CVE-2005-1184
Published: 2005-05-02
Priority: P4 (26), medium, CVSS 2.0 score 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 37.00% (98.3th percentile)
The TCP/IP stack in multiple operating systems allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the correct sequence number but the wrong Acknowledgement number, which generates a large number of "keep alive" packets. NOTE: some followups indicate that this issue could not be replicated.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs
- The exploit uses libpcap in promiscuous mode to sniff an established TCP connection and then injects raw spoofed TCP packets; detect raw socket creation combined with promiscuous interface activity from unexpected processes.
- Replicability of this vulnerability is disputed; some follow-up reports indicate the issue could not be reproduced.
- The exploit requires an already-established TCP session to be observable (sniffed) by the attacker; it is not a blind attack; the attacker must be on-path or able to capture traffic to obtain valid sequence numbers.
- The exploit tool uses a configurable packet injection count (StormCount) and a libpcap filter; a count of 0 means unlimited injections, making the DoS duration attacker-controlled.
- http://seclists.org/lists/fulldisclosure/2005/Apr/0358.html
- http://seclists.org/lists/fulldisclosure/2005/Apr/0383.html
- http://seclists.org/lists/fulldisclosure/2005/Apr/0385.html
- http://www.securityfocus.com/bid/13215
- https://exchange.xforce.ibmcloud.com/vulnerabilities/40502