
Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number Randomization Improvements


  • Subject: Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number Randomization Improvements
  • From: Cisco Systems Product Security Incident Response Team <psirt@CISCO.COM>
  • Date: Wed, 28 Feb 2001 18:30:00 -0800
  • Approved-By: beng@SECURITYFOCUS.COM
  • Delivered-To: bugtraq@lists.securityfocus.com
  • Delivered-To: bugtraq@securityfocus.com
  • Reply-To: Cisco Systems Product Security Incident Response Team <psirt@CISCO.COM>
  • Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number
Randomization Improvements

Revision 1.0: INTERIM

For Public Release 2001 February 28 18:00 US/Pacific (UTC+0800)

  ------------------------------------------------------------------------

Summary

Cisco IOS software contains a flaw that permits the successful prediction
of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS
software running on Cisco routers and switches. It only affects the
security of TCP connections that originate or terminate on the affected
Cisco device itself; it does not apply to TCP traffic forwarded through the
affected device in transit between two other hosts.

To remove the vulnerability, Cisco is offering free software upgrades for
all affected platforms. The defect is described in DDTS record CSCds04747.

Workarounds are available that limit or deny successful exploitation of the
vulnerability by filtering traffic containing forged IP source addresses at
the perimeter of a network or directly on individual devices.

This notice will be posted
at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

Affected Products

The vulnerability is present in all Cisco routers and switches running
affected releases of Cisco IOS Software.

To determine the software running on a Cisco product, log in to the device
and issue the command "show version" to display the system banner. Cisco
IOS software will identify itself as "Internetwork Operating System
Software" or simply "IOS (tm)". On the next line of output, the image name
will be displayed between parentheses, followed by "Version" and the IOS
release name. Other Cisco devices will not have the "show version" command
or will give different output.

The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:

     Cisco Internetwork Operating System Software IOS (tm)
     2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

Cisco devices that may be running an affected IOS software release include,
but are not limited to:

   * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,
     4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
   * ubr900 and ubr920 universal broadband routers.
   * Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC
     series switches.
   * 5200, 5300, 5800 series access servers.
   * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor
     Module, Catalyst ATM Blade.
   * RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR
     series Cisco routers.
   * DistributedDirector.
   * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

Cisco products that do not run Cisco IOS software and are not affected by
the vulnerability described in this notice include, but are not limited
to:

   * Cisco PIX firewall.
   * Cisco 600 family of routers running CBOS.
   * Host-based network management or access management products.
   * Cisco IP Telephony and telephony management software (except those
     that are hosted on a vulnerable IOS platform).
   * Voice gateways and convergence products (except those that are hosted
     on a vulnerable IOS platform).

Details

To provide reliable delivery in the Internet, the Transmission Control
Protocol (TCP) makes use of a sequence number in each packet to provide
orderly reassembly of data after arrival, and to notify the sending host of
the successful arrival of the data in each packet.

TCP sequence numbers are 32-bit integers in the circular range of 0 to
4,294,967,295. The host devices at both ends of a TCP connection exchange
an Initial Sequence Number (ISN) selected at random from that range as part
of the setup of a new TCP connection. After the session is established and
data transfer begins, the sequence number is regularly augmented by the
number of octets transferred, and transmitted to the other host. To prevent
the receipt and reassembly of duplicate or late packets in a TCP stream,
each host maintains a "window", a range of values close to the expected
sequence number, in which the sequence number in an arriving packet must
fall if it is to be accepted. Assuming a packet arrives with the correct
source and destination IP addresses, source and destination port numbers,
and a sequence number within the allowable window, the receiving host will
accept the packet as genuine.

This method provides reasonably good protection against accidental receipt
of unintended data. However, to guard against malicious use, it should not
be possible for an attacker to infer a particular number in the sequence.
If the initial sequence number is not chosen randomly or if it is
incremented in a non-random manner between the initialization of subsequent
TCP sessions, then it is possible, with varying degrees of success, to
forge one half of a TCP connection with another host in order to gain
access to that host, or hijack an existing connection between two hosts in
order to compromise the contents of the TCP connection. To guard against
such compromises, ISNs should be generated as randomly as possible.
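The sequence-space arithmetic and the predictability concern described above, as an added illustration (this code is not part of the advisory and is not Cisco's implementation). It models the circular 32-bit sequence range, the receiver's acceptance window, and a simple audit check over ISN samples collected from one host: if the increments between consecutive connections' ISNs fall in a band narrower than one window, the next ISN is guessable from the previous one. The ISN samples are constructed, the 65535-octet window is an assumed receive-window size, and the verdict thresholds are my own simplification, not a Cisco criterion.

```python
SEQ_MOD = 1 << 32  # TCP sequence numbers live in the circular range 0 .. 2^32-1


def seq_distance(a, b):
    """Signed distance from sequence number a to b, honouring 32-bit wraparound."""
    d = (b - a) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def in_window(seq, expected, window):
    """A receiver accepts a segment whose sequence number lies in
    [expected, expected + window) modulo 2^32; this is the 'window' the
    advisory describes, simplified to a half-open range."""
    return (seq - expected) % SEQ_MOD < window


def isn_deltas(isns):
    """Increments between the ISNs chosen for consecutive connections."""
    return [seq_distance(a, b) for a, b in zip(isns, isns[1:])]


def isn_spread(isns):
    """Width of the band the increments fall in. A narrow band means the next
    ISN can be predicted to within that band from the previous one."""
    deltas = isn_deltas(isns)
    return max(deltas) - min(deltas)


def classify_isns(isns, window=65535):
    """Rough audit verdict for a sample of ISNs observed from one host.
    Thresholds are an assumption of this example, not a Cisco criterion."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    spread = isn_spread(isns)
    if spread == 0:
        return "constant-increment"   # every ISN is last ISN + fixed step
    if spread < window:
        return "predictable"          # one window covers the whole band
    return "unpredictable"            # increments vary across the full range


# Constructed samples (not captured from any real device).
CONSTANT_STEP = [0x1000 + 64000 * i for i in range(6)]        # fixed increment
NEAR_CONSTANT = [1000, 65000, 129010, 193005]                  # jitter of a few octets
RANDOM_LOOKING = [0x12345678, 0x9ABCDEF0, 0x0F0F0F0F, 0xDEADBEEF]

if __name__ == "__main__":
    for name, sample in [("constant", CONSTANT_STEP),
                         ("near-constant", NEAR_CONSTANT),
                         ("random-looking", RANDOM_LOOKING)]:
        print(f"{name:15s} spread={isn_spread(sample):>11d} verdict={classify_isns(sample)}")
    # Wraparound: expected 0xFFFFFFF0, a segment at sequence 5 is 21 octets ahead.
    print("in_window(5, 0xFFFFFFF0, 65535) =", in_window(5, 0xFFFFFFF0, 65535))
```

The check is the same kind of test a port scanner's "sequence predictability" probe performs, here written as an offline audit over samples you have already collected from your own device; a "constant-increment" or "predictable" verdict is the condition the advisory's improved ISN generation is meant to remove.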

This defect, documented as DDTS CSCds04747, has been corrected by providing
an improved method for generating TCP Initial Sequence Numbers.

Impact

Forged packets can be injected into a network from a location outside its
boundary so that they are trusted as authentic by the receiving host, thus
resulting in a failure of integrity. Such packets could be crafted to gain
access or make some other modification to the receiving system in order to
attain some goal, such as gaining unauthorized interactive access to a
system or compromising stored data.

From a position within the network where it is possible to receive the
return traffic (but not necessarily in a position that is directly in the
traffic path), a greater range of violations is possible. For example, the
contents of a message could be diverted, modified, and then returned to the
traffic flow again, causing a failure of integrity and a possible failure
of confidentiality.

NOTE: Any compromise using this vulnerability is only possible for TCP
sessions that originate or terminate on the affected Cisco device itself.
It does not apply to TCP traffic that is merely forwarded through the
device.

Software Versions and Fixes

The following table summarizes the IOS software releases that are known to
be affected, and the earliest estimated dates of availability for the
recommended fixed versions. Dates are always tentative and subject to
change.

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest possible releases that contain the fix and the
anticipated date of availability for each are listed in the "Rebuild",
"Interim", and "Maintenance" columns. A device running any release in the
given train that is earlier than the release in a specific column (less
than the earliest fixed release) is known to be vulnerable, and it should
be upgraded at least to the indicated release or to a later version
(greater than the earliest fixed release label).
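The two procedures above, identifying the running release from "show version" and deciding whether it is earlier than the fixed release for its train, as an added example that is not part of the advisory. The banner text is constructed, modelled on the C2500-IS-L example earlier in this notice; the fixed release labels passed in are placeholders (the advisory's actual fixed releases are in the table, not in this code); and the label parser assumes the usual IOS form major.minor(maintenance)train[rebuild], of which "12.0(3)" is one instance.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed "show version" banner modelled on the advisory's example.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
"""

# Image name in parentheses, then "Version" and the release label.
BANNER_RE = re.compile(
    r"\(([^()]+)\),\s*Version\s+(\d+\.\d+\(\d+\)[A-Za-z]*\d*)")
# major.minor(maintenance)train-letters[rebuild], e.g. 12.0(3), 12.1(5)T1
LABEL_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)$")


class Release(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str      # "" for the mainline train, otherwise the train letters
    rebuild: int    # 0 when the label carries no rebuild number

    @property
    def train_id(self) -> Tuple[int, int, str]:
        """A train is identified by major.minor plus its letters."""
        return (self.major, self.minor, self.train)


def parse_release(label: str) -> Release:
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release label: {label!r}")
    major, minor, maint, train, rebuild = m.groups()
    return Release(int(major), int(minor), int(maint), train.upper(),
                   int(rebuild or 0))


def parse_show_version(text: str) -> Optional[Tuple[str, str]]:
    """Return (image_name, release_label) for an IOS banner, else None.
    Non-IOS devices do not print this banner, as the advisory notes."""
    if ("Internetwork Operating System Software" not in text
            and "IOS (tm)" not in text):
        return None
    m = BANNER_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def is_earlier(running: Release, fixed: Release) -> bool:
    """True when `running` is in the same train as `fixed` and earlier than it,
    i.e. the 'less than the earliest fixed release' rule in the notice."""
    if running.train_id != fixed.train_id:
        raise ValueError("releases are in different trains; compare against "
                         "the fixed release listed for the running train")
    return ((running.maintenance, running.rebuild)
            < (fixed.maintenance, fixed.rebuild))


def needs_upgrade(show_version_text: str,
                  fixed_labels: List[str]) -> Optional[bool]:
    """Look up the fixed release for the running train and apply is_earlier().
    Returns None when the banner is not IOS or no fixed release is listed
    for that train (the table must then be consulted by hand)."""
    parsed = parse_show_version(show_version_text)
    if parsed is None:
        return None
    running = parse_release(parsed[1])
    for label in fixed_labels:
        fixed = parse_release(label)
        if fixed.train_id == running.train_id:
            return is_earlier(running, fixed)
    return None


# PLACEHOLDER fixed-release labels for illustration only; the real ones
# are in the advisory's table, which this code does not reproduce.
PLACEHOLDER_FIXED = ["12.0(9)", "12.1(5)T1"]

if __name__ == "__main__":
    print(parse_show_version(SAMPLE_SHOW_VERSION))
    print("upgrade needed:", needs_upgrade(SAMPLE_SHOW_VERSION, PLACEHOLDER_FIXED))
```

Comparing only within a train matters: a release label from a different train (for example one carrying train letters) says nothing about the fix status of the running train, so the function refuses that comparison instead of guessing.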

When selecting a release, keep in mind the following definitions:

     Maintenance
          Most heavily tested and highly recommended release of any label
          in a given row of the table.
     Rebuild
          Constructed from the previous maintenance or major release in the
          same train, it contains the fix for a specific defect. Although
          it receives less testing, it contains only the minimal changes
          necessary to effect the repair.
     Interim
          Built at regular intervals between maintenance releases and
          receives less testing. Interims should be selected only if there
          is no other suitable release that addresses the vulnerability,
          and interim images should be upgraded to the next available
          maintenance release as soon as possible. Interim releases are not
          available via manufacturing, and usually they are not available
          for customer download from CCO without prior arrangement with the
          Cisco TAC.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco TAC for
assistance as shown later in this notice.

More information on IOS release names and abbreviations is available at
http://www.cisco.com/warp/public/620/1.html.