Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Cisco :: ciacl053.htm

Cisco IOS Software TCP Initial Sequence Number Improvements



Cisco IOS Software TCP Initial Sequence Number Improvements Privacy and Legal Notice

CIAC

L-053: Cisco IOS Software TCP Initial Sequence Number Improvements

March 2, 2001 16:00 GMT


PROBLEM:

Cisco IOS software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.

PLATFORM:

All released versions of Cisco IOS software running on Cisco routers and switches. Reference the Cisco Security Advisory for more details.

DAMAGE:

Forged packets can be injected into a network from a location outside its boundary so that they are trusted as authentic by the receiving host, thus resulting in a failure of integrity. Such packets could be crafted to gain access or make some other modification to the receiving system in order to attain some goal, such as gaining unauthorized interactive access to a system or compromising stored data.

SOLUTION:

To remove the vulnerability, Cisco is offering free software upgrades for all affected platforms.


VULNERABILITY
ASSESSMENT:

The risk is HIGH. The vulnerability may allow unauthorized access to a machine.


 

[****** Start of Cisco Security Advisory ******]

 

Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number

Randomization Improvements

 

Revision 1.0: INTERIM

 

For Public Release 2001 February 28 18:00 US/Pacific (UTC+0800)

 

------------------------------------------------------------------------

 

Summary

 

Cisco IOS software contains a flaw that permits the successful prediction

of TCP Initial Sequence Numbers.

 

This vulnerability is present in all released versions of Cisco IOS

software running on Cisco routers and switches. It only affects the

security of TCP connections that originate or terminate on the affected

Cisco device itself; it does not apply to TCP traffic forwarded through the

affected device in transit between two other hosts.

 

To remove the vulnerability, Cisco is offering free software upgrades for

all affected platforms. The defect is described in DDTS record CSCds04747.

 

Workarounds are available that limit or deny successful exploitation of the

vulnerability by filtering traffic containing forged IP source addresses at

the perimeter of a network or directly on individual devices.

 

This notice will be posted

at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

 

Affected Products

 

The vulnerability is present in all Cisco routers and switches running

affected releases of Cisco IOS Software.

 

To determine the software running on a Cisco product, log in to the device

and issue the command "show version" to display the system banner. Cisco

IOS software will identify itself as "Internetwork Operating System

Software" or simply "IOS (tm)". On the next line of output, the image name

will be displayed between parentheses, followed by "Version" and the IOS

release name. Other Cisco devices will not have the "show version" command

or will give different output.

 

The following example identifies a Cisco product running IOS release

12.0(3) with an installed image name of C2500-IS-L:

 

     Cisco Internetwork Operating System Software IOS (tm)

     2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

 

Cisco devices that may be running an affected IOS software release include,

but are not limited to:

 

   * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,

     4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.

   * ubr900 and ubr920 universal broadband routers.

   * Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC

     series switches.

   * 5200, 5300, 5800 series access servers.

   * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor

     Module, Catalyst ATM Blade.

   * RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR

     series Cisco routers.

   * DistributedDirector.

   * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

 

Cisco products that do not run Cisco IOS software and are not affected by

the vulnerabilities described in this notice include, but are not limited

to:

 

   * Cisco PIX firewall.

   * Cisco 600 family of routers running CBOS.

   * Host-based network management or access management products.

   * Cisco IP Telephony and telephony management software (except those

     that are hosted on a vulnerable IOS platform).

   * Voice gateways and convergence products (except those that are hosted

     on a vulnerable IOS platform).

 

Details

 

To provide reliable delivery in the Internet, the Transmission Control

Protocol (TCP) makes use of a sequence number in each packet to provide

orderly reassembly of data after arrival, and to notify the sending host of

the successful arrival of the data in each packet.

 

TCP sequence numbers are 32-bit integers in the circular range of 0 to

4,294,967,295. The host devices at both ends of a TCP connection exchange

an Initial Sequence Number (ISN) selected at random from that range as part

of the setup of a new TCP connection. After the session is established and

data transfer begins, the sequence number is regularly augmented by the

number of octets transferred, and transmitted to the other host. To prevent

the receipt and reassembly of duplicate or late packets in a TCP stream,

each host maintains a "window", a range of values close to the expected

sequence number, in which the sequence number in an arriving packet must

fall if it is to be accepted. Assuming a packet arrives with the correct

source and destination IP addresses, source and destination port numbers,

and a sequence number within the allowable window, the receiving host will

accept the packet as genuine.

 

This method provides reasonably good protection against accidental receipt

of unintended data. However, to guard against malicious use, it should not

be possible for an attacker to infer a particular number in the sequence.

If the initial sequence number is not chosen randomly or if it is

incremented in a non-random manner between the initialization of subsequent

TCP sessions, then it is possible, with varying degrees of success, to

forge one half of a TCP connection with another host in order to gain

access to that host, or hijack an existing connection between two hosts in

order to compromise the contents of the TCP connection. To guard against

such compromises, ISNs should be generated as randomly as possible.

 

This defect, documented as DDTS CSCds04747, has been corrected by providing

an improved method for generating TCP Initial Sequence Numbers.

 

Impact

 

Forged packets can be injected into a network from a location outside its

boundary so that they are trusted as authentic by the receiving host, thus

resulting in a failure of integrity. Such packets could be crafted to gain

access or make some other modification to the receiving system in order to

attain some goal, such as gaining unauthorized interactive access to a

system or compromising stored data.

 

- From a position within the network where it is possible to receive the

return traffic (but not necessarily in a position that is directly in the

traffic path), a greater range of violations is possible. For example, the

contents of a message could be diverted, modified, and then returned to the

traffic flow again, causing a failure of integrity and a possible failure

of confidentiality.

 

NOTE: Any compromise using this vulnerability is only possible for TCP

sessions that originate or terminate on the affected Cisco device itself.

It does not apply to TCP traffic that is merely forwarded through the

device.

 

Software Versions and Fixes

 

The following table summarizes the IOS software releases that are known to

be affected, and the earliest estimated dates of availability for the

recommended fixed versions. Dates are always tentative and subject to

change.

 

Each row of the table describes a release train and the platforms or

products for which it is intended. If a given release train is vulnerable,

then the earliest possible releases that contain the fix and the

anticipated date of availability for each are listed in the "Rebuild",

"Interim", and "Maintenance" columns. A device running any release in the

given train that is earlier the release in a specific column (less than the

earliest fixed release) is known to be vulnerable, and it should be

upgraded at least to the indicated release or a later version (greater than

the earliest fixed release label).

 

When selecting a release, keep in mind the following definitions:

 

     Maintenance

          Most heavily tested and highly recommended release of any label

          in a given row of the table.

     Rebuild

          Constructed from the previous maintenance or major release in the

          same train, it contains the fix for a specific defect. Although

          it receives less testing, it contains only the minimal changes

          necessary to effect the repair.

     Interim

          Built at regular intervals between maintenance releases and

          receive less testing. Interims should be selected only if there

          is no other suitable release that addresses the vulnerability,

          and interim images should be upgraded to the next available

          maintenance release as soon as possible. Interim releases are not

          available via manufacturing, and usually they are not available

          for customer download from CCO without prior arrangement with the

          Cisco TAC.

 

In all cases, customers should exercise caution to be certain the devices

to be upgraded contain sufficient memory and that current hardware and

software configurations will continue to be supported properly by the new

release. If the information is not clear, contact the Cisco TAC for

assistance as shown later in this notice.

 

More information on IOS release names and abbreviations is available at

http://www.cisco.com/warp/public/620/1.html.

 

+===========================================================================+

   Train     Description of         Availability of Fixed Releases*

            Image or Platform

+===========================================================================+

     11.0-based Releases          Rebuild      Interim**    Maintenance

+===========================================================================+

                              11.0(22a)

    11.0    Major GD release

            for all platforms 2001-Mar-08

+===========================================================================+

     11.1-based Releases          Rebuild      Interim**    Maintenance

+===========================================================================+

                              11.1(24a)

    11.1    Major release for

            all platforms     2001-Mar-08

+----------+-----------------+---------------+-----------+------------------+

            ED release for    Unavailable

   11.1AA   access servers:   Upgrade recommended to 12.1(7), available

            1600, 3200, and

            5200 series.      2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Platform-specific 11.1(36)CA1

   11.1CA   support for 7500,

            7200, 7000, and

            RSP               2001-Mar-02

+----------+-----------------+---------------+-----------+------------------+

            ISP train: added

            support for FIB,  11.1(36)CC1

   11.1CC   CEF, and NetFlow

            on 7500, 7200,    2001-Mar-02

            7000, and RSP

+----------+-----------------+---------------+-----------+------------------+

            Added support for 12.0(11)ST2

   11.1CT   Tag Switching on

            7500, 7200, 7000,

            and RSP           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

                              11.1(28a)IA1

   11.1IA   Distributed

            Director only     2001-Feb-26

+===========================================================================+

     11.2-based Releases          Rebuild      Interim**    Maintenance

+===========================================================================+

            Major release,    11.2(25a)                   11.2(25)

    11.2    general

            deployment        2001-Mar-05                 Available

+----------+-----------------+---------------+-----------+------------------+

            Platform-specific Unavailable

            support for IBM

   11.2BC   networking, CIP,

            and TN3270 on     Upgrade recommended to 12.1(7), available

            7500, 7000, and   2001-Feb-26

            RSP

+----------+-----------------+---------------+-----------+------------------+

                              Unavailable

   11.2F    Feature train for

            all platforms     Upgrade recommended

+----------+-----------------+---------------+-----------+------------------+

            Early deployment  Unavailable

   11.2GS   release to        Upgrade recommended to 12.0(15)S1,

            support 12000 GSR available 2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

                              11.2(25a)P                  11.2(25)P

   11.2P    New platform

            support           2001-Mar-05                 Available

+----------+-----------------+---------------+-----------+------------------+

                              Unavailable

   11.2SA   Catalyst 2900XL   Upgrade recommended to 12.1WC, available

            switch only

                              2001-Apr-12

+----------+-----------------+---------------+-----------+------------------+

                              Unavailable

  11.2WA3   LightStream 1010  Upgrade recommended to 12.0(10)W5(20,

            ATM switch

                              available 2001-Feb-28

+----------+-----------------+---------------+-----------+------------------+

            Initial release   11.2(25a)P                  11.2(25)P

 11.2(4)XA  for the 1600 and

            3600              2001-Mar-05                 Available

+----------+-----------------+---------------+-----------+------------------+

            Initial release

            for the 5300 and  11.2(25a)P                  11.2(25)P

 11.2(9)XA  digital modem

            support for the   2001-Mar-05                 Available

            3600

+===========================================================================+

     11.3-based Releases          Rebuild      Interim**    Maintenance

+===========================================================================+

                              11.3(11b)

    11.3    Major release for

            all platforms     2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            ED for dial

            platforms and     11.3(11a)AA

   11.3AA   access servers:

            5800, 5200, 5300, 2001-Mar-05

            7200

+----------+-----------------+---------------+-----------+------------------+

            Early deployment  Unavailable

   11.3DA   train for ISP     Upgrade recommended to 12.1(5)DA1,

            DSLAM 6200

            platform          available 2001-Mar-19

+----------+-----------------+---------------+-----------+------------------+

            Early deployment

            train for         Unavailable

            ISP/Telco/PTT

   11.3DB   xDSL broadband

            concentrator      Upgrade recommended to 12.1(4)DB1,

            platform, (NRP)   available 2001-Feb-28

            for 6400

+----------+-----------------+---------------+-----------+------------------+

            Short-lived ED

   11.3HA   release for ISR   Vulnerable

            3300 (SONET/SDH

            router)

+----------+-----------------+---------------+-----------+------------------+

            MC3810            11.3(1)MA8

   11.3MA   functionality

            only              2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Voice over IP,    Unavailable

   11.3NA   media             Upgrade recommended to 12.1(7), available

            convergence,

            various platforms 2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early deployment  11.3(11b)T1

   11.3T    major release,

            feature-rich for

            early adopters    2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Multilayer

            Switching and     Unavailable

            Multiprotocol

            over ATM

  11.3WA4   functionality for

            Catalyst 5000     Upgrade recommended to 12.0(14)W5(20),

            RSM, 4500, 4700,  available 2001-Feb-28

            7200, 7500,

            LightStream 1010

+----------+-----------------+---------------+-----------+------------------+

                              11.3(11b)T1

 11.3(2)XA  Introduction of

            ubr7246 and 2600  2001-Mar-05

+===========================================================================+

     12.0-based Releases          Rebuild      Interim**    Maintenance

+===========================================================================+

            General                                       12.0(15)

    12.0    deployment

            release for all

            platforms                                     Available

+----------+-----------------+---------------+-----------+------------------+

                              Unavailable

   12.0DA   xDSL support:     Upgrade recommended to 12.1(5)DA1,

            6100, 6200

                              available 2001-Mar-19

+----------+-----------------+---------------+-----------+------------------+

            General           Unavailable

   12.0DB   deployment        Upgrade recommended to 12.1(4)DB1,

            release for all

            platforms         available 2001-Feb-28

+----------+-----------------+---------------+-----------+------------------+

            General           Unavailable

   12.0DC   deployment        Upgrade recommended to 12.1(4)DC2,

            release for all

            platforms         available 2001-Feb-28

+----------+-----------------+---------------+-----------+------------------+

                              12.0(14)S1      12.0(14.6)S

   12.0S    Core/ISP support:

            GSR, RSP, c7200   Available       Available

+----------+-----------------+---------------+-----------+------------------+

                              12.0(15)SC1

   12.0SC   Cable/broadband

            ISP: ubr7200      2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

                              12.0(14)SL1

   12.0SL   10000 ESR: c10k

                              2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            General           12.0(11)ST2

   12.0ST   deployment

            release for all

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

                              12.0(5c)E8

   12.0SX   Early Deployment

            (ED)              2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early             Unavailable

            Deployment(ED):

   12.0T    VPN, Distributed

            Director, various Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Catalyst

            switches:

            cat8510c,                                     12.0(14)W5(20)

            cat8540c, c6msm,

            ls1010, cat8510m,

   12.0W5   cat8540m, c5atm,

            c5atm, c3620,

            c3640, c4500,

            c5rsfc, c5rsm,                                2001-Feb-28

            c7200, rsp,

            cat2948g, cat4232

+----------+-----------------+---------------+-----------+------------------+

            General           12.0(13)WT6(1)

   12.0WT   deployment

            release for all

            platforms         2001-Feb-20

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XA   (ED): limited     Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early Unavailable

   12.0XB   deployment        Upgrade recommended to 12.1(7), available

            release           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XC   (ED): limited     Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XD   (ED): limited     Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XE   (ED): limited     Upgrade recommended to 12.1(5)E8,

            platforms         available 2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XF   (ED): limited     Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XG   (ED): limited     Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.0(4)XH5

   12.0XH   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XI   (ED): limited     Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XJ   (ED): limited     Upgrade recommended to 12.1(7), available

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.0(7)XK4

   12.0XK   (ED): limited

            platforms         2001-Mar-19

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.0(4)XH5

   12.0XL   (ED): limited                                 12.1(7)

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.0(5)XM1

   12.0XM   deployment

            release           2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment

   12.0XN   (ED): limited

            platforms

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XP   (ED): limited     Upgrade recommended to 12.1WC, available

            platforms         2001-Apr-12

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early Unavailable

   12.0XQ   deployment        Upgrade recommended to 12.1(7), available

            release           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early Unavailable

   12.0XR   deployment        Upgrade recommended to 12.1(5)T5,

            release           available 2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early Unavailable

   12.0XS   deployment        Upgrade recommended to 12.1(5)E8,

            release           available 2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  Unavailable

   12.0XU   (ED): limited     Upgrade recommended to 12.1WC, available

            platforms         2001-Apr-12

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early Unavailable

   12.0XV   deployment        Upgrade recommended to 12.1(5)T5,

            release           available 2001-Mar-05

+===========================================================================+

     12.1-based and Later

           Releases               Rebuild      Interim**    Maintenance

+===========================================================================+

            General                                       12.1(7)

    12.1    deployment

            release for all

            platforms                                     Available

+----------+-----------------+---------------+-----------+------------------+

                                                          12.1(7)AA

   12.1AA   Dial support

                                                          2001-Mar-12

+----------+-----------------+---------------+-----------+------------------+

                              12.1(5)DA1                  12.1(6)DA

   12.1DA   xDSL support:

            6100, 6200        2001-Feb-28                 Available

+----------+-----------------+---------------+-----------+------------------+

                                                          12.1(4)CX

   12.1CX   Core/ISP support:

            GSR, RSP, c7200                               2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            General           12.1(4)DB1

   12.1DB   deployment

            release for all

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            General           12.1(4)DC2

   12.1DC   deployment

            release for all

            platforms         2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

                              12.1(5c)E8      12.1(5.6)E

   12.1E    Core/ISP support:

            GSR, RSP, c7200   2001-Mar-5

+----------+-----------------+---------------+-----------+------------------+

                              12.1(5)EC1      12.1(4.5)EC

   12.1EC   Core/ISP support:

            GSR, RSP, c7200   2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

                              12.1(5c)EX

   12.1EX   Core/ISP support:

            GSR, RSP, c7200   2001-Mar-5

+----------+-----------------+---------------+-----------+------------------+

            Early

            Deployment(ED):   12.1(5)T5

   12.1T    VPN, Distributed

            Director, various 2001-Mar-05

            platforms

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(5)T5

   12.1XA   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(5)T5

   12.1XB   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(5)T5

   12.1XC   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(5)T5

   12.1XD   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(5)T5

   12.1XE   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(2)XF3

   12.1XF   (ED): 811 and 813

            (c800 images)     2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(3)XG3

   12.1XG   (ED): 800, 805,

            820, and 1600     Available

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(2)XH1

   12.1XH   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(3)XI6

   12.1XI   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment                              Indeterminate

   12.1XJ   (ED): limited

            platforms                                     Unscheduled

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(5)T5

   12.1XK   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(3)XL1

   12.1XL   (ED): limited

            platforms         2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)XM1

   12.1XM   deployment

            release           2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(3)XP3

   12.1XP   (ED): 1700 and

            SOHO              2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(3)XQ1

   12.1XQ   deployment

            release           2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)XR1

   12.1XR   deployment

            release           2001-Feb-20

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early                             12.1(5)XS

   12.1XS   deployment

            release                                       2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

                              12.1(3)XT1

   12.1XT   Early Deployment

            (ED): 1700 series Available

+----------+-----------------+---------------+-----------+------------------+

            Early Deployment  12.1(5)XU1

   12.1XU   (ED): limited

            platforms         2001-Feb-15

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)XV1

   12.1XV   deployment

            release           2001-Mar-05

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)XW2

   12.1XW   deployment

            release           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)XX3

   12.1XX   deployment

            release           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)XY4

   12.1XY   deployment

            release           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)XZ2

   12.1XZ   deployment

            release           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)YA1

   12.1YA   deployment

            release           2001-Feb-28

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early                             12.1(5)YB

   12.1YB   deployment

            release                                       2001-Feb-13

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early 12.1(5)YC1

   12.1YC   deployment

            release           2001-Feb-26

+----------+-----------------+---------------+-----------+------------------+

            Short-lived early                             12.1(5)YD

   12.1YD   deployment

            release                                       2001-Mar-12

+===========================================================================+

                                  Notes

+===========================================================================+

 * All dates are estimated and subject to change.

 

 ** Interim releases are subjected to less rigorous testing than regular

 maintenance releases, and may have serious bugs.

+===========================================================================+

 

Obtaining Fixed Software

 

Cisco is offering free software upgrades to remedy this vulnerability for

all affected customers. Customers with service contracts may upgrade to any

software release. Customers without contracts may upgrade only within a

single row of the table above, except that any available fixed software

release will be provided to any customer who can use it and for whom the

standard fixed software release is not yet available. Customers may install

only the feature sets they have purchased.

 

Note that not all fixed software may be available as of the release date of

this notice.

 

Customers with contracts should obtain upgraded software through their

regular update channels. For most customers, this means that upgrades

should be obtained via Cisco's Software Center at http://www.cisco.com/.

 

Customers without contracts or warranty should get their upgrades by

contacting the Cisco Technical Assistance Center (TAC) as shown below:

 

   * (800) 553-2447 (toll-free in North America)

   * +1 408 526 7209 (toll call from anywhere in the world)

   * e-mail: tac@cisco.com

 

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for

additional TAC contact information, including instructions and e-mail

addresses for use in various languages.

 

Give the URL of this notice as evidence of your entitlement to a free

upgrade. Free upgrades for non-contract customers must be requested through

the TAC. Please do not contact either "psirt@cisco.com" or

"security-alert@cisco.com" for software upgrades; faster results will be

obtained by contacting the TAC directly.

 

Workarounds

 

There is no specific configurable workaround to directly address the

possibility of predicting a TCP Initial Sequence Number. To prevent

malicious use of this vulnerability from inside the network, ensure that

transport that makes interception and modification detectable, if not

altogether preventable, is in use as appropriate. Examples include using

IPSEC or SSH to the Cisco device for interactive session, MD5

authentication to protect BGP sessions, strong authentication for access

control, and so on.

 

Malicious use of this vulnerability from a position outside the

administrative boundaries of the network can be mitigated, if not prevented

entirely, by using access control lists to prevent the injection of packets

with forged source or destination IP addresses.

 

Exploitation and Public Announcements

 

The general case of this vulnerability in TCP is well-known to the

information system security community. Details specific to TCP connections

to or from Cisco products do not appear to be widely known and the topic

does not appear to have been widely discussed.

 

Cisco is not aware of instances in which this vulnerability has been used

maliciously. However, there are numerous off-the-shelf programs and scripts

available which can demonstrate the vulnerability and which could be

modified to exploit it with malicious intent. Various security scanning

programs have been known to provide positive test results for this

vulnerability on Cisco devices.

 

This vulnerability was discovered internally. Two customers reported the

vulnerability while a fix was still in progress.

 

Status of This Notice: INTERIM

 

This is an interim security advisory. Cisco anticipates issuing updated

versions of this notice at irregular intervals as there are material

changes in the facts, and will continue to update this notice as necessary.

The reader is warned that this notice may contain inaccurate or incomplete

information. Although Cisco cannot guarantee the accuracy of all statements

in this notice, all of the facts have been checked to the best of our

ability. Cisco anticipates issuing monthly updates of this notice until it

reaches FINAL status.

 

A standalone copy or paraphrase of the text of this security advisory that

omits the following URL is an uncontrolled copy, and may lack important

information or contain factual errors.

 

Distribution

 

This notice will be posted

at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

 

In addition to Worldwide Web posting, a text version of this notice will be

clear-signed with the Cisco PSIRT PGP key and will be posted to the

following e-mail and Usenet news recipients:

 

   * cust-security-announce@cisco.com

   * bugtraq@securityfocus.com

   * first-teams@first.org (including CERT/CC)

   * cisco@spot.colorado.edu

   * cisco-nsp@puck.nether.net

   * comp.dcom.sys.cisco

   * Various internal Cisco mailing lists

 

Future updates of this notice, if any, will be placed on Cisco's Worldwide

Web server, but may or may not be actively announced on mailing lists or

newsgroups. Users concerned about this problem are encouraged to check the

URL given above for any updates.

 

Revision History

 

 Revision 1.0  2001-Feb-28 Initial public release

 

Cisco Product Security Incident Procedures

 

The page at

http://www.cisco.com/warp/public/707/sec_incident_response.shtml contains

instructions for reporting security vulnerabilities in Cisco products,

obtaining assistance with customer security incidents, registering to

receive security information from Cisco, and making press inquiries

regarding Cisco Security Advisories. This document is Cisco's complete

public statement regarding this product security vulnerability.

 

  ------------------------------------------------------------------------

Copyright 2001 by Cisco Systems, Inc. This notice may not be redistributed

in any form without the advance knowledge and consent of the Cisco Product

Security Incident Response Team.

  ------------------------------------------------------------------------

 

[****** End of Cisco Security Advisory ******]

 

CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the information contained in this bulletin.


CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH