Vulnerability Note VU#498440
Multiple TCP/IP implementations may use statistically predictable initial sequence numbers
Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one commonly-used method of randomizing new connection ISNs is in some modern TCP/IP implementations.
The CERT/CC has received a report from Guardent, Inc. concerning an observed statistical weakness in initial sequence number (ISN) generation for TCP connections. Guardent asserts in copyrighted research forwarded to us that incrementing the ISN by some series of pseudo-random amounts is insufficient to protect some TCP implementations from a practical ISN guessing attack in some real-world situations. Such attacks would not rely on data collected (sniffed) from a a victim site. These observations and statistical analyses provide empirical data which draw attention to the protocol analysis documented by Steve Bellovin (building on work pioneered by Robert Morris), culminating in RFC1948.
In RFC1948, Steve noted:
If the ISN of an existing connection can be determined within some practical range, a malicious agent may be able to close or hijack the connection. If the ISNs of future connections are targeted, an agent may be able to "complete" a TCP three-way handshake and spoof TCP packets delivered to a victim.
Implement the suggestions in RFC1948, namely the segmentation of the ISN space on a per-host, per-connection basis using cryptographic hashed secrets.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Beckwith Electric||Affected||-||20 Oct 2015|
|FreeBSD, Inc.||Affected||08 Mar 2001||12 Sep 2002|
|Fujitsu||Affected||08 Mar 2001||22 Apr 2001|
|Hewlett-Packard Company||Affected||08 Mar 2001||12 Sep 2002|
|OpenBSD||Affected||08 Mar 2001||19 Apr 2001|
|SGI||Affected||-||20 Mar 2002|
|Sun Microsystems, Inc.||Affected||08 Mar 2001||12 Sep 2002|
|Wind River||Affected||-||20 Oct 2015|
|IBM Corporation||Not Affected||08 Mar 2001||19 Apr 2001|
|Apple Computer, Inc.||Unknown||08 Mar 2001||12 Sep 2002|
|Berkeley Software Design, Inc.||Unknown||08 Mar 2001||12 Sep 2002|
|Cisco Systems, Inc.||Unknown||08 Mar 2001||12 Sep 2002|
|Data General||Unknown||08 Mar 2001||12 Sep 2002|
|Microsoft Corporation||Unknown||08 Mar 2001||12 Sep 2002|
|NetBSD||Unknown||08 Mar 2001||12 Sep 2002|
CVSS Metrics (Learn More)
The CERT/CC thanks the following individuals and organizations for their contributions to this advisory:
- Steve Bellovin, AT&T Labs
- CVE IDs: CVE-2001-0328
- CERT Advisory: CA-2001-09
- Date Public: 12 Mar 2001
- Date First Published: 13 Mar 2001
- Date Last Updated: 20 Oct 2015
- Severity Metric: 15.19
- Document Revision: 82
Tim Newsham, Guardent, Inc.
This document was written by Jeffrey S. Havrilla.
If you have feedback, comments, or additional information about this vulnerability, please send us email.