Predictable TCP Initial Sequence Numbers

[NetScreen Security Response Team <security-alert () netscreen com>]

Title: NetScreen Security Alert 51897

Date: 25 November 2002

Description: Predictable TCP Initial Sequence Numbers

Impact: Circumvention of Defined Security Policies

Affected Products: All firewall/VPN appliances and systems

Affected Software Releases: ScreenOS 1.7, 2.6, 2.8, 3.0, 3.1, 4.0

Summary:

A vulnerability has been reported and confirmed in the algorithms generating TCP initial sequence numbers that makes 
their selection predictable. This vulnerability is present in ScreenOS 4.0.0 and all prior released versions of 
ScreenOS.

Predictable TCP ISNs and IP spoofing may be used to gain access to TCP applications or services that use IP address 
based authentication. A considerable amount of information regarding this topic can be found at 
http://www.cert.org/advisories/CA-2001-09.html

The vulnerability is exploitable on TCP connections to and from the NetScreen device itself. The vulnerability is also 
exploitable on TCP connections that match policies requiring authentication, and on connections forwarded through the 
device between two other hosts during syn-flood protection, when the NetScreen device is performing SYN proxying for 
the protected hosts.

This vulnerability is not exploitable on TCP traffic secured via IPSec, SSH, or other mechanisms that make interception 
and modification of traffic detectable.

The algorithms used to select TCP ISNs in affected versions of ScreenOS 2.6 and earlier are most predictable, thus the 
risks associated with this vulnerability are higher for devices running these versions of ScreenOS. Different 
algorithms with significantly less predictability were introduced in ScreenOS 3.0. Algorithms based on RFC 1948 were 
introduced in ScreenOS 4.0.1, and are used in the maintenance releases indicated below.

Recommended Actions:

Any or all of

(1) Install one of the maintenance releases indicated below.

(2) Upgrade to ScreenOS 4.0.1.

(3) Only permit protocols that make interception and modification detectable (IPSec, SSH, SSL, etc.) to traverse the 
firewall.

(3) Turn off or readjust syn-flood protection related parameters to minimize exposure to the vulnerability.

(4) Follow standard good security practices regarding configuration of the NetScreen device and communication to and 
from it that makes interception and modification detectable, if not altogether preventable. Examples include using 
IPSec tunnels or SSH to the device for administrative access to the CLI, MD5 authentication to protect BGP sessions, 
strong authentication for access control, and so on.

Release Schedule:

For a complete release schedule, please visit:  

http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html

How to Get ScreenOS:

If you have registered your product with NetScreen and have a valid service contract, you can simply download the 
software from:
http://www.netscreen.com/support/updates.html

You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and 
enter your registered NetScreen device serial number as the password.

If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for 
special instructions on how to obtain the fixed software. NetScreen Technical Support is available 24 hours a day, 365 
days a year. Contact information can be located at http://www.netscreen.com/support/technical_assistance.html

Please reference this Advisory title as evidence of your entitlement to the fixed software version.

NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through 
which to obtain the new release.