Information Security News mailing list archives

TCP weakness may be worse than suspected


From: InfoSec News <isn () C4I ORG>
Date: Thu, 15 Mar 2001 22:31:22 -0600

http://www.zdnet.com/eweek/stories/general/0,11011,2696792,00.html

By Dennis Fisher, eWEEK
March 15, 2001 11:07 AM ET

Two days after a security vendor announced it had found a new
vulnerability in TCP, only to be lambasted for passing an old problem
off as news, the researcher who identified the weakness defended his
work and the decision to announce it.

Tim Newsham, senior research scientist at Guardent Inc., said that
although the vulnerability he found in the Transmission Control
Protocol is quite similar to one identified in 1985 by another
researcher, it differs in several important ways.

The original problem, discovered by AT&T Corp.'s Robert Morris, was
that ISNs (Initial Sequence Numbers) generated at the beginning of TCP
sessions to authenticate subsequent packets were predictable and could
be used to create a forged connection between an attacker and a remote
host. This, in turn, would enable the attacker to impersonate a
trusted host.

In response to this discovery, many vendors updated their software to
begin incrementing their ISNs by a random value.

This change prevented attackers from guessing the ISN, but Newsham
found that a skilled attacker could still glean enough information
from other TCP sessions between two hosts to be able to infer the ISN
value, regardless of whether it is incremented in a random manner.

That would enable an attacker to hijack a given TCP session and
execute a number of different attacks.

"What I pointed out is that existing [TCP] connections are still
vulnerable even when random increments are used," Newsham said. "It
makes no difference if these increments are random or pseudo-random."

No easy fix

In 1996, another AT&T researcher, Steve Bellovin, submitted a paper to
the Internet Engineering Task Force proposing a fix for the problem.
However, he said that some vendors found the solution to be too
CPU-intensive and instead decided to rely on the random incrementation
method.

Bellovin added that in light of Newsham's discovery, the only reliable
ways to guard the integrity of TCP sessions are cryptography or his
fix, which involves basing the ISN on a complex combination of a
random number generated by each machine, an administratively installed
secret phrase and the machine's IP address.
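The construction Bellovin proposed was later published as RFC 1948: the ISN is a clock value M plus a keyed hash F of the connection's addresses, ports and a per-host secret, so every connection gets its own offset and observing one session's sequence numbers says nothing about another's. The sketch below is an added illustration, not code from the article, Guardent or RFC 1948 itself; HMAC-SHA256 as the choice of F, the secret bytes, the addresses and the caller-supplied microsecond clock are all this example's assumptions.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


def connection_offset(local_ip, local_port, remote_ip, remote_port, secret):
    """F(localhost, localport, remotehost, remoteport, secret).

    A keyed hash over the connection 4-tuple. For a fixed secret the value is
    fixed per 4-tuple, so the host never has to remember it per connection,
    and it cannot be derived from ISNs seen on other connections without the
    secret. HMAC-SHA256 is this example's assumed choice of F.
    """
    ident = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode()
    digest = hmac.new(secret, ident, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def initial_sequence_number(local_ip, local_port, remote_ip, remote_port,
                            secret, clock_us):
    """ISN = M + F(...), where M is the 32-bit ISN clock that RFC 793
    already specified (it advances by one every 4 microseconds).

    clock_us is a hypothetical monotonic microsecond timestamp supplied by
    the caller so the function stays deterministic and testable.
    """
    m = (clock_us // 4) & MASK32
    f = connection_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (m + f) & MASK32


def sequence_space_gap(isn_a, isn_b):
    """Modular distance from isn_a to isn_b: what someone who saw isn_a
    would still need to know in order to place isn_b."""
    return (isn_b - isn_a) & MASK32


if __name__ == "__main__":
    # Constructed sample values: one client host opening two sessions to
    # the same server 4 ms apart, differing only in the client port.
    secret = b"constructed-per-host-secret"
    a = initial_sequence_number("10.0.0.2", 40000, "10.0.0.9", 22, secret, 1_000_000)
    b = initial_sequence_number("10.0.0.2", 40001, "10.0.0.9", 22, secret, 1_004_000)
    print(f"ISN A = {a:#010x}, ISN B = {b:#010x}")
    print(f"gap A->B = {sequence_space_gap(a, b)} (clock alone would give 1000)")
```

Within one 4-tuple the sequence space still advances with the clock, which is what keeps reconnections from colliding with old segments; across 4-tuples the gap is dominated by the unpredictable hash difference.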

"What this does is show that the fix the companies used isn't as good
as Bellovin's [fix]," said Bruce Schneier, a noted cryptographer and
chief technology officer of Counterpane Internet Security Inc. in San
Jose, Calif.

Guardent, a Waltham, Mass., security company, announced Monday it had
found a new flaw in the TCP protocol but declined to provide much
detail for fear that attackers would use the information before
vendors could implement fixes.

News reports about the announcement generated considerable backlash,
with some observers accusing Guardent of using scare tactics to
generate publicity for itself.

However, Newsham said he believes the company went about it the right
way.

"We wanted to make people aware of the problem but still give the
vendors a chance to fix it," he said.

He added that the company is currently working with the CERT Center at
Carnegie Mellon University and several software vendors to come up
with a solution to the problem.

ISN is hosted by SecurityFocus.com