NetGearRP114DoS.txt

Posted Dec 14, 2005
Authored by Marc Ruef | Site scip.ch

Marc Ruef found an old fashioned denial of service flaw in the NetGear RP114 device.

tags | advisory, denial of service
SHA-256 | 167e8da4ecc7e712ceaf1c5d26f4e4a95a24545fe23726e64b3d9b463f6f6364

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetGear RP114 TCP SYN Flooding Denial of Service

scip AG Vulnerability (12/12/2005)

I. INTRODUCTION

NetGear is a popular manufacturer of network devices. Their SOHO and
appliance boxes in particular are widely used in private homes. One of
their consumer products is the RP114, a hub device with additional
routing, packet filtering and simple content filtering functionality.

More information is available at the official NetGear web site:

http://www.netgear.com

II. DESCRIPTION

Marc Ruef found an old-fashioned denial of service flaw in this device.
When a TCP SYN flood transits the device, routing between the internal
and the external interface is no longer possible. An attacker can use
this to prevent legitimate users from accessing connected networks (e.g.
the WAN/Internet). Other NetGear devices (e.g. routers and WLAN access
points) may also be affected.

III. EXPLOITATION

Running a TCP SYN flood is very simple and can be done with a large
variety of public attack tools. It is also possible to trigger such an
attack by misusing a port scanning utility. Starting a scan with nmap
by Fyodor using the following command reproduces the denial of
service:

nmap -PS80 192.168.0.0/24

It does not matter how many target ports or hosts are defined. What
matters is that more than approx. 740 persistent, half-open connections
are opened. The scan must also target something on the other interface
of the device than the one the attacker is connected to (e.g. scanning
an external host from the internal interface, and vice versa).

IV. IMPACT

After a successful attack no further routing between the networks is
possible. This makes it impossible for legitimate users to connect to
the Internet or to another network segment. During this time direct
connections to the affected device itself remain possible (e.g.
connecting to the web interface or pinging it).

Only a reboot of the device restores productive status immediately.
Otherwise one has to wait approx. 2 minutes for the device to flush all
half-open connections and return to full operational status.

V. DETECTION

Detection of this attack is not possible on the device itself, but
additional security devices (e.g. dedicated firewalls or intrusion
detection systems) are able to detect this classic kind of attack.
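The detection the advisory delegates to an upstream firewall or IDS comes down to counting half-open (SYN-only) transit connections per initiator and alerting when the count approaches the figure the advisory gives. The following is an added example written for this page, not code from scip AG or NetGear. It assumes a simplified tcpdump-like log line format (`<epoch> <src>:<sport> > <dst>:<dport> [<flags>]`), a hypothetical LAN of 192.168.0.0/24 behind the router, and uses the advisory's own numbers (roughly 740 half-open connections, flushed after about two minutes) as example thresholds; the sample traffic is constructed, not captured.

```python
import ipaddress
from collections import defaultdict

# Example thresholds taken from the advisory's figures (assumptions for this
# example; a real deployment would tune them per device and link).
HALF_OPEN_THRESHOLD = 740   # ~740 half-open connections saturate the RP114
HALF_OPEN_TIMEOUT_S = 120.0 # the device flushes half-open entries after ~2 min

# Hypothetical internal network on the router's LAN interface.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")


def parse_line(line):
    """Parse one constructed log line of the form
    '<epoch> <src>:<sport> > <dst>:<dport> [<flags>]'
    into (ts, src_ip, sport, dst_ip, dport, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags.strip("[]")


def is_transit(src_ip, dst_ip):
    """True when the flow must be routed through the device:
    exactly one endpoint lies inside INTERNAL_NET."""
    src_inside = ipaddress.ip_address(src_ip) in INTERNAL_NET
    dst_inside = ipaddress.ip_address(dst_ip) in INTERNAL_NET
    return src_inside != dst_inside


def half_open_by_source(lines, now):
    """Replay log lines and return {initiator_ip: half-open transit connections}
    still pending at time `now`. A pure SYN opens an entry; a pure ACK (handshake
    completion) or an RST on the same 4-tuple, in either direction, closes it; a
    SYN/ACK leaves it pending. Entries older than the timeout are treated as
    flushed, mirroring the device's own ~2 minute recovery."""
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> SYN timestamp
    for line in lines:
        ts, src, sport, dst, dport, flags = parse_line(line)
        if not is_transit(src, dst):
            continue  # only forwarded traffic loads the routing path
        if "S" in flags and "A" not in flags:
            pending[(src, sport, dst, dport)] = ts
        elif "R" in flags or ("A" in flags and "S" not in flags):
            pending.pop((src, sport, dst, dport), None)
            pending.pop((dst, dport, src, sport), None)
    counts = defaultdict(int)
    for (client, _sport, _server, _dport), opened in pending.items():
        if now - opened <= HALF_OPEN_TIMEOUT_S:
            counts[client] += 1
    return dict(counts)


def detect_syn_flood(lines, now):
    """Return sorted [(initiator_ip, half_open_count)] for initiators whose
    pending half-open transit connections exceed HALF_OPEN_THRESHOLD."""
    counts = half_open_by_source(lines, now)
    return sorted((ip, n) for ip, n in counts.items() if n > HALF_OPEN_THRESHOLD)


def build_sample_log():
    """Constructed sample traffic (not a real capture): one LAN host completes
    three handshakes to a WAN server, another LAN host leaves 800 SYNs to WAN
    hosts unanswered, the pattern the advisory describes. Returns the lines and
    the timestamp of the last event."""
    lines = []
    t = 1134000000.0
    for i in range(3):
        c, cp, s, sp = "192.168.0.5", 40000 + i, "203.0.113.10", 80
        lines.append(f"{t:.3f} {c}:{cp} > {s}:{sp} [S]")
        lines.append(f"{t + 0.01:.3f} {s}:{sp} > {c}:{cp} [SA]")
        lines.append(f"{t + 0.02:.3f} {c}:{cp} > {s}:{sp} [A]")
        t += 0.1
    for i in range(800):
        lines.append(f"{t:.3f} 192.168.0.23:{50000 + i} > 203.0.113.{1 + i % 200}:80 [S]")
        t += 0.001
    return lines, t


if __name__ == "__main__":
    sample, t_end = build_sample_log()
    print("half-open per initiator:", half_open_by_source(sample, t_end))
    print("alerts:", detect_syn_flood(sample, t_end))
    print("alerts after the flush window:", detect_syn_flood(sample, t_end + 200))
```

Keying the pending table on the full 4-tuple rather than on the initiator alone is what separates a scan (hundreds of distinct half-open tuples from one host) from a busy but legitimate client, whose SYNs are quickly followed by ACKs and drop out of the table; the time-based expiry keeps an old burst from triggering alerts indefinitely.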

VI. WORKAROUND

Do not plug the RP114 into untrusted networks where the interconnection
requires high availability. In such cases move to more professional
hardware that can handle a large number of persistent connections
adequately.

VII. VENDOR RESPONSE

No response came back from NetGear. Since the affected RP114 is no
longer listed on the web site and the last firmware dates back to 2002,
no firmware update can be expected.

VIII. SOURCES

scip AG Vulnerability Database (German)
http://www.scip.ch/cgi-bin/smss/showadvf.pl

scip monthly Security Summary (German)
http://www.scip.ch/publikationen/smss/

computec.ch document database (German)
http://www.computec.ch/download.php?list.7 (Denial of Service)
http://www.computec.ch/download.php?list.8 (Firewalling)
http://www.computec.ch/download.php?list.11 (Networking)

IX. DISCLOSURE TIMELINE

11/23/05 Marc Ruef verifies the long-suspected flaw
11/24/05 Vendor informed by email to
pressrelations-at-netgear.com
12/12/05 Public advisory

X. CREDITS

The vulnerability was discovered and analyzed by Marc Ruef at scip AG,
Switzerland.

Marc Ruef, scip AG
maru-at-scip.ch
http://www.scip.ch

A1. BIBLIOGRAPHY

See VIII. for some useful web resources.

A2. LEGAL NOTICES

Copyright (c) 2005 by scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect or consequential loss or damage from use of or reliance
on this advisory.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQ508Dhe5hzJzqVMhEQLEagCfWfWq7GDfBBKu64QwoXTnt43aF84AoJwS
T4IiiG+jatHKlgo9aguvrwyn
=59cT
-----END PGP SIGNATURE-----
