CVE-2008-4609 Vulnerability in TCP/IP stack involves multiple vendors

A paper and demonstration were presented showing a new Denial of Service
attack on TCP/IP stacks across many vendors. In general, this is a DoS
attack that can cause temporary or permanent DoS to a service or
permanent DoS to the OS. It could lead to remote code execution in
some OSs.

This vulnerability is also referred to as the "Outpost24 TCP State Table
Manipulation Denial of Service Vulnerability".

Vendor Information


* Microsoft has published security bulletin MS09-048 to address this


* VMware products are not vulnerable.


* Cisco has published a Security Advisory dealing with the Outpost24


* CheckPoint has released two SecureKnowledge entries


* Juniper Networks received the Sockstress tool and executed testing
on all our platforms. We have found no unexpected or adverse impact to
our equipment which is different from other types of TCP Denial of
Service (DOS). When the Sockstress DOS attack is removed, Juniper
systems recover normally. Given that Sockstress is not a new 'class' of
TCP attacks, existing Best Common Practices (BCPs) used to protect
Juniper products from TCP based DOS attacks are the best investment of
time. Juniper Security Advisory is PSN-2008-10-041 and can be found at
Access is via Entitled Disclosure. Please contact Juniper SIRT Team at for any questions on this or other feasible
vulnerabilities and risk to Juniper Networks' products and services.


* We can report that the TCP stack in our Security Gateway products
is not affected by these vulnerabilities.

Red Hat

* Red Hat has published a knowledgebase article about the issue

Sun Microsystems


Wind River

* Wind River's VxWorks is vulnerable. Registered users can access Wind
River's online support for patches and more information by following
this link:
* Users may also contact Wind River technical support for more


* We can report that the TCP stack in our Fortigate products is not
affected by these vulnerabilities.

Some of these will be followed up with individual security alerts. In
general, you should keep your systems up to date with the latest
patches. Should you notice any odd DoS attacks that follow these
symptoms, please let me know.