Splits, handshakes and bananas

It doesn’t matter what business you are in: #$*(‘ing with your customers by releasing advisories and threatening them into buying your product or services is just plain dumb. For those following the TCP split-handshake epic #fail saga, I have to say the vulnerability itself is a clever hack. By using double SYNs or simultaneous connections (which are incredibly rare and non-existent on most modern networks), one can trick firewalls and IPSes into not tracking state. This is reminiscent of the original classic, Insertion, Evasion and Denial of Service, which covered lots of ground on the pitfalls of deconstructing application state in real time based solely on the packets flowing through.

If you follow the Cisco Security blog link above, here’s a quote:

The Cisco PSIRT has made the bugs that were filed for investigation public, and based on the lack of evidence has closed them effective today

I can say one thing, in my five years of building, deploying and observing the IDP product line (while I was at Juniper), I’ve never seen the TCP:AUDIT:S2C-SIMUL-SYN attack object referenced in the original paper that talks about the technique for evading firewalls. That doesn’t mean they don’t exist, but most modern applications have very clear client/server roles. In routing protocols where the peer precedence is discovered implicitly, it’s possible for simultaneous connects to happen, but seriously?

While we empathize with all the vendors mentioned in the report, the fact that they don’t have any tools or evidence to reproduce the problem frankly sucks. To help with this, we’ve uploaded a pcap of this exploit [sic!] to pcapr.net. Simply use tcpreplay to play this packet capture through your product and verify yourself.
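To make the state-tracking point above concrete, here is a small handshake auditor of the kind a firewall or IDP would need in order not to lose the connection when the roles flip. It is an added example written for this post, not the pcap from pcapr.net, not Mu's MuSL model, and not Juniper's TCP:AUDIT:S2C-SIMUL-SYN attack object; it tracks each flow from its first bare SYN, calls that sender the client, and flags the flow when the other side answers with a bare SYN instead of a SYN/ACK. The packets are constructed in-line (the hosts and ports are made up), so it runs without the capture; feeding it real traffic would need a pcap parser, which is left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits as they appear in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal view of a TCP segment: the 4-tuple and the flags."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a connection map to one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def audit_handshakes(packets: List[Packet]) -> Dict[FlowKey, dict]:
    """Track every connection from its first bare SYN and record how the
    handshake completed. The endpoint that sent that SYN is the client; if the
    other endpoint replies with a bare SYN instead of SYN/ACK, the handshake is
    a split (simultaneous-open style) handshake and the flow is marked."""
    flows: Dict[FlowKey, dict] = {}
    for idx, p in enumerate(packets):
        key = flow_key(p)
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        sender: Endpoint = (p.src, p.sport)
        st = flows.get(key)
        if st is None:
            if syn and not ack:  # only a bare SYN opens a tracked flow
                flows[key] = {"client": sender, "stage": "SYN_SENT",
                              "split": False, "first_pkt": idx}
            continue  # mid-stream segments with no tracked SYN are ignored
        from_server = sender != st["client"]
        if st["stage"] == "SYN_SENT" and from_server:
            if syn and ack:
                st["stage"] = "SYN_RECEIVED"      # textbook three-way handshake
            elif syn:
                st["stage"] = "SPLIT_SYN"         # server answered with its own SYN
                st["split"] = True
                st["split_pkt"] = idx
        elif st["stage"] == "SPLIT_SYN" and not from_server and syn and ack:
            st["stage"] = "SYN_RECEIVED"          # client now completes as if it were the server
        elif st["stage"] == "SYN_RECEIVED" and ack and not syn:
            st["stage"] = "ESTABLISHED"
    return flows


def split_handshake_flows(packets: List[Packet]) -> List[Tuple[Endpoint, Endpoint]]:
    """(client, server) pairs whose handshake was split; client is the original SYN sender."""
    out = []
    for (a, b), st in audit_handshakes(packets).items():
        if st["split"]:
            server = b if st["client"] == a else a
            out.append((st["client"], server))
    return out


# Constructed sample traffic (not the pcapr.net capture): one textbook handshake
# and one split handshake between the same made-up hosts on different ports.
NORMAL = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, SYN),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, SYN | ACK),
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, ACK),
]
SPLIT = [
    Packet("10.0.0.5", 40002, "192.0.2.10", 80, SYN),
    Packet("192.0.2.10", 80, "10.0.0.5", 40002, SYN),        # bare SYN back from the server
    Packet("10.0.0.5", 40002, "192.0.2.10", 80, SYN | ACK),  # client finishes the server's half
    Packet("192.0.2.10", 80, "10.0.0.5", 40002, ACK),
]

if __name__ == "__main__":
    for client, server in split_handshake_flows(NORMAL + SPLIT):
        print(f"split handshake: client={client} server={server}")
```

The design point is that the tracker keys the flow on the first SYN it saw and keeps that endpoint as the client, so a SYN coming back from the other side is an event to record rather than the start of a new, unrelated connection; a device that instead re-keys on every SYN is exactly the one that loses state here.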

[Figure: tcp-split-handshake.png]

Kudos to Brian C. for modeling this traffic pattern with MuSL (Mu Scenario Language) and then generating the packets from it.

Download this pcap and use it as you please.
