (sent to the victim, not to the attacker) and decrements the global challenge ACK counter from N to N-1.
  2. Within the same throttling interval, the attacker sends N non-spoofed packets with in-window sequence numbers on a TCP connection it has established to the target itself. If the attacker receives N-1 challenge ACK packets in response, the sequence number of the spoofed packet in step 1 was within the target's receive window. If the attacker receives N challenge ACK packets, the spoofed packet's sequence number was not in the target's receive window.

By repeating this test with different guesses, the attacker narrows the victim connection's sequence numbers down to the exact value and can then reset the connection or inject arbitrary data.
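The RFC 5961 sequence check and the counter side channel described above, as an added simulation that is not part of this advisory or of any Blue Coat product code. It assumes, beyond what the advisory states, that the attacker already knows the victim connection's 4-tuple and receive window size; the 4-tuples, the victim's sequence number, the `Host`, `OffPathAttacker` and `demo` names and the rate-limit model (a per-interval budget of N challenge ACKs) are constructed for the example.

```python
# Constructed simulation of the CVE-2016-5696 side channel; not vendor code.
# Assumptions not taken from the advisory: the victim 4-tuple is already known,
# the attacker knows the victim's receive window, one "round" is one interval.
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rfc5961_rst_action(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3.2: what a receiver does with an incoming RST."""
    if seq == rcv_nxt:
        return "reset"      # exact match: the connection is torn down
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge"  # in-window but not exact: send a challenge ACK
    return "drop"           # out of window: silently discarded


class Host:
    """shared=True is the global counter from the advisory; shared=False is per connection."""
    def __init__(self, limit, shared=True):
        self.limit, self.shared = limit, shared
        self.glob, self.conns = {"budget": limit}, {}  # system-wide counter, 4-tuple -> state

    def add_conn(self, key, rcv_nxt, rcv_wnd):
        self.conns[key] = {"nxt": rcv_nxt, "wnd": rcv_wnd, "alive": True, "budget": self.limit}

    def new_interval(self):
        """Throttling interval rolls over: every budget is refilled to N."""
        for c in [self.glob, *self.conns.values()]:
            c["budget"] = self.limit

    def receive_rst(self, key, seq):
        """Returns True if a challenge ACK went back to the packet's source."""
        c = self.conns.get(key)
        if c is None or not c["alive"]:
            return False
        action = rfc5961_rst_action(seq, c["nxt"], c["wnd"])
        if action == "reset":
            c["alive"] = False
        if action != "challenge":
            return False
        bucket = self.glob if self.shared else c  # the counter that pays for this ACK
        if bucket["budget"] == 0:
            return False                          # throttled: no challenge ACK sent
        bucket["budget"] -= 1
        return True


class OffPathAttacker:
    """Sees only the replies on its own, non-spoofed connection."""
    def __init__(self, host, victim_key, own_key):
        self.host, self.victim, self.own, self.rounds = host, victim_key, own_key, 0

    def hits(self, guesses):
        """One interval: spoof RSTs at `guesses` toward the victim, then send N in-window
        RSTs on our own connection. Each missing challenge ACK was spent on a hit."""
        self.host.new_interval()
        self.rounds += 1
        for g in guesses:
            self.host.receive_rst(self.victim, g)  # any reply goes to the victim, not us
        own, n = self.host.conns[self.own], self.host.limit
        seen = sum(self.host.receive_rst(self.own, (own["nxt"] + 1 + i) % SEQ_MOD)
                   for i in range(n))              # nxt+1 .. nxt+N: in-window, never exact
        return n - seen

    def infer_rcv_nxt(self, rcv_wnd, batch=1024):
        # Phase 1: one guess per window-sized slot, `batch` slots per round, then bisect.
        slots, hit = -(-SEQ_MOD // rcv_wnd), None
        for start in range(0, slots, batch):
            guesses = [(i * rcv_wnd) % SEQ_MOD for i in range(start, min(start + batch, slots))]
            if self.hits(guesses) == 0:
                continue
            lo, hi = 0, len(guesses)
            while hi - lo > 1:
                mid = (lo + hi) // 2
                lo, hi = (lo, mid) if self.hits(guesses[lo:mid]) else (mid, hi)
            hit = guesses[lo]
            break
        if hit is None:
            return None  # no oracle: the counter was not shared
        # Phase 2: bisect upward to the window's upper edge; probes stay strictly above
        # `hit`, so none can equal rcv_nxt and reset the victim connection.
        lo, hi = hit, hit + rcv_wnd  # lo is in-window, hi is just outside
        while hi - lo > 1:
            mid = (lo + hi) // 2
            lo, hi = (mid, hi) if self.hits([mid % SEQ_MOD]) else (lo, mid)
        return (lo + 1 - rcv_wnd) % SEQ_MOD


def demo(shared=True):
    """Returns (inferred rcv_nxt or None, rounds used, victim connection still alive)."""
    victim = ("10.0.0.5", 443, "10.0.0.9", 51234)       # constructed 4-tuples
    own = ("10.0.0.5", 443, "198.51.100.7", 40000)
    host = Host(limit=100, shared=shared)
    host.add_conn(victim, rcv_nxt=0x7A3BC9D1, rcv_wnd=65536)  # the secret
    host.add_conn(own, rcv_nxt=1000, rcv_wnd=65536)           # attacker's own connection
    atk = OffPathAttacker(host, victim, own)
    return atk.infer_rcv_nxt(65536), atk.rounds, host.conns[victim]["alive"]


if __name__ == "__main__":
    print("global counter:", demo(shared=True), "per-connection:", demo(shared=False))
```

With the shared counter, `demo(shared=True)` recovers the victim's rcv_nxt in 57 throttling intervals although not one packet from the victim connection ever reaches the attacker; with `demo(shared=False)` the attacker's own connection returns N challenge ACKs every round and learns nothing, which is why the global counter, rather than challenge ACKs as such, is the flaw. A real attack also has to locate the 4-tuple and the ACK number first; the UCR paper in the references covers both phases.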

REFERENCES

Off-Path TCP Exploits: Global Rate Limit Considered Dangerous - <http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf>
RFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks - <https://tools.ietf.org/html/rfc5961>
RFC 793 - Transmission Control Protocol - <https://tools.ietf.org/html/rfc793>

REVISION

2020-04-23 A fix will not be provided in Industrial Control System Protection (ICSP) 5.3. Please upgrade to a later release with the vulnerability fixes. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-09-21 SA 8.0 is not vulnerable. ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-29 A fix for ASG 6.6 is available in 6.6.5.4.
2017-03-08 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. A fix for PolicyCenter S-Series is available in 1.1.3.1. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2.
2017-01-24 A fix for CAS 1.3 is available in 1.3.7.3.
2017-01-13 A fix in SSLV 3.9 is available in 3.9.7.1.
2017-01-10 A fix for Reporter 10.1 is available in 10.1.5.1.
2016-12-19 A fix for MAA is available in 4.2.11.
2016-12-02 A fix is available in SSLV 3.11.1.1.
2016-12-02 PacketShaper S-Series 11.7 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.7 is vulnerable and a fix for MC 1.7 is available in 1.7.2.1.
2016-11-11 SSLV 3.10 is vulnerable. A fix is not available at this time.
2016-11-04 A fix for PacketShaper S-Series is available in 11.6.2.1.
2016-09-15 ASG has a vulnerable version of an operating system that supports RFC 5961, but is not vulnerable to known vectors of attack.
2016-09-14 Initial public release.
