TCP sequence prediction
tcp-seq-predict (139)
Description:
The TCP initial sequence number (ISN) was found to be predictable. When the ISN of a new connection can be predicted from ISNs observed on earlier connections, an attacker can complete a three-way handshake blind, sending packets forged to appear to come from a trusted host without ever seeing the victim's replies. Such forged connections can compromise services, such as rsh and rlogin, whose authentication is based only on the source IP address. Attackers can also inject data into or hijack established sessions to gain access to unauthorized information.
Some Microsoft patches for this security issue did not completely resolve the sequence predictability. The following information explains the varying levels of TCP sequence predictability in Windows operating systems:
- Windows NT 4.0 pre-SP3 systems are highly predictable.
- Windows NT 4.0 SP4 through SP6 use a different algorithm to reduce sequence predictability, but the systems remain predictable.
- Microsoft released patch MS99-046, which uses the same algorithm as Windows 2000, to fully fix the problem.
- Windows 2000 ISNs are not predictable.
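The practical test behind this check is to open several connections to the host, record the ISN each SYN-ACK carries, and look at the differences between successive ISNs: a constant difference (as in the PacketShaper report, CVE-2007-2782) means the next ISN is known exactly; a bounded random increment (the CA-2001-09 / CVE-2001-0328 case, and why patched hosts may "continue to report this vulnerability") means an attacker can still cover the next ISN by flooding a range of guesses, one per receive window; only a keyed per-connection hash (the RFC 1948 approach) leaves the observer with nothing. The following is an added example, not code from X-Force or from any vendor named above: the three generators are constructed simulations of those ISN schemes, the receive window of 65535 bytes is an assumption, and the analysis estimates how many spoofed segments a blind attacker would need.

```python
"""ISN predictability check over sampled initial sequence numbers.

Added example; the three generators below simulate ISN schemes, they are
not any vendor's actual implementation.
"""
import hashlib
import os
import random

MOD = 1 << 32
WINDOW = 65535  # assumed victim receive window: one guessed segment covers this many ISNs


def fixed_increment_isn(count, step=64000, seed=12345):
    """Counter that advances by a constant per connection (fixed-increment scheme)."""
    isn, out = seed, []
    for _ in range(count):
        isn = (isn + step) % MOD
        out.append(isn)
    return out


def random_increment_isn(count, max_step=1 << 20, rng=None):
    """Counter that advances by a random amount in [1, max_step) per connection
    (random-increment scheme; the range of the increment bounds the next ISN)."""
    rng = rng or random.Random(1)  # fixed seed so the sample is reproducible
    isn, out = rng.randrange(MOD), []
    for _ in range(count):
        isn = (isn + rng.randrange(1, max_step)) % MOD
        out.append(isn)
    return out


def rfc1948_isn(count, secret=None):
    """Clock-driven counter plus a keyed hash of the connection 4-tuple, in the
    style of RFC 1948 (which specifies MD5). An observer of other connections,
    i.e. other 4-tuples, learns nothing about the offset used for the victim's."""
    secret = secret or os.urandom(16)
    out = []
    for i in range(count):
        # constructed 4-tuple: each probe comes from a different client port
        four_tuple = f"10.0.0.1,{40000 + i},10.0.0.2,513".encode()
        offset = int.from_bytes(hashlib.md5(four_tuple + secret).digest()[:4], "big")
        clock = (i * 250000) % MOD  # assumed 4 us tick, 250000 per second of wall clock
        out.append((clock + offset) % MOD)
    return out


def analyse(isns):
    """Predict the next ISN from the observed deltas.

    The next ISN is assumed to lie in last + [min delta, max delta]; the
    number of guesses is that span divided by the receive window."""
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    lo, hi = min(deltas), max(deltas)
    spread = hi - lo
    return {
        "low": (isns[-1] + lo) % MOD,
        "high": (isns[-1] + hi) % MOD,
        "spread": spread,
        "guesses": -(-(spread + 1) // WINDOW),  # ceiling division
    }


def in_range(value, low, high):
    """True if value lies in the circular interval [low, high] modulo 2^32."""
    return (value - low) % MOD <= (high - low) % MOD


def verdict(result):
    if result["spread"] == 0:
        return "fixed increment: next ISN known exactly"
    if result["guesses"] <= 1000:
        return f"random increment: {result['guesses']} spoofed segments cover the next ISN"
    return f"unpredictable: {result['guesses']} segments per attempt is impractical"


if __name__ == "__main__":
    samples = {
        "fixed increment": fixed_increment_isn(60),
        "random increment": random_increment_isn(60),
        "RFC 1948 style": rfc1948_isn(60),
    }
    for name, isns in samples.items():
        print(f"{name:18s} {verdict(analyse(isns))}")
```

The "guesses" figure is the check a practitioner wants: a host whose patch merely widened the random increment still scores in the low hundreds, which is well within what a blind attacker can flood, so the host is correctly still reported even though it is harder to attack than a fixed-increment one.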
Platforms Affected:
- Apple, Mac OS
- Cisco, IOS
- Compaq, Tru64
- Data General, DG/UX
- HP, HP-UX
- IBM, AIX
- IBM, OS2
- Linux, Kernel
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
- Microsoft, Windows 95
- Microsoft, Windows 98
- Microsoft, Windows 98SE
- Microsoft, Windows Me
- Microsoft, Windows NT 4.0
- Microsoft, Windows Vista
- Microsoft, Windows XP
- Novell, NetWare
- Packeteer, Packeteer PacketShaper 7.3.0g2
- Packeteer, Packeteer PacketShaper 7.5.0g1
- SCO, SCO Unix
- SGI, IRIX
- Sun, Solaris
- WindRiver, BSDOS
Remedy:
Ask your vendor for patches to correct TCP sequence prediction. Note that some patches make sequence prediction more difficult, but still possible. As a result, the host may continue to report this vulnerability.
For Windows NT 4.0:
Apply the latest Windows NT 4.0 Service Pack (SP6a or later), available from the Windows NT Service Packs Web page. Note that Windows NT systems may continue to report this vulnerability. Apply the Security Roll-up Package for your system as listed in Microsoft Security Bulletin MS02-018.
Note: Microsoft originally provided a patch for this vulnerability in MS99-046, but it was superseded by the patch provided with MS02-001, which has been superseded by the patch released with MS02-018.
For IIS:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded in turn by the patches released with MS01-044, MS02-018 and MS02-062, and most recently by the patch released with MS03-018. See References.
For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS01-033, but it has been superseded by the patch released with MS02-001. See References.
For HP-UX:
Apply the appropriate patch for your system, as listed in CERT advisory CA-2001-09. See References.
For FreeBSD 3.x:
Upgrade to the latest version of FreeBSD (3.5.1-STABLE dated after 2000-09-28 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:52. See References.
For FreeBSD 4.x:
Upgrade to the latest version of FreeBSD (4.1.1-STABLE dated after 2000-09-28 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:52. See References.
For FreeBSD 5.x:
Upgrade to the latest version of FreeBSD (5.0-CURRENT dated 2000-09-28 or later), as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-00:52. See References.
For Cisco IOS 11.x and 12.x:
Apply the latest patch for this vulnerability, as listed in Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number Randomization Improvements. See References.
For Cisco CBOS 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7 and 2.3.8:
Upgrade to the latest version of CBOS (2.42 or later), as listed in Cisco Systems Field Notice, May 22, 2001. See References.
For NetScreen devices:
Upgrade to the latest version of ScreenOS (4.0.1 or later), as listed in NetScreen Security Alert 51897. See References.
For SGI IRIX:
Apply the appropriate patch for your system, as listed in SGI Security Advisory 20030201-01-P. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Bypass Security
References:
- BugTraq Mailing List, Fri May 18 2007 - 08:36:10 CDT, Predictable TCP ISN in Packeteer PacketShaper at http://archives.neohapsis.com/archives/bugtraq/2007-05/0289.html.
- BugTraq Mailing List, Thu May 30 2002 - 03:45:09 CDT, 2 security problem Quantum SNAP server at http://archives.neohapsis.com/archives/bugtraq/2002-05/0268.html.
- BugTraq Mailing List, Wed Jul 25 2001 - 18:17:28 CDT, Weak TCP Sequence Numbers in Sonicwall SOHO Firewall at http://archives.neohapsis.com/archives/bugtraq/2001-07/0604.html.
- CERT Advisory CA-1995-01, IP Spoofing Attacks and Hijacked Terminal Connections at http://www.cert.org/advisories/CA-1995-01.html.
- CERT Advisory CA-2001-09, Statistical Weaknesses in TCP/IP Initial Sequence Numbers at http://www.cert.org/advisories/CA-2001-09.html.
- CIAC Information Bulletin K-006, Microsoft - Improve TCP Initial Sequence Number Randomness at http://www.ciac.org/ciac/bulletins/k-006.shtml.
- CIAC Information Bulletin L-003, FreeBSD TCP Sequence Number Vulnerability at http://www.ciac.org/ciac/bulletins/l-003.shtml.
- CIAC Information Bulletin L-053, Cisco IOS Software TCP Initial Sequence Number Improvements at http://www.ciac.org/ciac/bulletins/l-053.shtml.
- CIAC Information Bulletin L-086, Cisco Multiple Vulnerabilities in CBOS at http://www.ciac.org/ciac/bulletins/l-086.shtml.
- Cisco Systems Field Notice, February 28, 2001, Cisco IOS Software TCP Initial Sequence Number Randomization Improvements at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.
- Cisco Systems Field Notice, May 22, 2001, Security Advisory: More Multiple Vulnerabilities in CBOS at http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html.
- FreeBSD Security Advisory FreeBSD-SA-00:52, TCP uses weak initial sequence numbers at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc.
- Hacker Emergency Response Team Security Advisory #00003, FreeBSD IP Spoofing at http://online.securityfocus.com/advisories/2703. (From SecurityFocus archive.)
- Microsoft Knowledge Base Article 192292, Unpredictable TCP Sequence Numbers in SP4 at http://support.microsoft.com/default.aspx?scid=kb;[LN];192292.
- Microsoft Knowledge Base Article 243835, How to Prevent Predictable TCP/IP Initial Sequence Numbers at http://support.microsoft.com/default.aspx?scid=kb;[LN];243835.
- Microsoft Product Support Services, Windows NT Service Packs at http://www.microsoft.com/ntserver/downloads.
- Microsoft Security Bulletin MS01-033, Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise at http://www.microsoft.com/technet/security/bulletin/ms01-033.mspx.
- Microsoft Security Bulletin MS01-041, Malformed RPC Request Can Cause Service Failure at http://www.microsoft.com/technet/security/bulletin/ms01-041.mspx.
- Microsoft Security Bulletin MS01-044, 15 August 2001 Cumulative Patch for IIS at http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx.
- Microsoft Security Bulletin MS02-001, Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data at http://www.microsoft.com/technet/security/bulletin/ms02-001.mspx.
- Microsoft Security Bulletin MS02-018, Cumulative Patch for Internet Information Services (Q319733) at http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx.
- Microsoft Security Bulletin MS02-062, Cumulative Patch for Internet Information Service (Q327696) at http://www.microsoft.com/technet/security/Bulletin/MS02-062.mspx.
- Microsoft Security Bulletin MS03-018, Cumulative Patch for Internet Information Service (811114) at http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx.
- Microsoft Security Bulletin MS99-046, Patch Available to Improve TCP Initial Sequence Number Randomness at http://www.microsoft.com/technet/security/bulletin/ms99-046.mspx.
- Microsoft Security Bulletin MS99-046 FAQ, Microsoft Security Bulletin MS99-046: Frequently Asked Questions at http://www.microsoft.com/technet/security/bulletin/fq99-046.mspx.
- NetScreen Security Alert 51897, Predictable TCP Initial Sequence Numbers at http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html.
- Packeteer Web site, PacketShaper at http://www.packeteer.com/products/packetshaper/.
- Proceedings of the Fifth USENIX UNIX Security Symposium, June 1995, Simple Active Attack Against TCP at http://www.usenix.com/publications/library/proceedings/security95/full_papers/joncheray.txt.
- SGI Security Advisory 20020303-01-A, IRIX TCP/IP Initial Sequence Numbers at ftp://patches.sgi.com/support/free/security/advisories/20020303-01-A.
- SGI Security Advisory 20020903-01-P, IP denial-of-service fixes and tunings at ftp://patches.sgi.com/support/free/security/advisories/20021103-02-P.
- ASA-2007-416: HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) (HPSBUX02262)
- BID-107: Portmaster Predictable TCP Initial Sequence Number Vulnerability
- BID-1766: BSD Weak initial Sequence Number Vulnerability
- BID-24048: Packeteer PacketShaper ISN TCP Packet Spoofing Vulnerability
- BID-2682: Multiple Vendor TCP Initial Sequence Number Statistical Vulnerability
- BID-3098: SonicWALL SOHO Firewall Predictable TCP Initial Sequence Number Vulnerability
- BID-4892: Quantum Snap Server Predictable TCP Sequence Number Vulnerability
- BID-604: NT Predictable TCP Sequence Number Vulnerability
- BID-6249: NetScreen ScreenOS Predictable Initial TCP Sequence Number Vulnerability
- BID-670: Linux Predictable TCP Initial Sequence Number Vulnerability
- CVE-1999-0077: Predictable TCP sequence numbers allow spoofing.
- CVE-2000-0328: Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking.
- CVE-2000-0916: FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections.
- CVE-2001-0288: Cisco switches and routers running IOS 12.1 and earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.
- CVE-2001-0328: TCP implementations that use random increments for initial sequence numbers (ISN) can allow remote attackers to perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN.
- CVE-2001-0751: Cisco switches and routers running CBOS 2.3.8 and earlier use predictable TCP Initial Sequence Numbers (ISN), which allows remote attackers to spoof or hijack TCP connections.
- CVE-2001-1104: SonicWALL SOHO uses easily predictable TCP sequence numbers, which allows remote attackers to spoof or hijack sessions.
- CVE-2007-2782: Packeteer PacketShaper uses fixed increments in TCP initial sequence number (ISN) values, which allows remote attackers to predict the ISN value, and perform session hijacking or disruption.
- SA25344: Packeteer PacketShaper TCP ISN Generation Weakness
- SA8044: SGI IRIX Multiple Vulnerabilities
- US-CERT VU#498440: Multiple TCP/IP implementations may use statistically predictable initial sequence numbers
- VUPEN/ADV-2007-1891: Packeteer PacketShaper TCP ISN Generation Connection Spoofing Security Issue
Reported:
Jan 01, 1995
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
