[NEWS] Predictable TCP Initial Sequence Numbers in NetScreen

From: support@securiteam.com
Date: 11/26/02

  • Next message: support@securiteam.com: "[NEWS] Potential H.323 Denial of Service in NetScreen" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 27 Nov 2002 00:57:53 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Predictable TCP Initial Sequence Numbers in NetScreen
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability has been reported and confirmed in the algorithms
    generating TCP initial sequence numbers that makes their selection
    predictable. This vulnerability is present in ScreenOS 4.0.0 and all prior
    released versions of ScreenOS.

    Predictable TCP ISNs and IP spoofing may be used to gain access to TCP
    applications or services that use IP address based authentication. A
    considerable amount of information regarding this topic can be found at
    <http://www.cert.org/advisories/CA-2001-09.html>
    http://www.cert.org/advisories/CA-2001-09.html

    The vulnerability is exploitable on TCP connections to and from the
    NetScreen device itself. The vulnerability is also exploitable on TCP
    connections that match policies requiring authentication, and on
    connections forwarded through the device between two other hosts during
    SYN-flood protection, when the NetScreen device is performing SYN Proxying
    for the protected hosts.

    This vulnerability is not exploitable on TCP traffic secured via IPSec,
    SSH, or other mechanisms that make interception and modification of
    traffic detectable.

    The algorithms used to select TCP ISNs in affected versions of ScreenOS
    2.6 and earlier are most predictable, thus the risks associated with this
    vulnerability are higher for devices running these versions of ScreenOS.
    Different algorithms with significantly less predictability were
    introduced in ScreenOS 3.0. Algorithms based on RFC 1948 were introduced
    in ScreenOS 4.0.1, and are used in the maintenance releases indicated
    below.

    DETAILS

    Vulnerable systems:
     * ScreenOS 1.7
     * ScreenOS 2.6
     * ScreenOS 2.8
     * ScreenOS 3.0
     * ScreenOS 3.1
     * ScreenOS 4.0

    Immune systems:
     * ScreenOS 4.01

    Recommended Actions:
    Any or all of

    (1) Install one of the maintenance releases indicated below.

    (2) Upgrade to ScreenOS 4.0.1.

    (3) Only permit protocols that make interception and modification
    detectable (IPSec, SSH, SSL, etc.) to traverse the firewall.

    (3) Turn off or readjust SYN-flood protection related parameters to
    minimize exposure to the vulnerability.

    (4) Follow standard good security practices regarding configuration of the
    NetScreen device and communication to and from it that makes interception
    and modification detectable, if not altogether preventable. Examples
    include using IPSec tunnels or SSH to the device for administrative access
    to the CLI, MD5 authentication to protect BGP sessions, strong
    authentication for access control, and so on.

    Release Schedule:
    For a complete release schedule, please visit:
     
    <http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html> http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html

    How to Get ScreenOS:
    If you have registered your product with NetScreen and have a valid
    service contract, you can simply download the software from:
    <http://www.netscreen.com/support/updates.html>
    http://www.netscreen.com/support/updates.html

    You will be prompted for your User ID and Password. Enter the whole or
    part of your company name as your User ID and enter your registered
    NetScreen device serial number as the password.

    If you have not yet registered your product with NetScreen, you will need
    to contact NetScreen Technical Support for special instructions on how to
    obtain the fixed software. NetScreen Technical Support is available 24
    hours a day, 365 days a year. Contact information can be located at
    <http://www.netscreen.com/support/technical_assistance.html>
    http://www.netscreen.com/support/technical_assistance.html

    Please reference this Advisory title as evidence of your entitlement to
    the fixed software version.

    NetScreen authorized Value Added Resellers have access to NetScreen
    software versions and may also be a channel through which to obtain the
    new release.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:security-alert@netscreen.com> NetScreen Security Response Team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages