Cisco Nexus 9000 Series Fabric Switches ACI Mode Multi-Pod and Multi-Site TCP Denial of Service Vulnerability

A vulnerability in the Multi-Pod or Multi-Site network configurations for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to unexpectedly restart the device, resulting in a denial of service (DoS) condition.

This vulnerability exists because TCP traffic sent to a specific port on an affected device is not properly sanitized. An attacker could exploit this vulnerability by sending crafted TCP data to a specific port that is listening on a public-facing IP address for the Multi-Pod or Multi-Site configuration. A successful exploit could allow the attacker to cause the device to restart unexpectedly, resulting in a DoS condition. 

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n9kaci-tcp-dos-YXukt6gM

This advisory is part of the August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2021-1586

SDWAN does not support "MSS Clamping" on a PPPoE Internet Service (before version 11.3.1), which causes some external web pages to fail to load

This is because the SDWAN PPPoE link does not support MSS clamping before version 11.3.1.

What is MSS Clamping?

1. On a PPPoE link, an additional 8-byte PPPoE header (6 bytes of PPPoE plus a 2-byte PPP protocol ID) is inserted into every frame, so the usable IP MTU drops from 1500 to 1492. A TCP segment sized for a 1500-byte MTU (1460 bytes of payload plus 40 bytes of IP and TCP headers) becomes 1508 bytes on the wire and would have to be fragmented.

2. In most cases, however, the DF (Don't Fragment) bit is set, so the packet must not be fragmented. The PPPoE router then has to drop it and reply with an ICMP "Fragmentation Needed" message (Type 3, Code 4) to the originating client or server, which should resend the data in smaller segments. This is Path MTU Discovery.

3. That ICMP message is frequently dropped by a firewall, so the sender never learns the smaller MTU: the handshake and small responses succeed, but every full-size segment is silently lost, which is why only some pages fail to load. A more robust solution is for the PPPoE router to rewrite the MSS option in the TCP SYN and SYN-ACK so that it fits the PPPoE link MTU (1492 - 40 = 1452 bytes). That is called MSS clamping.
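
The rewrite a PPPoE router performs when clamping, as an added Python example (this is not SDWAN code): it parses the TCP option list of a SYN, lowers an MSS larger than the link MTU minus 40 bytes of headers, and recomputes the TCP checksum over the IPv4 pseudo-header. The sample SYN and the RFC 5737 documentation addresses are constructed for the example; `PPPOE_MTU`, `build_syn`, `mss_of` and `clamp_mss` are names chosen here.

```python
import struct

# Added example (not SDWAN code): the MSS rewrite a PPPoE router performs when
# clamping. Sample packets are constructed here; the addresses are RFC 5737
# documentation addresses, not real hosts.

IPV4_TCP_HEADERS = 40          # 20-byte IPv4 header + 20-byte TCP header, no options
PPPOE_MTU = 1500 - 8           # 8-byte PPPoE/PPP overhead leaves 1492 for IP


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header and the TCP segment.
    Computed over a segment whose checksum field is already filled in, it returns 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Build a bare TCP SYN carrying a single MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4           # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def _iter_options(segment: bytes):
    """Yield (offset, kind, length) for each TCP option in the header."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                # End of Option List
            return
        if kind == 1:                # NOP padding
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2:
            return                   # truncated or malformed option: stop parsing
        length = segment[i + 1]
        yield i, kind, length
        i += length


def mss_of(segment: bytes):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    for off, kind, length in _iter_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None


def clamp_mss(src_ip: bytes, dst_ip: bytes, segment: bytes, link_mtu: int = PPPOE_MTU) -> bytes:
    """Return a copy of segment with its MSS option reduced to link_mtu - 40 if it is
    larger, with the TCP checksum recomputed. Only SYN/SYN-ACK carry MSS, so other
    segments, and segments without an MSS option, are returned unchanged."""
    if not segment[13] & 0x02:
        return segment
    max_mss = link_mtu - IPV4_TCP_HEADERS
    seg = bytearray(segment)
    changed = False
    for off, kind, length in _iter_options(segment):
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", seg[off + 2:off + 4])[0]
            if mss > max_mss:
                seg[off + 2:off + 4] = struct.pack("!H", max_mss)
                changed = True
    if changed:
        seg[16:18] = b"\x00\x00"
        seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


# Constructed sample: a client SYN advertising the Ethernet-sized MSS of 1460.
CLIENT_IP = bytes([192, 0, 2, 10])
SERVER_IP = bytes([198, 51, 100, 5])
SAMPLE_SYN = build_syn(CLIENT_IP, SERVER_IP, 40000, 443, 1460)

if __name__ == "__main__":
    out = clamp_mss(CLIENT_IP, SERVER_IP, SAMPLE_SYN)
    print("MSS before:", mss_of(SAMPLE_SYN), "after:", mss_of(out),
          "checksum ok:", tcp_checksum(CLIENT_IP, SERVER_IP, out) == 0)
```

The clamp has to be applied to both directions of the handshake: the client's SYN tells the server how much to send per segment, and the SYN-ACK tells the client. Because the rewrite changes the header, the checksum is recomputed; a router that forgot this step would have every clamped SYN dropped by the receiver.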

TCP Profiles on NetScaler

TCP configurations for a NetScaler appliance can be specified in an entity called a TCP profile, which is a collection of TCP settings. The TCP profile can then be associated with services or virtual servers that want to use these TCP configurations.

Built-in TCP Profiles

For convenience of configuration, the NetScaler provides some built-in TCP profiles. For a list of built-in profiles, refer to Citrix Documentation – Built-in TCP Profiles.

For a list of options that are available for a TCP profile, refer to Citrix Documentation – ns tcpProfile.

Note: These values can have serious impacts on network performance. Use these values carefully when adjusting them manually in existing profiles, or when creating new profiles.

To specify service or virtual server level TCP configurations

Command line interface

  1. Configure the TCP profile:

    add ns tcpProfile <profile-name> [options]

    or, to change an existing profile:

    set ns tcpProfile <profile-name> [options]

  2. Bind the TCP profile to the service or virtual server.

    To bind the TCP profile to a service:

    set service <name> -tcpProfileName <profile-name>

    To bind the TCP profile to a load balancing virtual server:

    set lb vserver <name> -tcpProfileName <profile-name>

    For example:

    > set service service1 -tcpProfileName profile1

Configuration utility

  1. Configure the TCP profile.

    Navigate to System >Profiles > TCP Profiles, and create the TCP profile.

  2. Bind the TCP profile to the service or virtual server.

    Navigate to Traffic Management > Load Balancing > Services (or Virtual Servers), open the service or virtual server, and select the TCP profile to bind to it.
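
A complete CLI sequence for the procedure above, added here as an example rather than taken from the Citrix documentation. The profile, service and virtual server names (profile1, service1, vserver1) and the option values are assumptions; the parameters shown (-WS, -SACK, -nagle, -mss, -tcpProfileName) are standard ns tcpProfile and service/vserver parameters.

```console
> add ns tcpProfile profile1 -WS ENABLED -SACK ENABLED -nagle DISABLED -mss 1460
> set service service1 -tcpProfileName profile1
> set lb vserver vserver1 -tcpProfileName profile1
> show ns tcpProfile profile1
> show service service1
> show lb vserver vserver1
> save ns config
```

Verify with the show commands before saving: the service and virtual server output should list profile1 as the TCP profile. To fall back to the default profile later, unset the binding (unset service service1 -tcpProfileName) rather than deleting the profile while it is still in use.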

How to Pass the Client's Source Port to the Backend Server When Accessed Through NetScaler

To achieve this, disable the Use Proxy Port option on the service.

To configure the Use Proxy Port setting on a service by using the configuration utility:

  1. Navigate to Traffic Management> Load Balancing > Services, and open a service.
  2. In Advanced Settings, select Traffic Settings, and unselect Use Proxy Port.

To configure the Use Proxy Port setting on a service by using the CLI:

At the command prompt, type:

set service svc -useproxyport NO

The Use Proxy Port option is only meaningful when the Use Source IP (USIP) option is enabled on the Service, or Use Client IP on the Service Group: with USIP the NetScaler already connects to the backend using the client's IP address, and disabling Use Proxy Port additionally preserves the client's source port instead of substituting a NetScaler-owned port.

This option is enabled by default for TCP-based service types such as TCP, HTTP, and SSL.

With Use Proxy Port disabled, the backend server sees the client's IP address and the source port from which the client connected. As with any USIP deployment, make sure the server's return traffic is routed back through the NetScaler; if the server answers the client directly, the connection will not complete.

Cisco IP Phone TCP Packet Flood Denial of Service Vulnerability

A vulnerability in the TCP packet processing functionality of Cisco IP Phones could allow an unauthenticated, remote attacker to cause the phone to stop responding to incoming calls, drop connected calls, or unexpectedly reload. 

The vulnerability is due to insufficient TCP ingress packet rate limiting. An attacker could exploit this vulnerability by sending a high and sustained rate of crafted TCP traffic to the targeted device. A successful exploit could allow the attacker to impact operations of the phone or cause the phone to reload, leading to a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-flood-dos-YnU9EXOv

Security Impact Rating: High

CVE: CVE-2020-3574

Cisco Firepower Threat Defense Software TCP Intercept Bypass Vulnerability

A vulnerability in the TCP Intercept functionality of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Access Control Policies (including Geolocation) and Service Policies on an affected system.

The vulnerability exists because TCP Intercept is invoked when the embryonic connection limit is reached, which can cause the underlying detection engine to process the packet incorrectly. An attacker could exploit this vulnerability by sending a crafted stream of traffic that matches a policy on which TCP Intercept is configured. A successful exploit could allow the attacker to match on an incorrect policy, which could allow the traffic to be forwarded when it should be dropped. In addition, the traffic could incorrectly be dropped.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tcp-intercept-bypass-xG9M3PbY

Security Impact Rating: Medium

CVE: CVE-2020-3565

Error: "Cannot connect to server" "Can't assign requested address"

1: Not an ADC issue

Confirmed from the client packet capture and the NetScaler nstrace: no TCP connection was found for the failed desktop launch. The client did not attempt to establish any TCP connection in the failed scenario; only the successful ICA connection was recorded, which matches the customer's test results.

2: Client DNS resolution failure, seen in the Receiver CDF trace

The client is given the hostname HDX-dektop.server to connect to, but it resolves that name to the IP address 0.0.0.2. The implication is that this is a locked-down environment with a proxy or DNS setting in place that redirects many undesired names to 0.0.0.2. An address in 0.0.0.0/8 is never a valid connection target, so the connect attempt fails locally with "Can't assign requested address" before any SYN is sent, which is consistent with the empty packet capture above.

CDF log:

37525,0,2020/08/05 17:51:22:57588,11944,7864,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name:HDX-dektop.server resolved to: 10.204.182.11","" (working scenario)

130535,0,2020/08/05 17:51:33:46960,13344,13428,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name: HDX-dektop.server resolved to: 0.0.0.2","" (NOT working scenario)
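
To make this check repeatable across a large CDF trace, the following is an added Python example (not Citrix code) that scans CDF lines for "resolved to:" entries and flags hostnames that resolved to an address that can never be connected to. The two sample lines are constructed from the entries quoted above; the 0.0.0.0/8 rule and the `check_cdf` / `unusable_reason` names are choices made for this example.

```python
import ipaddress
import re

# Constructed sample CDF lines modelled on the two entries quoted above
# (same hostname and resolved addresses; this is not a real trace file).
SAMPLE_CDF = """\
37525,0,2020/08/05 17:51:22:57588,11944,7864,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name:HDX-dektop.server resolved to: 10.204.182.11",""
130535,0,2020/08/05 17:51:33:46960,13344,13428,-1,HPC_ICA_ENG,SslASock_Api.c,467,SslASock_Connect(),1,Information,"SSL Relay host name: HDX-dektop.server resolved to: 0.0.0.2",""
"""

# Matches the resolver message emitted by SslASock_Connect(); the hostname may or
# may not be preceded by a space, as the two quoted lines show.
RESOLVED_RE = re.compile(
    r"host name:\s*(?P<host>\S+) resolved to:\s*(?P<ip>[0-9A-Fa-f.:]+)")


def unusable_reason(ip_text: str):
    """Return why an address can never be a valid connect target, or None if it can.
    Private addresses (10.x.x.x, ...) are fine: the working case above is one."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not an IP address"
    # 0.0.0.0/8 is 'this network' (RFC 1122): a resolver answer in this range is
    # the sinkhole pattern seen in the failing trace.  Assumption of this example.
    if ip.version == 4 and ip in ipaddress.ip_network("0.0.0.0/8"):
        return "0.0.0.0/8 (this-network) address, never a valid connect target"
    if ip.is_loopback:
        return "loopback address"
    if ip.is_multicast:
        return "multicast address"
    if ip.is_reserved:
        return "reserved address"
    return None


def check_cdf(text: str):
    """Scan CDF text and return one finding per resolver line."""
    findings = []
    for line in text.splitlines():
        m = RESOLVED_RE.search(line)
        if not m:
            continue
        host, ip = m.group("host"), m.group("ip")
        reason = unusable_reason(ip)
        findings.append({"host": host, "ip": ip, "ok": reason is None, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in check_cdf(SAMPLE_CDF):
        status = "OK " if f["ok"] else "BAD"
        print(f"{status} {f['host']} -> {f['ip']}" + (f"  ({f['reason']})" if f["reason"] else ""))
```

Run against a full Receiver CDF export, every "BAD" line points at a name the client's resolver (or a proxy auto-config script) is sinkholing; the fix belongs on the client or its DNS/proxy configuration, not on the NetScaler, exactly as the two findings above conclude.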

Cisco StarOS IPv6 Denial of Service Vulnerability

A vulnerability in the IPv6 implementation of Cisco StarOS could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet to an affected device with the goal of reaching the vulnerable section of the input buffer. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-ipv6-dos-ce3zhF8m

Security Impact Rating: Medium

CVE: CVE-2020-3500
