Support Content Notification - Support Portal

SA142 : Invalid TCP Packet Generation DoS in SSL Visibility

Product/Component

SSL Visibility Appliance Software

0 more products

Notification Id

1402

Last Updated

04 May 2021

Initial Publication Date

07 April 2017

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

CVSS v2: 5.0

WorkAround

Affected CVE

SUMMARY

The SSL Visibility appliance may, under certain circumstances, generate invalid TCP reset (RST) packets to remote SSL servers when terminating an intercepted SSL connection. Some SSL servers may ignore the invalid RST packet received and keep the TCP connection open. A malicious SSL client, under certain circumstances, can exploit this vulnerability to cause TCP connection pool exhaustion at the SSL server, resulting in denial of service. The SSL Visibility appliance is not impacted because it correctly releases its TCP connection state.

AFFECTED PRODUCTS

SSL Visibility (SSLV)
CVE	Affected Version(s)	Remediation
All CVEs	4.0 and later	Not vulnerable
	3.12	Not vulnerable, fixed in 3.12.1.1.
	3.11	Upgrade to 3.11.3.1.
	3.10	Upgrade to 3.10.4.1.
	3.9	Upgrade to later release with fixes.
	3.8.4FC	Upgrade to later release with fixes.

ISSUES

CVE-2016-10259
Severity / CVSSv2	Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References	SecurityFocus: BID 97525 / NVD: CVE-2016-10259
Impact	Denial of service
Description	SSLV may, under certain circumstances, generate invalid TCP RST packets when terminating an intercepted SSL connection. Some SSL servers may fail to validate the invalid TCP RST packet, ignore it, and keep the TCP connection open. A malicious SSL client, under certain circumstances, can exploit this vulnerability to create a large number of open TCP connections on the SSL server and cause denial of service through TCP connection pool exhaustion. The SSL Visibility appliance is not impacted because it correctly releases its TCP connection state.

ACKNOWLEDGEMENTS

Thanks to the NTT-ME Corporation Security Team for reporting the vulnerability via JPCERT/CC.

REFERENCES

JPCERT/CC JVN#91438377 - https://jvn.jp/en/jp/JVN91438377/

REVISION

2018-02-23 SA status moved to Final.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-05-24 Added reference to JPCERT/CC JVN#91438377.
2017-04-07 initial public release