Support Announcements
DGS-3630-28PC :: CVE-2004-0230 :: TCP using a large Window Size Evelvate to DDOS Mitigation Application Note

 

Overview

 

 

On March 15, 2022, D-Link became aware of the DGS-3630-28PC being affected by CVE-2004-0230 Vulnerability. 

CVE-2004-0230 discloses when using a large TCP Window Size; it is less challenging for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

 

Vulnerability Response:

 

          RFC5961 has further explanation of the vulnerability and mitigation methods that should be implemented: https://tools.ietf.org/search/rfc5961

          The CVE-2004-0230 vulnerability CVSS Score is 5.0, but the confidentiality impact is None. The effect of this is considered negligible, and for users/owners affected by this issue, the mitigation note below is the recommended way to resolve it.

 

1.      The following article from Linux Weekly News also puts the flaw into context and shows why it does not pose a significant threat: http://lwn.net/Articles/81560/ Red Hat has no plans for action regarding this issue.

2.      The DHS advisory explains that BGP routing is a specific case where triggering a reset is more accessible than expected, as the endpoints can be easily determined and large window sizes are used. Most BGP operators use MD5 signatures on their BGP sessions, using a shared secret between the two BGP peers. This effectively adds relatively strong authentication over the connection. It also mitigates this attack(CVE-2004-0230)

3.      The switch does not publish TCP source port information (It is a LAN switch, not a Gateway router)

 

Workaround solutions:

 

     Mitigation Note has specific recommendations for the DGS-3630-28PC.

        Reduce the TCP window size.

        BGP with MDP signature

  

 

Report Information:

 

          - Discovered by D-Link

                - NIST :: https://nvd.nist.gov/vuln/detail/CVE-2004-0230

 

 

 Affected Models

 

Model

Affected Version

 Region

Mitigation

Recommendation

 Last Updated

DGS-3630-28PC

All H/W Rev. & F/W Revsions

WorldWide

Please follow Applicaiton Note

Application Note

12/22/2023

 

 

 

 

Regarding the Security patch for your D-Link Devices

 

 

Firmware and software updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend all users to install the relevant updates.

 

Please note that this device's beta software, beta firmware, or hot-fix release is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis, and the user assumes all risk and liability for use thereof. D-Link does not offer any express or implied warranties regarding the suitability or usability of the beta firmware. D-Link will not be liable for any direct, indirect, special, or consequential loss suffered by any party due to their use of the beta firmware.

 

As our products have different hardware revisions, please check this on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the underside of the product label next to the serial number. Alternatively, they can also be found on the device web configuration.