Security Advisories

November 30, 2009 - Blue Coat ProxySG Advisory on Sockstress TCP Attacks (CVE-2008-4609)

Security Advisories ID:    SA41
Version:    8.0
Status:    Published
Published date:    12/02/2009
Updated:    01/17/2012
 

Advisory Status

Final

Advisory Severity

High, CVSS v2 base score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Summary

In September of 2008, Outpost24 demonstrated Sockstress, a proof-of-concept tool that exploited multiple well-known vulnerabilities in the design of TCP. The tool uses multiple techniques to cause resource exhaustion and a resulting denial of service on the target system. When ProxySG is targeted, system resources will gradually deplete and ProxySG will stop responding to new requests. ProxySG must be restarted to resume normal operation.

Affected Products

All versions of ProxySG prior to 6.1 are vulnerable.

Details

An attack against ProxySG results in complete resource exhaustion. Existing requests that have been processed prior to the start of the attack will experience performance degradation, and ProxySG will refuse any new connections. ProxySG must be restarted to restore functionality. In some circumstances, configuration data on ProxySG 4.x appliances will be corrupted after restart.

Policies on ProxySG 5.x and later can be configured to reduce the effect of an attack.  If configured to fail open, at the point of extreme resource exhaustion, all policies will be bypassed to allow traffic to continue to flow.  ProxySG can also be configured to silently drop or explicitly deny requests when the user limit is reached.

Detection of an attack is nearly impossible.  Traffic generated as a result of such an attack is difficult to distinguish from valid protocol exchanges.  ProxySG can support tens of thousands of connections and it is common to find many legitimate connections from a single source. In addition, attackers often randomize their source addresses to avoid detection. 

Modifications have been made to ProxySG to detect and terminate connections that are not legitimate.  The techniques used are effective against Sockstress but may not be effective against other variations of the Sockstress exploits.

Workarounds

No workarounds are available.

Patches

ProxySG 6.1 - a fix is available in 6.1.1.1.  The fix is available to customers with a valid BlueTouch login from bto.bluecoat.com/download/product/5351

ProxySG 5.5 - a fix is available in 5.5.3.1.  The fix is available to customers with a valid BlueTouch login from https://bto.bluecoat.com/download/product/41

ProxySG 5.4 - a fix is available in 5.4.3.7.  The fix is available to customers with a valid BlueTouch login from https://bto.bluecoat.com/download/product/17

ProxySG 5.3 - please upgrade to a later version.

ProxySG 4.3 - a fix is available in 4.3.4.1.  The fix is available to customers with a valid BlueTouch login from https://bto.bluecoat.com/download/product/13 . 

For information on how to upgrade SGOS on your ProxySG, please see KB3608.

Advisory History

2012-01-17 Notification that no fix will be made available for 5.3.  Changed status to final.

2011-03-10 Updated patch information for SGOS 4.3.x code branch

2010-11-04 Notification of a patch release fix for 4.3.

2010-09-29 Notification of a fix released for 6.1, update of advisory text, addition of CVSS score, change of severity to High, repaired link to upgrade article.

2010-07-07 Notification of a fix released for 5.5

2010-04-13 Notification of a fix released for 5.4

2009-12-02 Status update

2009-11-30 Initial public release

