TCP state manipulation vulnerabilities in IOS

Unanswered Question
Sep 10th, 2009


With the recent news about TCP state manipulation I have found out I have an older Internet facing router that is vulnerable to attack.

Its a c2621 running:

IOS (tm) C2600 Software (C2600-IS4-M), Version 12.3(26), RELEASE SOFTWARE (fc2)

The router only has 16mb of flash and 64mb of main (RAM) memory.

The the patched IOSs all require 32mb of flash memory and 128mb of RAM.

What can I do today to workaround this obvious problem??



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Thu, 09/10/2009 - 09:17


I am not sure that there is any attractive answer for your situation. It looks like if you want to get code that fixes the problem (generally the preferred solution) that you would have to upgrade the hardware.

As I understand the description of the problem, to execute the attack the bad guy must complete the three way handshake with the router. So probably your best workaround is to control very tightly what is allowed to establish TCP connection to the router. I would start with the access list on the public facing interface (you do have an access list on that interface?). Make sure that connection to the router on TCP based services are denied or if they need to be allowed make sure that you restrict the addresses that are allowed to make the connection. After you have controlled TCP access from outside you might want to make a similar effort to control access from inside.



pener1963 Thu, 09/10/2009 - 11:36

The only thing this router does is DNS. It answers queries (UDP) and does zone transfers (TCP) with certain allowed hosts. Everything else is blocked.

I think I am looking ok.


Richard Burts Fri, 09/11/2009 - 04:52


If everything else is blocked and if you are controlling who can do zone transfers, then I believe that you are ok.




This Discussion