Source: vulners.com mirror (SECURITYVULNS:DOC:1344), posted Mar 03, 2001

-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number
Randomization Improvements

Revision 1.0: INTERIM

For Public Release 2001 February 28 18:00 US/Pacific (UTC-0800)


Summary

Cisco IOS software contains a flaw that permits the successful prediction
of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS
software running on Cisco routers and switches. It only affects the
security of TCP connections that originate or terminate on the affected
Cisco device itself; it does not apply to TCP traffic forwarded through
the affected device in transit between two other hosts.

To remove the vulnerability, Cisco is offering free software upgrades for
all affected platforms. The defect is described in DDTS record CSCds04747.

Workarounds are available that limit or deny successful exploitation of
the vulnerability by filtering traffic containing forged IP source
addresses at the perimeter of a network or directly on individual devices.

This notice will be posted at
http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

Affected Products

The vulnerability is present in all Cisco routers and switches running
affected releases of Cisco IOS Software.

To determine the software running on a Cisco product, log in to the device
and issue the command "show version" to display the system banner. Cisco
IOS software will identify itself as "Internetwork Operating System
Software" or simply "IOS (tm)". On the next line of output, the image name
will be displayed between parentheses, followed by "Version" and the IOS
release name. Other Cisco devices will not have the "show version" command
or will give different output.

The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:

 Cisco Internetwork Operating System Software IOS (tm)
 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

Cisco devices that may be running an affected IOS software release
include, but are not limited to:

  • 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,
    4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
  • ubr900 and ubr920 universal broadband routers.
  • Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC
    series switches.
  • 5200, 5300, 5800 series access servers.
  • Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor
    Module, Catalyst ATM Blade.
  • RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR
    series Cisco routers.
  • DistributedDirector.
  • Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

Cisco products that do not run Cisco IOS software and are not affected by
the vulnerabilities described in this notice include, but are not limited
to:

  • Cisco PIX firewall.
  • Cisco 600 family of routers running CBOS.
  • Host-based network management or access management products.
  • Cisco IP Telephony and telephony management software (except those
    that are hosted on a vulnerable IOS platform).
  • Voice gateways and convergence products (except those that are hosted
    on a vulnerable IOS platform).

Details

To provide reliable delivery in the Internet, the Transmission Control
Protocol (TCP) makes use of a sequence number in each packet to provide
orderly reassembly of data after arrival, and to notify the sending host of
the successful arrival of the data in each packet.

TCP sequence numbers are 32-bit integers in the circular range of 0 to
4,294,967,295. The host devices at both ends of a TCP connection exchange
an Initial Sequence Number (ISN) selected at random from that range as part
of the setup of a new TCP connection. After the session is established and
data transfer begins, the sequence number is regularly augmented by the
number of octets transferred, and transmitted to the other host. To prevent
the receipt and reassembly of duplicate or late packets in a TCP stream,
each host maintains a "window", a range of values close to the expected
sequence number, in which the sequence number in an arriving packet must
fall if it is to be accepted. Assuming a packet arrives with the correct
source and destination IP addresses, source and destination port numbers,
and a sequence number within the allowable window, the receiving host will
accept the packet as genuine.

This method provides reasonably good protection against accidental receipt
of unintended data. However, to guard against malicious use, it should not
be possible for an attacker to infer a particular number in the sequence.
If the initial sequence number is not chosen randomly, or if it is
incremented in a non-random manner between the initialization of subsequent
TCP sessions, then it is possible, with varying degrees of success, to
forge one half of a TCP connection with another host in order to gain
access to that host, or to hijack an existing connection between two hosts
in order to compromise the contents of the TCP connection. To guard against
such compromises, ISNs should be generated as randomly as possible.

This defect, documented as DDTS CSCds04747, has been corrected by providing
an improved method for generating TCP Initial Sequence Numbers.
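The following is an added example written for this page; it is not Cisco's code and not part of the advisory. It models the attack the Details section describes: an off-path attacker samples the device's ISNs through its own connections, fits the increment, and then completes a forged three-way handshake as a trusted host without ever seeing the SYN-ACK. The predictable generator, the RFC 1948 style keyed generator, the addresses, the port, and the ingress filter that stands in for the Summary's anti-spoofing workaround are all constructed for illustration; none of them is Cisco's implementation.

```python
"""Added example, not Cisco's code: a model of why a predictable TCP ISN lets an
off-path attacker complete a forged ("blind spoofed") handshake with the device,
and why a keyed, per-connection ISN or the advisory's anti-spoofing ingress
filter defeats it. Generators, addresses and the handshake are constructed."""
import hashlib
import os
import random
import struct

M = 1 << 32                    # sequence numbers are 32-bit, arithmetic mod 2**32
DEVICE, TRUSTED, ATTACKER = "10.0.0.1", "10.0.0.5", "203.0.113.9"  # constructed


class WeakISN:
    """Predictable generator: one global counter advanced by a fixed step per
    new connection (a constructed stand-in, not Cisco's actual algorithm)."""
    def __init__(self, seed=12345, step=64000):
        self.counter, self.step = seed % M, step

    def next_isn(self, src, dst, sport, dport):
        self.counter = (self.counter + self.step) % M
        return self.counter


class HashedISN:
    """RFC 1948 style: a clock plus a per-4-tuple offset from a secret key, so
    ISNs handed to the attacker's own connections say nothing about others."""
    def __init__(self):
        self.secret, self.clock = os.urandom(16), random.randrange(M)

    def next_isn(self, src, dst, sport, dport):
        self.clock = (self.clock + 64000) % M
        h = hashlib.sha256(self.secret + f"{src}:{sport}>{dst}:{dport}".encode()).digest()
        return (self.clock + struct.unpack(">I", h[:4])[0]) % M


def predict_next_isn(samples):
    """Fit a constant-increment model to observed ISNs: the predicted next ISN,
    or None when the increments differ (no simple model fits)."""
    deltas = [(b - a) % M for a, b in zip(samples, samples[1:])]
    if len(deltas) >= 2 and len(set(deltas)) == 1:
        return (samples[-1] + deltas[0]) % M
    return None


class Device:
    """Minimal SYN / SYN-ACK / ACK state machine for a session that terminates
    on the device. Only the ISN generator and the ingress filter vary."""
    def __init__(self, isn_gen, ingress_filter=False):
        self.isn_gen, self.ingress_filter = isn_gen, ingress_filter
        self.half_open = {}        # (src, sport) -> ISN we sent in the SYN-ACK
        self.established = set()

    def receive(self, pkt):
        """pkt: src, sport, flags, ack and the interface it arrived on. The reply
        is routed to pkt['src'], so a spoofing attacker never sees it."""
        # Advisory workaround: drop packets arriving on the outside interface
        # that claim an inside source address (RFC 2827 ingress filtering).
        if self.ingress_filter and pkt["iface"] == "outside" and pkt["src"].startswith("10."):
            return None
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            isn = self.isn_gen.next_isn(pkt["src"], DEVICE, pkt["sport"], 23)
            self.half_open[key] = isn
            return {"flags": "SYN-ACK", "seq": isn}
        if pkt["flags"] == "ACK" and key in self.half_open:
            # RFC 793: in SYN-RECEIVED the ACK must acknowledge exactly ISS+1.
            # The device only admits sessions from TRUSTED (think vty access-class).
            if pkt["ack"] == (self.half_open.pop(key) + 1) % M and pkt["src"] == TRUSTED:
                self.established.add(key)
                return {"flags": "ESTABLISHED"}
        return None


def blind_spoof(device, probes=4):
    """Attacker: sample the device's ISN with its own connections, predict the
    next one, then forge a handshake as TRUSTED without seeing the SYN-ACK.
    (The real TRUSTED host's RST to the stray SYN-ACK is ignored in this model.)
    Returns True if the forged session reaches ESTABLISHED."""
    seen = []
    for port in range(40000, 40000 + probes):
        reply = device.receive({"src": ATTACKER, "sport": port, "flags": "SYN",
                                "ack": None, "iface": "outside"})
        seen.append(reply["seq"])
    guess = predict_next_isn(seen)
    if guess is None:
        return False
    device.receive({"src": TRUSTED, "sport": 51000, "flags": "SYN",
                    "ack": None, "iface": "outside"})
    reply = device.receive({"src": TRUSTED, "sport": 51000, "flags": "ACK",
                            "ack": (guess + 1) % M, "iface": "outside"})
    return reply is not None and reply["flags"] == "ESTABLISHED"


if __name__ == "__main__":
    print("weak ISN, no filter   :", blind_spoof(Device(WeakISN())))        # True
    print("weak ISN, ingress ACL :", blind_spoof(Device(WeakISN(), True)))  # False
    print("hashed ISN, no filter :", blind_spoof(Device(HashedISN())))      # False
```

The model keeps the RFC 793 rule that the handshake's final ACK must acknowledge exactly ISS+1, which is why an exact prediction, not merely a guess inside the window, is what the attacker needs here; injecting into an already established session only requires landing inside the receive window, and is correspondingly easier. Either the keyed ISN or the ingress filter alone is enough to make this particular forged handshake fail, which is the point of offering both the upgrade and the filtering workaround.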

Impact

  • Forged packets can be injected into a network from a location outside
    its boundary so that they are trusted as authentic by the receiving
    host, thus resulting in a failure of integrity. Such packets could be
    crafted to gain access or make some other modification to the receiving
    system in order to attain some goal, such as gaining unauthorized
    interactive access to the system or compromising stored data.

  • From a position within the network where it is possible to receive the
    return traffic (but not necessarily in a position that is directly in
    the traffic path), a greater range of violations is possible. For
    example, the contents of a message could be diverted, modified, and
    then returned to the traffic flow again, causing a failure of integrity
    and a possible failure of confidentiality.

NOTE: Any compromise using this vulnerability is only possible for TCP
sessions that originate or terminate on the affected Cisco device itself.
It does not apply to TCP traffic that is merely forwarded through the
device.

Software Versions and Fixes

The following table summarizes the IOS software releases that are known to
be affected, and the earliest estimated dates of availability for the
recommended fixed versions. Dates are always tentative and subject to
change.

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest possible releases that contain the fix and the
anticipated date of availability for each are listed in the "Rebuild",
"Interim", and "Maintenance" columns. A device running any release in the
given train that is earlier than the release in a specific column (less
than the earliest fixed release) is known to be vulnerable, and it should
be upgraded at least to the indicated release or a later version (greater
than the earliest fixed release label).
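As an added example, not part of the advisory and not a Cisco tool, the following Python applies the rule above mechanically: it pulls the release string out of a "show version" banner (in the format shown under Affected Products), identifies the train, and compares the release with that train's earliest fixed release. The ordering key is this example's own reading of IOS release naming, major.minor(maintenance[.interim][rebuild letter])TRAIN[rebuild number], not a Cisco-published comparison rule; in particular it sorts an interim such as 12.0(14.6)S above the rebuilds of 12.0(14), which agrees with the table's 12.0S row but is an assumption in general. The FIXED table is copied from the table below for a subset of trains, and the banner is constructed.

```python
"""Added example, not from the advisory: read the release string from an IOS
"show version" banner and apply the table's rule that a release in a known
train which is earlier than that train's earliest fixed release is vulnerable.
The ordering key is this example's own reading of IOS release naming, not a
Cisco-published comparison rule; FIXED is copied from the advisory's table
for a subset of trains."""
import re
import string

# major.minor(maintenance[.interim][rebuild letter])TRAIN[rebuild number][(sub)]
_RELEASE = re.compile(
    r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?([a-z]?)\)([A-Z]*)(\d*)(?:\((\d+)\))?")


def parse_release(text):
    """(train, sort key) for the first IOS release string in text, else None."""
    m = _RELEASE.search(text)
    if m is None:
        return None
    major, minor, maint, interim, letter, train, digits, sub = m.groups()
    if sub is not None:            # 12.0(14)W5(20): "W5" names the train, 20 the rebuild
        train, digits = train + digits, sub
    key = (int(major), int(minor), int(maint), int(interim or 0),
           string.ascii_lowercase.index(letter) + 1 if letter else 0,
           int(digits or 0))
    return f"{major}.{minor}{train}", key


def release_from_banner(banner):
    """Pull the "Version ..." field from a show version banner."""
    m = re.search(r"Version\s+(\S+)", banner)
    return parse_release(m.group(1)) if m else None


# Earliest fixed release per train, taken from the advisory's table. Only a
# subset of trains is listed; trains whose only remedy is a cross-train
# upgrade are left out, so is_vulnerable() returns None for them.
FIXED = {
    "11.0": "11.0(22a)",     "11.1": "11.1(24a)",      "11.1CA": "11.1(36)CA1",
    "11.1CC": "11.1(36)CC1", "11.2": "11.2(25)",       "11.2P": "11.2(25)P",
    "11.3": "11.3(11b)",     "11.3T": "11.3(11b)T1",   "12.0": "12.0(15)",
    "12.0S": "12.0(14)S1",   "12.0ST": "12.0(11)ST2",  "12.0W5": "12.0(14)W5(20)",
}


def is_vulnerable(banner):
    """True if the banner's release is in a train in FIXED and earlier than the
    fix, False if it is the fix or later, None if FIXED cannot decide."""
    parsed = release_from_banner(banner)
    if parsed is None:
        return None
    train, key = parsed
    if train not in FIXED:
        return None
    return key < parse_release(FIXED[train])[1]


# Constructed banner in the format the advisory shows under Affected Products.
BANNER = ("Cisco Internetwork Operating System Software IOS (tm)\n"
          "2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE")

if __name__ == "__main__":
    print(release_from_banner(BANNER), is_vulnerable(BANNER))   # ('12.0', ...) True
```

A None result means "not decidable from this table", not "safe": every train in the table is vulnerable below its fix, and the ones omitted from FIXED have no fixed release at all, only an upgrade to another train.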

When selecting a release, keep in mind the following definitions:

 Maintenance
      Most heavily tested and highly recommended release of any label
      in a given row of the table.
 Rebuild
      Constructed from the previous maintenance or major release in the
      same train, it contains the fix for a specific defect. Although
      it receives less testing, it contains only the minimal changes
      necessary to effect the repair.
 Interim
      Built at regular intervals between maintenance releases and
      receiving less testing. Interims should be selected only if there
      is no other suitable release that addresses the vulnerability,
      and interim images should be upgraded to the next available
      maintenance release as soon as possible. Interim releases are not
      available via manufacturing, and usually they are not available
      for customer download from CCO without prior arrangement with the
      Cisco TAC.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco TAC for
assistance as shown later in this notice.

More information on IOS release names and abbreviations is available at
http://www.cisco.com/warp/public/620/1.html.

Train       Description of image or platform         Fixed release(s) and availability
----------  ---------------------------------------  ----------------------------------
11.0-based releases
11.0        Major GD release for all platforms       Rebuild 11.0(22a), 2001-Mar-08
----------  ---------------------------------------  ----------------------------------
11.1-based releases
11.1        Major release for all platforms          Rebuild 11.1(24a), 2001-Mar-08
11.1AA      ED release for access servers: 1600,     Unavailable; upgrade recommended to
            3200, and 5200 series                    12.1(7), available 2001-Feb-26
11.1CA      Platform-specific support for 7500,      Rebuild 11.1(36)CA1, 2001-Mar-02
            7200, 7000, and RSP
11.1CC      ISP train: added support for FIB, CEF,   Rebuild 11.1(36)CC1, 2001-Mar-02
            and NetFlow on 7500, 7200, 7000, and RSP
11.1CT      Added support for Tag Switching on       Fixed in 12.0(11)ST2, 2001-Feb-26
            7500, 7200, 7000, and RSP
11.1IA      DistributedDirector only                 Rebuild 11.1(28a)IA1, 2001-Feb-26
----------  ---------------------------------------  ----------------------------------
11.2-based releases
11.2        Major release, general deployment        Rebuild 11.2(25a), 2001-Mar-05;
                                                     Maintenance 11.2(25), available
11.2BC      Platform-specific support for IBM        Unavailable; upgrade recommended to
            networking, CIP, and TN3270 on 7500,     12.1(7), available 2001-Feb-26
            7000, and RSP
11.2F       Feature train for all platforms          Unavailable; upgrade recommended
11.2GS      Early deployment release to support      Unavailable; upgrade recommended to
            12000 GSR                                12.0(15)S1, available 2001-Feb-26
11.2P       New platform support                     Rebuild 11.2(25a)P, 2001-Mar-05;
                                                     Maintenance 11.2(25)P, available
11.2SA      Catalyst 2900XL switch only              Unavailable; upgrade recommended to
                                                     12.1WC, available 2001-Apr-12
11.2WA3     LightStream 1010 ATM switch              Unavailable; upgrade recommended to
                                                     12.0(10)W5(20), available 2001-Feb-28
11.2(4)XA   Initial release for the 1600 and 3600    Rebuild 11.2(25a)P, 2001-Mar-05;
                                                     Maintenance 11.2(25)P, available
11.2(9)XA   Initial release for the 5300 and         Rebuild 11.2(25a)P, 2001-Mar-05;
            digital modem support for the 3600       Maintenance 11.2(25)P, available
----------  ---------------------------------------  ----------------------------------
11.3-based releases
11.3        Major release for all platforms          Rebuild 11.3(11b), 2001-Mar-05
11.3AA      ED for dial platforms and access         Rebuild 11.3(11a)AA, 2001-Mar-05
            servers: 5800, 5200, 5300, 7200
11.3DA      Early deployment train for ISP DSLAM     Unavailable; upgrade recommended to
            6200 platform                            12.1(5)DA1, available 2001-Mar-19
11.3DB      Early deployment train for ISP/Telco/    Unavailable; upgrade recommended to
            PTT xDSL broadband concentrator          12.1(4)DB1, available 2001-Feb-28
            platform (NRP) for 6400
11.3HA      Short-lived ED release for ISR 3300      Vulnerable; no fixed release listed
            (SONET/SDH router)
11.3MA      MC3810 functionality only                Rebuild 11.3(1)MA8, 2001-Mar-05
11.3NA      Voice over IP, media convergence,        Unavailable; upgrade recommended to
            various platforms                        12.1(7), available 2001-Feb-26
11.3T       Early deployment major release,          Rebuild 11.3(11b)T1, 2001-Mar-05
            feature-rich for early adopters
11.3WA4     Multilayer Switching and Multiprotocol   Unavailable; upgrade recommended to
            over ATM functionality for Catalyst      12.0(14)W5(20), available 2001-Feb-28
            5000 RSM, 4500, 4700, 7200, 7500,
            LightStream 1010
11.3(2)XA   Introduction of ubr7246 and 2600         Rebuild 11.3(11b)T1, 2001-Mar-05
----------  ---------------------------------------  ----------------------------------
12.0-based releases
12.0        General deployment release for all       Maintenance 12.0(15), available
            platforms
12.0DA      xDSL support: 6100, 6200                 Unavailable; upgrade recommended to
                                                     12.1(5)DA1, available 2001-Mar-19
12.0DB      General deployment release for all       Unavailable; upgrade recommended to
            platforms                                12.1(4)DB1, available 2001-Feb-28
12.0DC      General deployment release for all       Unavailable; upgrade recommended to
            platforms                                12.1(4)DC2, available 2001-Feb-28
12.0S       Core/ISP support: GSR, RSP, c7200        Rebuild 12.0(14)S1, available;
                                                     Interim 12.0(14.6)S, available
12.0SC      Cable/broadband ISP: ubr7200             Rebuild 12.0(15)SC1, 2001-Feb-26
12.0SL      10000 ESR: c10k                          Rebuild 12.0(14)SL1, 2001-Feb-26
12.0ST      General deployment release for all       Rebuild 12.0(11)ST2, 2001-Feb-26
            platforms
12.0SX      Early Deployment (ED)                    Fixed in 12.0(5c)E8, 2001-Feb-26
12.0T       Early Deployment (ED): VPN,              Unavailable; upgrade recommended to
            DistributedDirector, various platforms   12.1(7), available 2001-Feb-26
12.0W5      Catalyst switches: cat8510c, cat8540c,   Rebuild 12.0(14)W5(20), 2001-Feb-28
            c6msm, ls1010, cat8510m, cat8540m,
            c5atm, c3620, c3640, c4500, c5rsfc,
            c5rsm, c7200, rsp, cat2948g, cat4232
12.0WT      General deployment release for all       Rebuild 12.0(13)WT6(1)
            platforms                                (availability date not given)