Information Security News mailing list archives

TCP security flaw--an age-old problem


From: InfoSec News <isn () C4I ORG>
Date: Tue, 13 Mar 2001 00:43:14 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2694878,00.html

By Dennis Fisher
eWEEK
UPDATED March 12, 2001 12:32 PM PT

Researchers have found a serious flaw in one of the key pieces of the
Internet's software backbone.

But despite Monday's advisory, the ISN flaw is hardly a new problem.
The architects of the early Internet knew as far back as the mid-1980s
that the lack of randomness in the way the ISN (Initial Sequence
Number) is chosen would be a problem, and warned of the potential
consequences. AT&T Corp. researchers submitted a paper to the Internet
Engineering Task Force in 1996 proposing a fix for the problem.

Security vendor Guardent Inc. on Monday announced it has identified a
potentially huge problem in the inner workings of TCP (Transmission
Control Protocol), one half of the TCP/IP standard that enables
Internet traffic to flow across heterogeneous networks.

The problem, which is nearly identical to one found in some
implementations of Cisco Systems Inc.'s IOS software two weeks ago,
involves the manner in which machines running TCP select the ISN. The
ISN, a random value known only to the two machines at either end of a
TCP session, is used to help identify legitimate packets and prevent
extraneous data from muddying a transmission.

ISN values are exchanged by the sending and receiving hosts and are
supposed to be chosen randomly. Each successive packet then contains a
sequence number that is based on the ISN plus the number of bytes
transferred to the receiving host.

But if the ISN is not chosen at random, or if it is increased by a
non-random increment in subsequent TCP sessions, an attacker could
guess the ISN, thereby enabling him or her to hijack the session's
traffic, inject false packets into the stream or even launch a
denial-of-service attack against individual Web servers.
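The two ways of choosing an ISN that the article contrasts, as an added example that is not part of the eWEEK story: a fixed-increment generator of the kind the flaw concerns, beside a keyed-offset generator in the style of the 1996 IETF proposal (RFC 1948), plus a check a defender can run over ISNs observed from a stack to see whether successive values are predictable. The addresses, ports, secret and clock step are constructed values.

```python
import hashlib
import hmac
import secrets

MOD = 2**32  # TCP sequence numbers are 32-bit values

class FixedIncrementISN:
    """Weak scheme: each new connection gets the previous ISN plus a constant."""
    def __init__(self, start=0, step=64000):
        self.isn, self.step = start, step

    def next_isn(self, laddr, lport, raddr, rport):
        self.isn = (self.isn + self.step) % MOD
        return self.isn

class KeyedISN:
    """RFC 1948 style: ISN = clock + F(local/remote address and port, secret),
    so the ISN handed to one peer says nothing about another peer's ISN."""
    def __init__(self, secret=None, clock_step=250_000):
        self.secret = secret or secrets.token_bytes(16)  # chosen once per boot
        self.clock, self.clock_step = 0, clock_step       # stands in for the 4 us timer

    def next_isn(self, laddr, lport, raddr, rport):
        self.clock = (self.clock + self.clock_step) % MOD
        tup = f"{laddr}:{lport}>{raddr}:{rport}".encode()
        f = int.from_bytes(hmac.new(self.secret, tup, hashlib.sha256).digest()[:4], "big")
        return (self.clock + f) % MOD

def observed_isns(gen, raddr, rport, n=6, first_port=40000):
    """Constructed offline simulation: open n connections to one server from
    successive client ports and record the ISN the stack assigned to each."""
    return [gen.next_isn("198.51.100.7", first_port + i, raddr, rport) for i in range(n)]

def isn_deltas(isns):
    """Differences between successive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def looks_predictable(isns, tolerance=2**16):
    """Defender's check: near-constant deltas mean the next ISN is guessable."""
    d = isn_deltas(isns)
    return max(d) - min(d) < tolerance

if __name__ == "__main__":
    for gen in (FixedIncrementISN(start=1000), KeyedISN()):
        isns = observed_isns(gen, "203.0.113.5", 80)
        print(type(gen).__name__, isn_deltas(isns), "predictable:", looks_predictable(isns))
```

The keyed generator still advances a clock, so a new connection between the same two endpoints never reuses an old ISN; only the per-connection offset is what an outside observer cannot learn.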

No mean feat

However, any attacker looking to exploit this vulnerability would
likely have a hard time, security experts say. Not only is it
inordinately difficult to identify machines that are vulnerable, but
the attacks themselves are quite hard to execute.

And because the flaw has been known for so long, it's unlikely that
there are many TCP implementations that are still vulnerable to such
attacks.

"This is extremely difficult to do. It's a theoretical attack," said
security expert Steve Gibson, of Gibson Research Corp. in Laguna
Hills, Calif. "It's weird that they're talking about something like
this. It's as old as the hills."

While they acknowledge that it takes a very knowledgeable cracker to
exploit the TCP flaw, Guardent officials defended the timing of their
advisory and said it's only a matter of time before someone develops a
set of tools to do the job and posts them on the Internet.

"The hard part was the reduction of this from theory to practice,"
said Jerry Brady, vice president of research and development at
Guardent, of Waltham, Mass. "But if someone makes a tool for this
available, it wouldn't take a very experienced person to [launch an
attack]."

Guardent officials alerted CERT and the affected vendors to the
problem before making it public.

"We're trying to break new ground here," Brady said. "We were
intentionally vague about the details of the problem. We want to work
with the vendors to fix this."

ISN is hosted by SecurityFocus.com