Windows 7 predictable sequences

nikkster712

Distinguished
Jun 7, 2011
2
0
18,510
I'm failing my Security Metrics scan in part b/c of predictable sequences. I don't know how to fix this. The error is this:

"Description: initial TCP sequence number is predictable
dpcxxxxxxxxxx.direcpc.com xx.xx.xxx.xxx Jun 06 09:14:46 2011 new
Severity: Area of Concern
CVE: CVE-1999-0077 5.0918new11

Impact: A remote attacker could hijack an existing session or create a new
session using an arbitrary source IP address. If services which use
address-based authentication mechanisms are enabled on the server, the
attacker could execute arbitrary commands.

Background: The Transmission Control Protocol (TCP) is the protocol used by
services such as telnet, ftp, and smtp to establish a connection between a
client and a server. Every TCP packet includes a sequence number in the
header to ensure that all packets are received at the destination and
re-assembled in the correct order. The sequence numbering begins with an
initial sequence number which is chosen by the server and sent to the client
when the connection is established. Thus, sequence numbers also help to
verify the identity of the client, since only the intended client has
knowledge of the initial sequence number.

Resolution: The Solution described in [ftp://ftp.isi.edu/in-notes/rfc1948.txt]
RFC1948 was developed to sufficiently randomize initial sequence numbers so
they cannot be predicted. Check [http://www.cert.org/advisories/CA-2001-09.html]
CERT Advisory 2001-09 to see whether your vendor has released a patch which
implements this Solution. If your operating system is vulnerable and there is
no patch available, it would be advisable to upgrade your operating system.
Most modern operating systems are not affected by this vulnerability. Windows
NT users should apply service pack 6a and install the patch referenced in
[http://www.microsoft.com/technet/security/bulletin/ms99-046.mspx]
Microsoft Security Bulletin 99-046.

Vulnerability Details: Service: nmap TCP Sequence Prediction: Difficulty=20
(Good luck!)"

I emailed Security Metrics about this, and got this response:

In regards to the predictable sequence number we have replicated the vulnerability below:
~$ sudo hping3 -S -Q xx.xx.xxx.xxx -p 80
[sudo] password for isaac:
HPING xx.xx.xxx.xxx (eth1 xx.xx.xxx.xxx): S set, 40 headers + 0 data bytes
877548774 +877548774
878700774 +1152000
880300774 +1600000
881260774 +960000
883500774 +2240000
882220774 +4293687295
884588774 +2368000
886124774 +1536000
887468774 +1344000
889068774 +1600000
890348774 +1280000
892332774 +1984000
893420774 +1088000
894316774 +896000
895276774 +960000
896364774 +1088000
898028774 +1664000
899628774 +1600000
901164774 +1536000
902828774 +1664000
904428774 +1600000
905772774 +1344000
As you can see some of the sequence numbers are repeating.


How do I fix this? Security Metrics support didn't bother to tell me. I'm running Windows 7 Home Premium x64.
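
An added example (not part of the original thread or of Security Metrics' reply): a Python sketch that reads `hping3 -Q` output like the listing above, folds the 32-bit wraparound (the `+4293687295` row is a wrapped negative difference), and reports the common step between initial sequence numbers and how many values the next one could take. The function names, the shortened sample and the 2^20 threshold are assumptions made for illustration.

```python
import re
from functools import reduce
from math import gcd

MOD = 2**32

# First eight rows of the hping3 listing quoted in the post above.
SAMPLE = """\
877548774 +877548774
878700774 +1152000
880300774 +1600000
881260774 +960000
883500774 +2240000
882220774 +4293687295
884588774 +2368000
886124774 +1536000
"""

def parse_isns(text):
    """Return the first-column sequence numbers from `hping3 -Q` style lines."""
    return [int(m.group(1))
            for m in re.finditer(r"^(\d+)[ \t]+\+\d+[ \t]*$", text, re.M)]

def signed_deltas(isns):
    """Differences between consecutive ISNs, folded into [-2^31, 2^31)."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD
        out.append(d - MOD if d >= MOD // 2 else d)
    return out

def analyze(isns, threshold=2**20):  # threshold is an assumed cut-off
    """Summarise how structured a series of initial sequence numbers is."""
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    deltas = signed_deltas(isns)
    # A large common divisor means the counter advances in fixed-size ticks.
    step = reduce(gcd, (abs(d) for d in deltas)) or 1
    spread = max(deltas) - min(deltas)
    # Values the next ISN can take if it stays inside the observed window.
    candidates = spread // step + 1
    return {"common_step": step, "spread": spread,
            "candidates": candidates, "predictable": candidates < threshold}

if __name__ == "__main__":
    print(analyze(parse_isns(SAMPLE)))
```

A generator that follows RFC 1948 should give deltas with no large common step and a spread close to the full 32-bit range, so `predictable` comes back `False`.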
 
Did you read this in the above report you posted?

"Resolution: The Solution described
in [ftp://ftp.isi.edu/in-notes/rfc1948.txt] RFC1948 was developed to
sufficiently randomize initial sequence numbers so they cannot be predicted.
Check [http://www.cert.org/advisories/CA-2001-09.html] CERT Advisory
2001-09 to see whether your vendor has released a patch which implements
this Solution. If your operating system is vulnerable and there is no patch
available, it would be advisable to upgrade your operating system. Most
modern operating systems are not affected by this vulnerability"
 

nikkster712

Yes, I did. But I'm not a computer programmer and it looks like Chinese to me. If I knew what to do, I wouldn't bother posting. I'm running Windows 7, and it's up to date, yet I still have this problem.
 
This is not a "problem"; it's a possible security hole which needs to be fixed by the operating system vendor. A problem would be if an issue prevented something from running, or was crashing. If your PC is running normally, wait till a patch is released for this, or do a search on TechNet for a possible hotfix.