Borderware predictable TCP seq. numbers - Summary of responses

From: Roy Hills (Roy.Hills@NTA-MONITOR.COM)
Date: Mon Sep 14 1998 - 09:21:39 PDT


    The Borderware Firewall predictable initial TCP sequence numbers issue
    has resulted in quite a few comments and sub-threads both in the list
    and in private Emails to my mailbox.  This message summarises the
    different threads:
    
    1.  Borderware v4 and v5 vulnerable
    
    The reports I've had back from people using the testing tool indicate that
    both version 4 and version 5 of Borderware are vulnerable to this issue.  I've
    not had any reports of earlier versions (was there ever a Borderware v3 or
    earlier?).
    
    2.  Other OSes vulnerable to this issue
    
    Many people pointed out that HP-UX 9.x and 10.x produce predictable
    sequence numbers by default, although both versions can be easily
    changed to pseudo-random sequences (I wonder why HP don't make
    this the default setting?  Does it have a significant performance hit?).
    
    There has also been lots of comment about NT 4's time-based sequence
    numbers which increment once per millisecond.  The general feeling here
    seems to be that, even though this sequence is harder to predict than the
    "64k" sequence seen on Borderware & HP-UX, it is possible to do so.  I've
    had a few packet-trace examples demonstrating this.
    
    I have also observed the "64k" sequence on old versions of AIX and SCO
    UNIX.  I'm sure that there are plenty of other old OSes out there which share
    this problem.
    
    Does anyone know if there is a list of the initial TCP sequence number
    patterns exhibited by the major operating systems and TCP/IP stacks?
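    As an added illustration (not part of this post or of the testing tool it refers to), the following Python classifies a run of initial sequence numbers captured from a single host into the patterns discussed above: the fixed "64k" increment, an NT-style per-millisecond clock, or neither. The ISN samples and timestamps are constructed, not real captures, and the 5% tolerance is an assumed threshold.

```python
# Added example (not from the original post): classify a sample of observed
# TCP initial sequence numbers (ISNs) into the patterns the post describes.
import statistics

ISN_MOD = 1 << 32  # ISNs are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 to handle wrap."""
    return [(b - a) % ISN_MOD for a, b in zip(isns, isns[1:])]


def classify_isns(isns, times_ms=None, tolerance=0.05):
    """Return (label, details) for a run of ISNs captured from one host.

    "constant-increment": every delta is identical (the "64k" pattern
        seen on Borderware, HP-UX and old AIX/SCO in the post);
    "time-based": delta / elapsed-ms is constant within `tolerance`
        (the NT 4 style clock-driven generator);
    "random": neither of the above (what an audited stack should show).
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    if len(set(deltas)) == 1:
        return "constant-increment", {"increment": deltas[0]}
    if times_ms is not None:
        elapsed = [b - a for a, b in zip(times_ms, times_ms[1:])]
        rates = [d / t for d, t in zip(deltas, elapsed) if t > 0]
        if rates:
            mean_rate = statistics.mean(rates)
            if mean_rate > 0 and all(abs(r - mean_rate) <= tolerance * mean_rate for r in rates):
                return "time-based", {"per_ms": mean_rate}
    return "random", {"delta_stddev": statistics.pstdev(deltas)}


# Constructed samples (not real captures).
BSD64K_ISNS = [(0xFFFF0000 + 64000 * i) % ISN_MOD for i in range(5)]  # wraps past 2^32
NT_TIMES_MS = [0, 1200, 2500, 4100, 4900]
NT_ISNS = [0x2000 + t for t in NT_TIMES_MS]  # +1 per millisecond
RANDOM_ISNS = [0x1A2B3C4D, 0x9F1E0D2C, 0x3344AABB, 0xDEADBEEF, 0x0BADF00D]

if __name__ == "__main__":
    for name, isns, times in [("BSD64K", BSD64K_ISNS, None),
                              ("NT", NT_ISNS, NT_TIMES_MS),
                              ("random", RANDOM_ISNS, None)]:
        print(name, *classify_isns(isns, times))
```

A stack whose ISNs come back as anything other than "random" over a reasonable sample is one to flag for the vendor fix or the pseudo-random setting mentioned for HP-UX.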
    
    3.  Certification issues
    
    I've received lots of private Email on the subject of certification, and why
    this issue was not picked up in the ICSA (previously NCSA) tests.  The
    general opinion was that ICSA testing is quite superficial and should be
    seen as a minimum acceptable level rather than a "gold standard".
    
    Another common theme was that certification was no substitute for
    independent testing of the "real world" connection.
    
    Roy Hills
    NTA Monitor Ltd
    --
    Roy Hills                                    Tel:   01634 721855
    NTA Monitor Ltd                              FAX:   01634 721844
    6 Beaufort Court, Medway City Estate,        Email: Roy.Hills@nta-monitor.com
    Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:14 PDT