Vulnerability Note VU#498440
Multiple TCP/IP implementations may use statistically predictable initial sequence numbers
Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one commonly-used method of randomizing new connection ISNs is in some modern TCP/IP implementations.
The CERT/CC has received a report from Guardent, Inc. concerning an observed statistical weakness in initial sequence number (ISN) generation for TCP connections. Guardent asserts in copyrighted research forwarded to us that incrementing the ISN by some series of pseudo-random amounts is insufficient to protect some TCP implementations from a practical ISN guessing attack in some real-world situations. Such attacks would not rely on data collected (sniffed) from a a victim site. These observations and statistical analyses provide empirical data which draw attention to the protocol analysis documented by Steve Bellovin (building on work pioneered by Robert Morris), culminating in RFC1948.
In RFC1948, Steve noted:
If the ISN of an existing connection can be determined within some practical range, a malicious agent may be able to close or hijack the connection. If the ISNs of future connections are targeted, an agent may be able to "complete" a TCP three-way handshake and spoof TCP packets delivered to a victim.
Implement the suggestions in RFC1948, namely the segmentation of the ISN space on a per-host, per-connection basis using cryptographic hashed secrets.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|FreeBSD, Inc.||Affected||08 Mar 2001||12 Sep 2002|
|Fujitsu||Affected||08 Mar 2001||22 Apr 2001|
|Hewlett-Packard Company||Affected||08 Mar 2001||12 Sep 2002|
|OpenBSD||Affected||08 Mar 2001||19 Apr 2001|
|SGI||Affected||-||20 Mar 2002|
|Sun Microsystems, Inc.||Affected||08 Mar 2001||12 Sep 2002|
|IBM Corporation||Not Affected||08 Mar 2001||19 Apr 2001|
|Apple Computer, Inc.||Unknown||08 Mar 2001||12 Sep 2002|
|Berkeley Software Design, Inc.||Unknown||08 Mar 2001||12 Sep 2002|
|Cisco Systems, Inc.||Unknown||08 Mar 2001||12 Sep 2002|
|Data General||Unknown||08 Mar 2001||12 Sep 2002|
|Microsoft Corporation||Unknown||08 Mar 2001||12 Sep 2002|
|NetBSD||Unknown||08 Mar 2001||12 Sep 2002|
|NeXT||Unknown||08 Mar 2001||12 Sep 2002|
|Red Hat, Inc.||Unknown||08 Mar 2001||12 Sep 2002|
CVSS Metrics (Learn More)
- ftp://research.att.com/dist/internet_security/117.ps.Z (Morris)
- ftp://research.att.com/dist/internet_security/ipext.ps.Z (Bellovin)
- Related URLs:
- ftp://ftp.isi.edu/in-notes/rfc1323.txt (obsoletes RFC1185)
- TCP session spoofing: "A Weakness in the 4.2BSD UNIX TCP/IP Software",
- Morris, R., ComputingScience Technical Report No 117, ATT Bell
- Laboratories, Murray Hill,New Jersey, 1985.
- TCP session hijacking: "Security Problems in the TCP/IP Protocol
- Suite", Bellovin, S., Computer Communications Review, April 1989.
- TCP session desyncronization: “Simple Active Attack Against
- TCP”, Joncheray, L., Proceedings, 5th USENIX UNIX Security
- Symposium, June 1995.
The CERT/CC thanks the following individuals for their contributions to this advisory
This document was written by Jeffrey S. Havrilla
- CVE IDs: CVE-2001-0328
- CERT Advisory: CA-2001-09
- Date Public: 12 Mar 2001
- Date First Published: 13 Mar 2001
- Date Last Updated: 02 Aug 2007
- Severity Metric: 15.19
- Document Revision: 67
If you have feedback, comments, or additional information about this vulnerability, please send us email.