
Vulnerability Report - Malformed TCP options can push networking stack to use 100% of CPM

 
Unisys ID: UIS-2021-7
Status: Published
CVE-ID: CVE-2021-45445
Affected Product: MCP TCP/IP
Affected Version: 59.1, 60.0, 62.0
Impact: HIGH
CVSS v3.1 Base Score: 7.5
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2.0 Base Score: 7.8
CVSS v2.0 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Common Weakness Enumeration (CWE): CWE-835
Common Platform Enumeration (CPE): cpe:2.3:o:clearpath_mcp:tcpip
Source: Client Reported
Keyword(s): TCP/IP
Vulnerability Description:
A crafted, malformed TCP packet can cause the networking NP worker stack to go into an infinite loop, causing 100% CPM utilization.
System Configuration:
Normal networking configuration.
Impact of Exploiting Vulnerability:
The networking input stack (for example, TCPIP/ACADIA/NP/N, where N is the network processor number) becomes stalled in an infinite loop. The stack name is TCPIP/ACADIA/NP/N in newer/v3 platforms, and TCPIP/~/DYNSRV/N in older/v2 platforms.
Remediation Description:
Upgrade to version TCP-IP-SW-059.1A.55, TCP-IP-SW-060.0a.26, or TCP-IP-SW-062.0a.3.
Workaround Information:
None available.
References:
PLE 19322912
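
Added example, not part of the Unisys advisory and not Unisys code: a structural check that a monitoring sensor could run over captured TCP headers to flag option lists that are not well-formed under RFC 9293. The advisory does not state which malformation triggers the loop, so the checks below are general well-formedness rules; the function names and the sample headers are constructed for illustration.

```python
# Added example: structural check of a TCP header's options area (RFC 9293).
# Assumption: the advisory does not say which malformation triggers the loop,
# so this flags any option list that is not well-formed.
import struct

def check_tcp_options(tcp_header: bytes) -> list[str]:
    """Return a list of findings for the options area of one TCP header."""
    if len(tcp_header) < 20:
        return ["truncated: fewer than 20 header bytes"]
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    if data_offset < 20:
        return [f"data offset {data_offset} is below the 20-byte minimum"]
    if data_offset > len(tcp_header):
        return [f"data offset {data_offset} exceeds the {len(tcp_header)} bytes captured"]
    opts = tcp_header[20:data_offset]
    findings, i = [], 0
    while i < len(opts):                              # i strictly increases on every pass
        kind = opts[i]
        if kind == 0:                                 # End of Option List
            break
        if kind == 1:                                 # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            findings.append(f"option kind {kind} at offset {i} has no length byte")
            break
        length = opts[i + 1]
        if length < 2:                                # length counts kind and length bytes
            findings.append(f"option kind {kind} at offset {i} has length {length} (< 2)")
            break
        if i + length > len(opts):
            findings.append(f"option kind {kind} at offset {i} overruns the options area")
            break
        i += length
    return findings

def build_header(options: bytes) -> bytes:
    """Constructed sample: minimal TCP header (SYN) carrying the given options."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x002
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, offset_flags, 65535, 0, 0) + options

GOOD = build_header(bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7]))      # MSS, NOP, window scale
BAD_LEN = build_header(bytes([2, 4, 0x05, 0xB4, 8, 1]))         # length byte below 2
BAD_RUN = build_header(bytes([2, 4, 0x05, 0xB4, 8, 10, 0, 0]))  # claims 10 bytes, 4 present

if __name__ == "__main__":
    for name, hdr in (("GOOD", GOOD), ("BAD_LEN", BAD_LEN), ("BAD_RUN", BAD_RUN)):
        print(name, check_tcp_options(hdr) or "well-formed")
```

Every branch of the loop either advances the offset by at least one byte or breaks, which is the property a parser needs to avoid the CWE-835 class of fault.
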
Additional Vendor Comment:

Disclaimer:

Unisys Corporation provides the information in this Security Vulnerability Report “AS IS.” No warranties of any nature are extended by or for the information. Unisys disclaims any financial or other responsibility that may result from your use of the information, including direct, indirect, special, or consequential damages.


Paper copies are not controlled and may be out of date; reference the Product Support Web site for current data.