How to Preserve the TCP URG Flag and Pointer
Resolution
Details
The behavior of the TCP URG flag and urgent pointer is not well defined in the available RFCs, and some operating systems are susceptible to attacks that leverage these fields in the TCP header. By default, a Palo Alto Networks firewall clears the URG flag and urgent pointer. The following documents describe some of the security concerns associated with the TCP URG flag and pointer:
- http://www.gont.com.ar/drafts/tcp-security/draft-gont-tcp-security-00.txt (3.9. Urgent pointer)
- http://tools.ietf.org/html/draft-ietf-tcpm-urgent-data-07#appendix-A
- http://tools.ietf.org/html/draft-ietf-tcpm-tcp-security-02#section-3.5.4
To change the firewall's behavior so that it preserves the TCP URG flag and pointer, run the following CLI commands from configuration mode:
# set deviceconfig setting tcp urgent-data oobinline
# commit
After the commit, verify that the "Urgent data" field has changed from 'clear' to 'oobinline'. See the image below:
The show command (from operational mode) is:
> show running tcp state
The firewall clears the TCP URG flag and pointer whenever the urgent-data option is set to 'clear'.
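To show what the default 'clear' setting does to a segment on the wire, here is an added Python example (not code from this article or from PAN-OS): it builds a constructed TCP segment with URG set and an urgent pointer, then normalizes it the way the firewall does, clearing the URG bit, zeroing the pointer and recomputing the checksum so the receiver still accepts the segment. The addresses and ports are constructed sample values.

```python
import socket
import struct

URG, ACK, PSH = 0x20, 0x10, 0x08          # bits in the TCP flags field

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when run over a segment whose checksum field is already valid."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, flags, urgptr, payload: bytes) -> bytes:
    """Constructed sample segment: 20-byte header (no options) with a valid checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, urgptr)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def parse_urgent(segment: bytes) -> dict:
    """Report the urgent-data fields of a TCP segment."""
    off_flags = struct.unpack_from("!H", segment, 12)[0]
    urgptr = struct.unpack_from("!H", segment, 18)[0]
    return {"urg": bool(off_flags & URG), "urgptr": urgptr, "data_offset": (off_flags >> 12) * 4}

def clear_urgent(src_ip, dst_ip, segment: bytes) -> bytes:
    """Mimic the firewall's default 'clear' setting: drop the URG bit, zero the
    urgent pointer and recompute the checksum so the segment stays valid."""
    seg = bytearray(segment)
    off_flags = struct.unpack_from("!H", seg, 12)[0] & ~URG
    struct.pack_into("!H", seg, 12, off_flags)
    struct.pack_into("!H", seg, 18, 0)       # urgent pointer
    struct.pack_into("!H", seg, 16, 0)       # zero checksum before recomputing
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def demo():
    src, dst = "192.0.2.10", "192.0.2.20"   # constructed addresses (TEST-NET-1)
    original = build_segment(src, dst, 40000, 80, ACK | PSH | URG, 4, b"ABCDEFGH")
    cleared = clear_urgent(src, dst, original)
    return parse_urgent(original), parse_urgent(cleared), tcp_checksum(src, dst, cleared)

if __name__ == "__main__":
    print(demo())
```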
owner: ncampagna