Blue Coat ProxySG Advisory on Sockstress TCP Attacks (CVE-2008-4609)
In September of 2008, Outpost24 demonstrated Sockstress, a proof-of-concept tool that exploited multiple well-known vulnerabilities in the design of TCP. The tool uses multiple techniques to cause resource exhaustion and a resulting denial of service on the target system. When ProxySG is targeted, system resources will gradually deplete and ProxySG will stop responding to new requests. ProxySG must be restarted to resume normal operation.
All versions of ProxySG prior to 6.1 are vulnerable.
An attack against ProxySG results in complete resource exhaustion. Existing requests that have been processed prior to the start of the attack will experience performance degradation and ProxySG will refuse any new connections. ProxySG must be restarted to restore functionality. In some circumstances, configuration data on ProxySG 4.x appliances will be corrupted after restart.
Policies on ProxySG 5.x and later can be configured to reduce the effect of an attack. If ProxySG is configured to fail open, all policies will be bypassed at the point of extreme resource exhaustion so that traffic continues to flow. ProxySG can also be configured to silently drop or explicitly deny requests when the user limit is reached.
Detection of an attack is nearly impossible. Traffic generated as a result of such an attack is difficult to distinguish from valid protocol exchanges. ProxySG can support tens of thousands of connections and it is common to find many legitimate connections from a single source. In addition, attackers often randomize their source addresses to avoid detection.
Modifications have been made to ProxySG to detect and terminate connections that are not legitimate. The techniques used are effective against Sockstress but may not be effective against other variations of the Sockstress exploits.
No workarounds are available.
ProxySG 6.1 - a fix is available in 18.104.22.168. The fix is available to customers with a valid BlueTouch login from https://bto.bluecoat.com/download/product/5351
ProxySG 5.5 - a fix is available in 22.214.171.124. The fix is available to customers with a valid BlueTouch login from https://bto.bluecoat.com/download/product/41
ProxySG 5.4 - a fix is available in 126.96.36.199. The fix is available to customers with a valid BlueTouch login from https://bto.bluecoat.com/download/product/17
ProxySG 5.3 - please upgrade to a later version.
ProxySG 4.3 - a fix is available in 188.8.131.52. The fix is available to customers with a valid BlueTouch login from https://bto.bluecoat.com/download/product/13
For information on how to upgrade SGOS on your ProxySG, please see KB3608.
National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail
CERT-FI advisory: https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
CERT advisory: www.kb.cert.org/vuls/id/723308
2012-01-17 Notification that no fix will be made available for 5.3. Changed status to final.
2011-03-10 Updated patch information for SGOS 4.3.x code branch
2010-11-04 Notification of a patch release fix for 4.3.
2010-09-29 Notification of a fix released for 6.1, update of advisory text, addition of CVSS score, change of severity to High, repaired link to upgrade article.
2010-07-07 Notification of a fix released for 5.5
2010-04-13 Notification of a fix released for 5.4
2009-12-02 Status update
2009-11-30 Initial public release