Vulnerability Note VU#498440

Multiple TCP/IP implementations may use statistically predictable initial sequence numbers

Original Release date: 13 Mar 2001 | Last revised: 02 Aug 2007

Overview

Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one commonly-used method of randomizing new connection ISNs is in some modern TCP/IP implementations.

Description

The CERT/CC has received a report from Guardent, Inc. concerning an observed statistical weakness in initial sequence number (ISN) generation for TCP connections. Guardent asserts in copyrighted research forwarded to us that incrementing the ISN by some series of pseudo-random amounts is insufficient to protect some TCP implementations from a practical ISN guessing attack in some real-world situations. Such attacks would not rely on data collected (sniffed) from a a victim site. These observations and statistical analyses provide empirical data which draw attention to the protocol analysis documented by Steve Bellovin (building on work pioneered by Robert Morris), culminating in RFC1948.

In RFC1948, Steve noted:

   The initial sequence numbers are intended to be more or less random.
   More precisely, RFC 793 specifies that the 32-bit counter be
   incremented by 1 in the low-order position about every 4
   microseconds.  Instead, Berkeley-derived kernels increment it by a
   constant every second, and by another constant for each new
   connection.  Thus, if you open a connection to a machine, you know to
   a very high degree of confidence what sequence number it will use for
   its next connection.  And therein lies the attack.


Some TCP/IP implementors chose instead to increment the ISNs using constrained random variables instead of constants. Guardent's research demonstrates that the algorithm implemented in some of these TCP/IP stacks is statistically weak and susceptible to attack.

We are currently soliciting feedback from the vendor community to help us understand the scope of this observed statistical weakness. Guardent's work has drawn attention to the fact that not all current TCP/IP stack implementations have implemented RFC1948 or provided an equivalent fix.

Impact

If the ISN of an existing connection can be determined within some practical range, a malicious agent may be able to close or hijack the connection. If the ISNs of future connections are targeted, an agent may be able to "complete" a TCP three-way handshake and spoof TCP packets delivered to a victim.

Solution

Deploy IPsec;

Implement the suggestions in RFC1948, namely the segmentation of the ISN space on a per-host, per-connection basis using cryptographic hashed secrets.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FreeBSD, Inc.Affected08 Mar 200112 Sep 2002
FujitsuAffected08 Mar 200122 Apr 2001
Hewlett-Packard CompanyAffected08 Mar 200112 Sep 2002
OpenBSDAffected08 Mar 200119 Apr 2001
SGIAffected-20 Mar 2002
Sun Microsystems, Inc.Affected08 Mar 200112 Sep 2002
IBM CorporationNot Affected08 Mar 200119 Apr 2001
Apple Computer, Inc.Unknown08 Mar 200112 Sep 2002
Berkeley Software Design, Inc.Unknown08 Mar 200112 Sep 2002
Cisco Systems, Inc.Unknown08 Mar 200112 Sep 2002
Data GeneralUnknown08 Mar 200112 Sep 2002
Microsoft CorporationUnknown08 Mar 200112 Sep 2002
NetBSDUnknown08 Mar 200112 Sep 2002
NeXTUnknown08 Mar 200112 Sep 2002
Red Hat, Inc.Unknown08 Mar 200112 Sep 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks the following individuals for their contributions to this advisory


Steve Bellovin, AT&T Labs
Tim Newsham, Guardent, Inc.
??? BindView
Niels Provohs (?)

This document was written by Jeffrey S. Havrilla

Other Information

  • CVE IDs: CVE-2001-0328
  • CERT Advisory: CA-2001-09
  • Date Public: 12 Mar 2001
  • Date First Published: 13 Mar 2001
  • Date Last Updated: 02 Aug 2007
  • Severity Metric: 15.19
  • Document Revision: 67

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.