SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#498440

Multiple TCP/IP implementations may use statistically predictable initial sequence numbers

Overview

Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one commonly-used method of randomizing new connection ISNs is in some modern TCP/IP implementations.

I. Description

The CERT/CC has received a report from Guardent, Inc. concerning an observed statistical weakness in initial sequence number (ISN) generation for TCP connections. Guardent asserts in copyrighted research forwarded to us that incrementing the ISN by some series of pseudo-random amounts is insufficient to protect some TCP implementations from a practical ISN guessing attack in some real-world situations. Such attacks would not rely on data collected (sniffed) from a a victim site. These observations and statistical analyses provide empirical data which draw attention to the protocol analysis documented by Steve Bellovin (building on work pioneered by Robert Morris), culminating in RFC1948.

In RFC1948, Steve noted:

   The initial sequence numbers are intended to be more or less random.
   More precisely, RFC 793 specifies that the 32-bit counter be
   incremented by 1 in the low-order position about every 4
   microseconds.  Instead, Berkeley-derived kernels increment it by a
   constant every second, and by another constant for each new
   connection.  Thus, if you open a connection to a machine, you know to
   a very high degree of confidence what sequence number it will use for
   its next connection.  And therein lies the attack.


Some TCP/IP implementors chose instead to increment the ISNs using constrained random variables instead of constants. Guardent's research demonstrates that the algorithm implemented in some of these TCP/IP stacks is statistically weak and susceptible to attack.

We are currently soliciting feedback from the vendor community to help us understand the scope of this observed statistical weakness. Guardent's work has drawn attention to the fact that not all current TCP/IP stack implementations have implemented RFC1948 or provided an equivalent fix.

II. Impact

If the ISN of an existing connection can be determined within some practical range, a malicious agent may be able to close or hijack the connection. If the ISNs of future connections are targeted, an agent may be able to "complete" a TCP three-way handshake and spoof TCP packets delivered to a victim.

III. Solution

Deploy IPsec;

Implement the suggestions in RFC1948, namely the segmentation of the ISN space on a per-host, per-connection basis using cryptographic hashed secrets.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer, Inc.Unknown12-Sep-2002
Berkeley Software Design, Inc.Unknown12-Sep-2002
Cisco Systems, Inc.Unknown12-Sep-2002
Data GeneralUnknown12-Sep-2002
FreeBSD, Inc.Vulnerable12-Sep-2002
FujitsuVulnerable22-Apr-2001
Hewlett-Packard CompanyVulnerable12-Sep-2002
IBM CorporationNot Vulnerable19-Apr-2001
Microsoft CorporationUnknown12-Sep-2002
NetBSDUnknown12-Sep-2002
NeXTUnknown12-Sep-2002
OpenBSDVulnerable19-Apr-2001
Red Hat, Inc.Unknown12-Sep-2002
SGIVulnerable20-Mar-2002
Sun Microsystems, Inc.Vulnerable12-Sep-2002

References

CA-1995-01
http://www.cert.org/advisories/CA-1995-01.html
ftp://research.att.com/dist/internet_security/117.ps.Z (Morris)
ftp://research.att.com/dist/internet_security/ipext.ps.Z (Bellovin)
ftp://ftp.isi.edu/in-notes/rfc1948.txt
Related URLs:
ftp://ftp.isi.edu/in-notes/rfc793.txt
ftp://ftp.isi.edu/in-notes/rfc1323.txt (obsoletes RFC1185)
ftp://ftp.isi.edu/in-notes/rfc1750.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0328
http://xforce.iss.net/static/139.php
http://www.usenix.com/publications/library/proceedings/security95/full_papers/joncheray.txt
http://www.guardent.com/pr2001-03-12-ips.html


Papers:


TCP session spoofing: "A Weakness in the 4.2BSD UNIX TCP/IP Software",
Morris, R., ComputingScience Technical Report No 117, ATT Bell
Laboratories, Murray Hill,New Jersey, 1985.


TCP session hijacking: "Security Problems in the TCP/IP Protocol
Suite", Bellovin, S., Computer Communications Review, April 1989.


TCP session desyncronization: “Simple Active Attack Against
TCP”, Joncheray, L., Proceedings, 5th USENIX UNIX Security
Symposium, June 1995.

Credit

The CERT/CC thanks the following individuals for their contributions to this advisory


Steve Bellovin, AT&T Labs
Tim Newsham, Guardent, Inc.
??? BindView
Niels Provohs (?)

This document was written by Jeffrey S. Havrilla

Other Information

Date Public:2001-03-12
Date First Published:2001-03-13
Date Last Updated:2007-08-02
CERT Advisory:CA-2001-09
CVE-ID(s):CVE-2001-0328
NVD-ID(s):CVE-2001-0328
US-CERT Technical Alerts: 
Metric:15.19
Document Revision:67

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader