HCX - Impact of CISA Alert Code TA04-111A - Vulnerabilities in TCP (NIST CVE-2004-0230)

Article ID: 368754

Products

VMware HCX

Issue/Introduction

HCX is not vulnerable to CISA Alert Code TA04-111A - Vulnerabilities in TCP (NIST CVE-2004-0230):

  • HCX does not rely on persistent TCP connections with a large window size.
  • HCX does not initiate or terminate BGP routing connections.
  • If a scanner reports this issue against HCX, the finding can be considered a false positive for the above reasons.

Details:

A vulnerability was discovered in the Transmission Control Protocol (TCP) specification (RFC 793). TCP, when using a large window size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

Several preconditions must be met before the vulnerability can be exploited. The attack vector applies only to sessions that terminate on a device, not to sessions that merely pass through it (for example, transit traffic). In addition, the attack vector does not directly compromise data integrity or confidentiality. This makes it a non-issue for most setups.

The advisory explains that the affected systems are those that rely on persistent TCP connections. It also explains that BGP routing is a specific case where triggering a reset is easier than expected, because the endpoints can be easily determined and large window sizes are used. BGP routing is also significantly affected when its connections are terminated.
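To make the window-size and known-endpoint arguments above concrete, the following Python sketch is an added example (not code from VMware, CISA, or the advisory). It models the sequence-number window check that a receiver applies to an incoming RST and estimates how many in-sequence-space guesses that check leaves open. The function names, window sizes, and port counts are constructed for illustration.

```python
# Added illustration: why a larger receive window and predictable endpoints
# raise exposure to the reset issue in CVE-2004-0230. All values are constructed.

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def rst_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Receiver-side check: is seg_seq inside [rcv_nxt, rcv_nxt + rcv_wnd)?

    The subtraction is done modulo 2**32 so the test stays correct when the
    window straddles the wraparound point.
    """
    if rcv_wnd <= 0:
        # Zero window: only the exact next expected sequence number matches.
        return seg_seq % SEQ_SPACE == rcv_nxt % SEQ_SPACE
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def segments_to_cover(rcv_wnd: int, port_candidates: int = 1) -> int:
    """Upper bound on guesses needed to land one value in the window.

    One guess per window-sized stride of the sequence space, repeated for
    every source port that cannot be ruled out.
    """
    strides = -(-SEQ_SPACE // max(rcv_wnd, 1))  # ceiling division
    return strides * port_candidates


def exposure_table(windows, port_candidates):
    """Rows of (window, guesses with a known port, guesses with unknown port)."""
    return [
        (w, segments_to_cover(w), segments_to_cover(w, port_candidates))
        for w in windows
    ]


if __name__ == "__main__":
    # Constructed comparison: small vs. large windows, and a session whose
    # 4-tuple is known vs. one with 16384 plausible ephemeral source ports.
    for row in exposure_table([4096, 16384, 65535], port_candidates=16384):
        print("window=%6d  known-port=%8d  unknown-port=%12d" % row)
```

The guess count falls in direct proportion to the window size and rises with every unknown element of the connection 4-tuple, which is why long-lived sessions with large windows and well-known endpoints are the case the advisory singles out.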

The following article from Linux Weekly News also puts the flaw into context and shows why it does not pose a significant threat: http://lwn.net/Articles/81560/

Resolution

HCX is not vulnerable to the CISA Alert Code TA04-111A - Vulnerabilities in TCP (NIST CVE-2004-0230)