TCP sequence prediction
| tcp-seq-predict (139) |
Description:
The host's TCP initial sequence numbers (ISNs) were found to be predictable. When the TCP sequence is predictable, an attacker can send packets that are forged to appear to come from a trusted computer. These forged packets can compromise services such as rsh and rlogin, because their authentication is based on IP addresses. Attackers can also perform session hijacking to gain access to unauthorized information.
Some Microsoft patches for this security issue did not completely resolve the sequence predictability. The following information explains the varying levels of TCP sequence predictability in Windows operating systems:
- Windows NT 4.0 pre-SP3 systems are highly predictable.
- Windows NT 4.0 SP4 through SP6 use a different algorithm to reduce sequence predictability, but the systems remain predictable.
- Microsoft released patch MS99-046, which uses the same algorithm as Windows 2000, to fully fix the problem.
- Windows 2000 sequence numbers are not predictable.
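The three generator behaviours this entry describes (fixed increments, random increments within a narrow range, and values drawn from the full 32-bit space) can be told apart from a handful of ISNs observed in order, for example from a packet capture of connections to your own server. The following audit helper is an added example, not part of the X-Force record; all ISN samples in it are constructed, and the 2**20 "narrow window" threshold is an assumption you would tune for your own environment.

```python
"""Classify a sample of TCP initial sequence numbers (ISNs) by how
predictable their generator looks.  Added example for this entry; it is
not part of the X-Force database record.  Every ISN sample below is
constructed, not captured from any real host."""

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Wrap-around-safe differences between consecutive ISN samples."""
    return [(later - earlier) % MOD for earlier, later in zip(isns, isns[1:])]


def classify_isns(isns, increment_window=1 << 20):
    """Return (verdict, delta_spread) for ISNs observed in connection order.

    verdict is one of:
      "constant-increment"  every delta identical (e.g. +64000 per
                            connection): the next ISN is simply known
      "random-increment"    deltas vary but stay inside a narrow window,
                            so the next ISN lies in a small guessable range
                            (the weakness described in CVE-2001-0328)
      "random"              deltas spread across most of the 32-bit space
    increment_window is an assumed threshold separating a narrow delta
    spread from a wide one.  Increments that straddle zero would wrap to
    large deltas here and be reported as "random"; treat that verdict as
    "not obviously weak", not as proof of a good generator.
    """
    if len(isns) < 4:
        raise ValueError("need at least 4 ISN samples for a meaningful verdict")
    deltas = isn_deltas(isns)
    spread = max(deltas) - min(deltas)
    if spread == 0:
        return "constant-increment", spread
    if spread < increment_window:
        return "random-increment", spread
    return "random", spread


# Constructed samples (not captured from any real host).
# 1. Fixed +64000 per connection, the classic BSD-style behaviour.
FIXED_STEP_ISNS = [1_000 + 64_000 * i for i in range(6)]
# 2. Random positive increments of at most 65535 between connections.
RANDOM_STEP_ISNS = [1_000, 13_482, 50_010, 97_731, 102_004, 160_555]
# 3. Values scattered over the whole 32-bit space, including a wrap.
FULL_RANGE_ISNS = [0x1A2B3C4D, 0x9F8E7D6C, 0x00123456, 0xFFFFFFF0, 0x7ABCDEF0]

SAMPLES = {
    "fixed-step": FIXED_STEP_ISNS,
    "random-step": RANDOM_STEP_ISNS,
    "full-range": FULL_RANGE_ISNS,
}


def audit(samples):
    """Run the classifier over named samples; returns {name: verdict}."""
    return {name: classify_isns(isns)[0] for name, isns in samples.items()}


if __name__ == "__main__":
    for name, isns in SAMPLES.items():
        verdict, spread = classify_isns(isns)
        print(f"{name:12s} verdict={verdict:18s} delta spread={spread}")
```

Feed `classify_isns` the ISNs from successive SYN-ACKs sent by the host under review; a "constant-increment" or "random-increment" verdict is the condition this entry reports, and the delta spread tells you how narrow the guessable range is.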
*CVSS:
| Base Score: | 3.5 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Partial |
| Integrity Impact: | None |
| Availability Impact: | None |
| Temporal Score: | 2.6 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Bypass Security
Remedy:
Ask your vendor for patches to correct TCP sequence prediction. Note that some patches make sequence prediction more difficult, but still possible. As a result, the host may continue to report this vulnerability.
For Windows NT 4.0:
Apply the latest Windows NT 4.0 Service Pack (SP6a or later), available from the Windows NT Service Packs Web page. Note that Windows NT systems may continue to report this vulnerability. Apply the Security Roll-up Package for your system as listed in Microsoft Security Bulletin MS02-018.
Note: Microsoft originally provided a patch for this vulnerability in MS99-046, but it was superseded by the patch provided with MS02-001, which has been superseded by the patch released with MS02-018.
For IIS:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been successively superseded by the patches released with MS01-044, MS02-018, and MS02-062, and finally by the patch released with MS03-018. See References.
For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS02-001. See References.
For HP-UX:
Apply the appropriate patch for your system, as listed in CERT advisory CA-2001-09. See References.
For FreeBSD 3.x:
Upgrade to the latest version of FreeBSD (3.5.1-STABLE dated after 2000-09-28), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:52. See References.
For FreeBSD 4.x:
Upgrade to the latest version of FreeBSD (4.1.1-STABLE dated after 2000-09-28), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:52. See References.
For FreeBSD 5.x:
Upgrade to the latest version of FreeBSD (5.0-CURRENT dated 2000-09-28 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:52. See References.
For Cisco IOS 11.x and 12.x:
Apply the latest patch for this vulnerability, as listed in Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number Randomization Improvements. See References.
For Cisco CBOS 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8:
Upgrade to the latest version of CBOS (2.42 or later), as listed in Cisco Systems Field Notice, May 22, 2001. See References.
For NetScreen devices:
Upgrade to the latest version of ScreenOS (4.0.1 or later), as listed in NetScreen Security Alert 51897. See References.
For SGI IRIX:
Apply the appropriate patch for your system, as listed in SGI Security Advisory 20030201-01-P. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Fri May 18 2007 - 08:36:10 CDT: Predictable TCP ISN in Packeteer PacketShaper.
- BugTraq Mailing List, Thu May 30 2002 - 03:45:09 CDT: 2 security problem Quantum SNAP server.
- BugTraq Mailing List, Wed Jul 25 2001 - 18:17:28 CDT: Weak TCP Sequence Numbers in Sonicwall SOHO Firewall.
- CERT Advisory CA-1995-01: IP Spoofing Attacks and Hijacked Terminal Connections.
- CERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence Numbers.
- CIAC Information Bulletin K-006: Microsoft - Improve TCP Initial Sequence Number Randomness.
- CIAC Information Bulletin L-003: FreeBSD TCP Sequence Number Vulnerability.
- CIAC Information Bulletin L-053: Cisco IOS Software TCP Initial Sequence Number Improvements.
- CIAC Information Bulletin L-086: Cisco Multiple Vulnerabilities in CBOS.
- Cisco Systems Field Notice, February 28, 2001: Cisco IOS Software TCP Initial Sequence Number Randomization Improvements.
- Cisco Systems Field Notice, May 22, 2001: Security Advisory: More Multiple Vulnerabilities in CBOS.
- FreeBSD Security Advisory FreeBSD-SA-00:52: TCP uses weak initial sequence numbers.
- Hacker Emergency Response Team Security Advisory #00003: FreeBSD IP Spoofing. (From SecurityFocus archive.)
- Microsoft Knowledge Base Article 192292: Unpredictable TCP Sequence Numbers in SP4.
- Microsoft Knowledge Base Article 243835: How to Prevent Predictable TCP/IP Initial Sequence Numbers.
- Microsoft Product Support Services: Windows NT Service Packs.
- Microsoft Security Bulletin MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise.
- Microsoft Security Bulletin MS01-041: Malformed RPC Request Can Cause Service Failure.
- Microsoft Security Bulletin MS01-044: 15 August 2001 Cumulative Patch for IIS.
- Microsoft Security Bulletin MS02-001: Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data.
- Microsoft Security Bulletin MS02-018: Cumulative Patch for Internet Information Services (Q319733).
- Microsoft Security Bulletin MS02-062: Cumulative Patch for Internet Information Service (Q327696).
- Microsoft Security Bulletin MS03-018: Cumulative Patch for Internet Information Service (811114).
- Microsoft Security Bulletin MS99-046: Patch Available to Improve TCP Initial Sequence Number Randomness.
- Microsoft Security Bulletin MS99-046 FAQ: Microsoft Security Bulletin MS99-046: Frequently Asked Questions.
- NetScreen Security Alert 51897: Predictable TCP Initial Sequence Numbers.
- Packeteer Web site: PacketShaper.
- Proceedings of the Fifth USENIX UNIX Security Symposium, June 1995: Simple Active Attack Against TCP.
- SGI Security Advisory 20020303-01-A: IRIX TCP/IP Initial Sequence Numbers.
- SGI Security Advisory 20020903-01-P: IP denial-of-service fixes and tunings.
- ASA-2007-416: HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) (HPSBUX02262)
- BID-107: Portmaster Predictable TCP Initial Sequence Number Vulnerability
- BID-1766: BSD Weak initial Sequence Number Vulnerability
- BID-24048: Packeteer PacketShaper ISN TCP Packet Spoofing Vulnerability
- BID-2682: Multiple Vendor TCP Initial Sequence Number Statistical Vulnerability
- BID-3098: SonicWALL SOHO Firewall Predictable TCP Initial Sequence Number Vulnerability
- BID-4892: Quantum Snap Server Predictable TCP Sequence Number Vulnerability
- BID-604: NT Predictable TCP Sequence Number Vulnerability
- BID-6249: NetScreen ScreenOS Predictable Initial TCP Sequence Number Vulnerability
- BID-670: Linux Predictable TCP Initial Sequence Number Vulnerability
- CVE-1999-0077: Predictable TCP sequence numbers allow spoofing.
- CVE-2000-0328: Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking.
- CVE-2000-0916: FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections.
- CVE-2001-0288: Cisco switches and routers running IOS 12.1 and earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.
- CVE-2001-0328: TCP implementations that use random increments for initial sequence numbers (ISN) can allow remote attackers to perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN.
- CVE-2001-0751: Cisco switches and routers running CBOS 2.3.8 and earlier use predictable TCP Initial Sequence Numbers (ISN), which allows remote attackers to spoof or hijack TCP connections.
- CVE-2001-1104: SonicWALL SOHO uses easily predictable TCP sequence numbers, which allows remote attackers to spoof or hijack sessions.
- CVE-2007-2782: Packeteer PacketShaper uses fixed increments in TCP initial sequence number (ISN) values, which allows remote attackers to predict the ISN value, and perform session hijacking or disruption.
- SA25344: Packeteer PacketShaper TCP ISN Generation Weakness
- SA8044: SGI IRIX Multiple Vulnerabilities
- US-CERT VU#498440: Multiple TCP/IP implementations may use statistically predictable initial sequence numbers
- VUPEN/ADV-2007-1891: Packeteer PacketShaper TCP ISN Generation Connection Spoofing Security Issue
Platforms Affected:
- Apple Mac OS
- Cisco IOS
- Compaq Tru64
- Data General DG/UX
- HP HP-UX
- IBM AIX
- IBM OS2
- Linux Kernel
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows Me
- Microsoft Windows NT 4.0
- Microsoft Windows Vista
- Microsoft Windows XP
- Novell NetWare
- Packeteer Packeteer PacketShaper 7.3.0g2
- Packeteer Packeteer PacketShaper 7.5.0g1
- SCO SCO Unix
- SGI IRIX
- Sun Solaris
- WindRiver BSDOS
Reported:
Jan 01, 1995
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
