Cisco IOS Software TCP Initial Sequence Number Improvements

CIAC INFORMATION BULLETIN

L-053: Cisco IOS Software TCP Initial Sequence Number Improvements

March 2, 2001 16:00 GMT

PROBLEM:

Cisco IOS software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.

PLATFORM:

All released versions of Cisco IOS software running on Cisco routers and switches. Reference the Cisco Security Advisory for more details.

DAMAGE:

Forged packets can be injected into a network from a location outside its boundary so that they are trusted as authentic by the receiving host, thus resulting in a failure of integrity. Such packets could be crafted to gain access or make some other modification to the receiving system in order to attain some goal, such as gaining unauthorized interactive access to a system or compromising stored data.

SOLUTION:

To remove the vulnerability, Cisco is offering free software upgrades for all affected platforms.

VULNERABILITY ASSESSMENT:

The risk is HIGH. The vulnerability may allow unauthorized access to a machine.

[****** Start of Cisco Security Advisory ******]

Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number Randomization Improvements

Revision 1.0: INTERIM

For Public Release 2001 February 28 18:00 US/Pacific (UTC-0800)

------------------------------------------------------------------------

Summary

Cisco IOS software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS software running on Cisco routers and switches. It only affects the security of TCP connections that originate or terminate on the affected Cisco device itself (management sessions to the device, and routing-protocol sessions such as BGP that the device terminates, are examples); it does not apply to TCP traffic forwarded through the affected device in transit between two other hosts.

To remove the vulnerability, Cisco is offering free software upgrades for all affected platforms. The defect is described in DDTS record CSCds04747.

Workarounds are available that limit or deny successful exploitation of the vulnerability by filtering traffic containing forged IP source addresses at the perimeter of a network or directly on individual devices.

This notice will be posted at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

Affected Products

The vulnerability is present in all Cisco routers and switches running affected releases of Cisco IOS Software.

To determine the software running on a Cisco product, log in to the device and issue the command "show version" to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS (tm)". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output.

The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:

     Cisco Internetwork Operating System Software IOS (tm)
     2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

Cisco devices that may be running an affected IOS software release include, but are not limited to:

   * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
   * ubr900 and ubr920 universal broadband routers.
   * Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC series switches.
   * 5200, 5300, 5800 series access servers.
   * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor Module, Catalyst ATM Blade.
   * RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR series Cisco routers.
   * DistributedDirector.
   * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

Cisco products that do not run Cisco IOS software and are not affected by the vulnerability described in this notice include, but are not limited to:

   * Cisco PIX firewall.
   * Cisco 600 family of routers running CBOS.
   * Host-based network management or access management products.
   * Cisco IP Telephony and telephony management software (except those that are hosted on a vulnerable IOS platform).
   * Voice gateways and convergence products (except those that are hosted on a vulnerable IOS platform).

Details

To provide reliable delivery in the Internet, the Transmission Control Protocol (TCP) makes use of a sequence number in each packet to provide orderly reassembly of data after arrival, and to notify the sending host of the successful arrival of the data in each packet.

TCP sequence numbers are 32-bit integers in the circular range of 0 to 4,294,967,295. The host devices at both ends of a TCP connection exchange an Initial Sequence Number (ISN) selected at random from that range as part of the setup of a new TCP connection. After the session is established and data transfer begins, the sequence number is regularly augmented by the number of octets transferred, and transmitted to the other host. To prevent the receipt and reassembly of duplicate or late packets in a TCP stream, each host maintains a "window", a range of values close to the expected sequence number, in which the sequence number in an arriving packet must fall if it is to be accepted. Assuming a packet arrives with the correct source and destination IP addresses, source and destination port numbers, and a sequence number within the allowable window, the receiving host will accept the packet as genuine.

This method provides reasonably good protection against accidental receipt of unintended data. However, to guard against malicious use, it should not be possible for an attacker to infer a particular number in the sequence. If the initial sequence number is not chosen randomly, or if it is incremented in a non-random manner between the initialization of subsequent TCP sessions, then it is possible, with varying degrees of success, to forge one half of a TCP connection with another host in order to gain access to that host, or to hijack an existing connection between two hosts in order to compromise the contents of the TCP connection. To guard against such compromises, ISNs should be generated as randomly as possible.

This defect, documented as DDTS CSCds04747, has been corrected by providing an improved method for generating TCP Initial Sequence Numbers.

Impact

Forged packets can be injected into a network from a location outside its boundary so that they are trusted as authentic by the receiving host, thus resulting in a failure of integrity. Such packets could be crafted to gain access or make some other modification to the receiving system in order to attain some goal, such as gaining unauthorized interactive access to a system or compromising stored data.

From a position within the network where it is possible to receive the return traffic (but not necessarily in a position that is directly in the traffic path), a greater range of violations is possible. For example, the contents of a message could be diverted, modified, and then returned to the traffic flow again, causing a failure of integrity and a possible failure of confidentiality.

NOTE: Any compromise using this vulnerability is only possible for TCP sessions that originate or terminate on the affected Cisco device itself. It does not apply to TCP traffic that is merely forwarded through the device.
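The attack that the Details and Impact sections describe, modelled in Python as an added example. This is not code from the Cisco advisory, and it does not describe the IOS generator the advisory fixes: IsnGenerator is a hypothetical host whose "counter" policy adds a fixed step per new connection (a generic weak scheme chosen only to make prediction concrete), predict_next_isn is the attacker's extrapolation from ISNs it learned by opening its own connections, and handshake_completes and segment_in_window are the RFC 793 checks that decide whether a blindly spoofed handshake, and data injected afterwards, are accepted. Running the same attack against the "random" policy shows what a properly randomized ISN buys. All names are this example's own.

```python
"""Why a predictable ISN lets a blind attacker forge half a TCP connection.

Added example, not code from the Cisco advisory. The "counter" policy is a
hypothetical weak generator (fixed increment per new connection) used only to
make prediction concrete; the advisory does not describe the IOS algorithm.
"""
import secrets
from collections import Counter

SEQ_MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


class IsnGenerator:
    """Chooses the Initial Sequence Number a host uses for each new connection."""

    def __init__(self, policy, start=0x1000_0000, step=64):
        if policy not in ("counter", "random"):
            raise ValueError("unknown policy %r" % policy)
        self.policy, self.last, self.step = policy, start, step

    def next_isn(self):
        if self.policy == "counter":
            # Hypothetical weak scheme: every new connection adds a fixed step.
            self.last = (self.last + self.step) % SEQ_MOD
            return self.last
        return secrets.randbelow(SEQ_MOD)  # unpredictable, as the fix intends


def predict_next_isn(observed):
    """Attacker's inference: assume a constant per-connection increment, take
    the most common delta between consecutive observed ISNs and extrapolate."""
    if len(observed) < 2:
        raise ValueError("need at least two observed ISNs to estimate a step")
    deltas = [(b - a) % SEQ_MOD for a, b in zip(observed, observed[1:])]
    step = Counter(deltas).most_common(1)[0][0]
    return (observed[-1] + step) % SEQ_MOD


def handshake_completes(forged_ack, victim_isn):
    """In SYN-RECEIVED the server only accepts ACK == ISS+1 (RFC 793), so the
    blind third packet must name the victim's ISN exactly."""
    return forged_ack == (victim_isn + 1) % SEQ_MOD


def segment_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND (mod 2^32).
    Once a session exists, injected data only has to land inside this window."""
    return (seg_seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def blind_spoof(gen, probes=4):
    """The attacker opens `probes` ordinary connections from its own address to
    learn the victim's recent ISNs, then sends a SYN carrying a trusted host's
    source address. The SYN-ACK goes to the trusted host, so the ISN that must
    be acknowledged is never seen; it is guessed. Returns True if the guess
    completes the handshake, i.e. the forged half-connection is taken as genuine."""
    observed = [gen.next_isn() for _ in range(probes)]
    guess = predict_next_isn(observed)
    victim_isn = gen.next_isn()  # picked for the spoofed SYN; unseen by the attacker
    return handshake_completes((guess + 1) % SEQ_MOD, victim_isn)


if __name__ == "__main__":
    print("counter ISNs, blind spoof completes:", blind_spoof(IsnGenerator("counter")))
    print("random ISNs,  blind spoof completes:", blind_spoof(IsnGenerator("random")))
    # Window check across the 32-bit wrap: both segments fall inside an 8192-byte window.
    print(segment_in_window(0xFFFF_FFF0, 0xFFFF_FF00, 8192),
          segment_in_window(0x0000_0010, 0xFFFF_FF00, 8192))
```

Run as a script it reports True for the counter policy and False for the random one. Two practical points follow from the model: the blind attacker needs the ISN exactly, so even a few bits of genuine unpredictability raise the cost sharply; and the spoofed SYN is exactly what the workaround mentioned in the Summary removes, since a packet with a forged source address that is dropped at the perimeter never reaches the point where the guess matters.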

 

Software Versions and Fixes

The following table summarizes the IOS software releases that are known to be affected, and the earliest estimated dates of availability for the recommended fixed versions. Dates are always tentative and subject to change.

Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the "Rebuild", "Interim", and "Maintenance" columns. A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).

When selecting a release, keep in mind the following definitions:

     Maintenance
          Most heavily tested and highly recommended release of any label in a given row of the table.
     Rebuild
          Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific defect. Although it receives less testing, it contains only the minimal changes necessary to effect the repair.
     Interim
          Built at regular intervals between maintenance releases and receives less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco TAC.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown later in this notice.

More information on IOS release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html.
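A check of one device against the table, added here as an example and not Cisco tooling: it parses the "show version" banner quoted under Affected Products, splits the IOS release label into its train and a comparable key, and applies the rule above (earlier than the earliest fixed release listed for the train means vulnerable). EARLIEST_FIXED is a short excerpt of the table that follows, not the whole of it; the sample banner is constructed from the advisory's own example; and the label grammar it assumes is the one the table uses, e.g. 12.0(14)S1, 12.1(5c)E8, 12.0(14.6)S and 12.0(14)W5(20). Trains whose row says only "Unavailable, upgrade recommended to ..." are deliberately left out, since no in-train comparison applies to them.

```python
"""Check an IOS device against the advisory's fixed-release table.

Added example, not Cisco tooling. It parses the `show version` banner and
decodes IOS release labels of the form major.minor(maint[.interim][letter])
[TRAIN][n][(m)] as used in the table, e.g. 12.0(14)S1, 12.1(5c)E8,
12.0(14.6)S, 12.0(14)W5(20). EARLIEST_FIXED is an excerpt of the table only.
"""
import re

# Excerpt of the advisory table: train -> earliest fixed releases listed for it.
# Trains whose row only says "Unavailable, upgrade to another train" are omitted.
EARLIEST_FIXED = {
    "11.0": ["11.0(22a)"],
    "11.1": ["11.1(24a)"],
    "11.2": ["11.2(25a)", "11.2(25)"],
    "11.3": ["11.3(11b)"],
    "12.0": ["12.0(15)"],
    "12.0S": ["12.0(14)S1", "12.0(14.6)S"],
    "12.1": ["12.1(7)"],
    "12.1E": ["12.1(5c)E8", "12.1(5.6)E"],
}

_RELEASE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?:\.(?P<interim>\d+))?(?P<rebuild>[a-z]?)\)"
    r"(?P<train>[A-Z]*)(?P<trainnum>\d*)(?:\((?P<sub>\d+)\))?$"
)
_BANNER = re.compile(r"\((?P<image>[A-Za-z0-9_-]+)\),\s+Version\s+(?P<version>[^,\s]+)")

# Constructed from the banner quoted in the advisory's Affected Products section.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software IOS (tm)
2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
"""


def parse_release(label):
    """Return (train, kind, key). `kind` is "interim" for labels such as
    12.0(14.6)S and "release" for maintenance/rebuild labels; the two kinds are
    ordered separately because an interim is a snapshot between maintenance
    releases, not a rebuild of one. Within a kind, `key` orders releases by
    maintenance number, interim number, rebuild letter, train number, sub-number."""
    m = _RELEASE.match(label)
    if not m:
        raise ValueError("unrecognised IOS release label: %r" % label)
    g = m.groupdict()
    train = "%s.%s%s" % (g["major"], g["minor"], g["train"])
    kind = "interim" if g["interim"] is not None else "release"
    rebuild = ord(g["rebuild"]) - ord("a") + 1 if g["rebuild"] else 0
    key = (int(g["maint"]), int(g["interim"] or 0), rebuild,
           int(g["trainnum"] or 0), int(g["sub"] or 0))
    return train, kind, key


def assess(label, table=EARLIEST_FIXED):
    """'fixed' if the running release is at or beyond a fixed release of the
    same kind listed for its train, 'vulnerable' if it is earlier than all of
    them, 'not in table' if the excerpt says nothing usable for that train."""
    train, kind, key = parse_release(label)
    candidates = [parse_release(f)[2] for f in table.get(train, [])
                  if parse_release(f)[1] == kind]
    if not candidates:
        return "not in table"
    return "fixed" if any(key >= c for c in candidates) else "vulnerable"


def parse_show_version(output):
    """Extract (image, release) from `show version`; None if it is not an IOS banner."""
    if ("Internetwork Operating System Software" not in output
            and "IOS (tm)" not in output):
        return None
    m = _BANNER.search(output)
    return (m.group("image"), m.group("version")) if m else None


def check_device(output, table=EARLIEST_FIXED):
    """(image, release, verdict) for one device's `show version` output, or None."""
    parsed = parse_show_version(output)
    if parsed is None:
        return None
    image, version = parsed
    return image, version, assess(version, table)


if __name__ == "__main__":
    print(check_device(SAMPLE_SHOW_VERSION))  # ('C2500-IS-L', '12.0(3)', 'vulnerable')
```

Interim labels are compared only with the Interim column and maintenance/rebuild labels only with the other two, because a rebuild such as 12.1(5a)E2 is not later than the interim 12.1(5.6)E merely because "a" sorts after no letter. The "not in table" verdict is the signal to read the row by hand rather than a clean bill of health.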

 

+===========================================================================+
   Train       Description of image or platform
               Availability of fixed releases* (earliest fixed release in the
               Rebuild, Interim** or Maintenance column, with its estimated
               availability date)
+===========================================================================+
   11.0-based Releases
+---------------------------------------------------------------------------+
   11.0        Major GD release for all platforms
               Rebuild: 11.0(22a), 2001-Mar-08
+===========================================================================+
   11.1-based Releases
+---------------------------------------------------------------------------+
   11.1        Major release for all platforms
               Rebuild: 11.1(24a), 2001-Mar-08
+---------------------------------------------------------------------------+
   11.1AA      ED release for access servers: 1600, 3200, and 5200 series
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   11.1CA      Platform-specific support for 7500, 7200, 7000, and RSP
               Rebuild: 11.1(36)CA1, 2001-Mar-02
+---------------------------------------------------------------------------+
   11.1CC      ISP train: added support for FIB, CEF, and NetFlow on 7500,
               7200, 7000, and RSP
               Rebuild: 11.1(36)CC1, 2001-Mar-02
+---------------------------------------------------------------------------+
   11.1CT      Added support for Tag Switching on 7500, 7200, 7000, and RSP
               Rebuild: 12.0(11)ST2, 2001-Feb-26
+---------------------------------------------------------------------------+
   11.1IA      DistributedDirector only
               Rebuild: 11.1(28a)IA1, 2001-Feb-26
+===========================================================================+
   11.2-based Releases
+---------------------------------------------------------------------------+
   11.2        Major release, general deployment
               Rebuild: 11.2(25a), 2001-Mar-05.  Maintenance: 11.2(25), available
+---------------------------------------------------------------------------+
   11.2BC      Platform-specific support for IBM networking, CIP, and TN3270
               on 7500, 7000, and RSP
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   11.2F       Feature train for all platforms
               Unavailable. Upgrade recommended
+---------------------------------------------------------------------------+
   11.2GS      Early deployment release to support 12000 GSR
               Unavailable. Upgrade recommended to 12.0(15)S1, available 2001-Feb-26
+---------------------------------------------------------------------------+
   11.2P       New platform support
               Rebuild: 11.2(25a)P, 2001-Mar-05.  Maintenance: 11.2(25)P, available
+---------------------------------------------------------------------------+
   11.2SA      Catalyst 2900XL switch only
               Unavailable. Upgrade recommended to 12.1WC, available 2001-Apr-12
+---------------------------------------------------------------------------+
   11.2WA3     LightStream 1010 ATM switch
               Unavailable. Upgrade recommended to 12.0(10)W5(20, available 2001-Feb-28
+---------------------------------------------------------------------------+
   11.2(4)XA   Initial release for the 1600 and 3600
               Rebuild: 11.2(25a)P, 2001-Mar-05.  Maintenance: 11.2(25)P, available
+---------------------------------------------------------------------------+
   11.2(9)XA   Initial release for the 5300 and digital modem support for the 3600
               Rebuild: 11.2(25a)P, 2001-Mar-05.  Maintenance: 11.2(25)P, available
+===========================================================================+
   11.3-based Releases
+---------------------------------------------------------------------------+
   11.3        Major release for all platforms
               Rebuild: 11.3(11b), 2001-Mar-05
+---------------------------------------------------------------------------+
   11.3AA      ED for dial platforms and access servers: 5800, 5200, 5300, 7200
               Rebuild: 11.3(11a)AA, 2001-Mar-05
+---------------------------------------------------------------------------+
   11.3DA      Early deployment train for ISP DSLAM 6200 platform
               Unavailable. Upgrade recommended to 12.1(5)DA1, available 2001-Mar-19
+---------------------------------------------------------------------------+
   11.3DB      Early deployment train for ISP/Telco/PTT xDSL broadband
               concentrator platform (NRP) for 6400
               Unavailable. Upgrade recommended to 12.1(4)DB1, available 2001-Feb-28
+---------------------------------------------------------------------------+
   11.3HA      Short-lived ED release for ISR 3300 (SONET/SDH router)
               Vulnerable; no fixed release listed
+---------------------------------------------------------------------------+
   11.3MA      MC3810 functionality only
               Rebuild: 11.3(1)MA8, 2001-Mar-05
+---------------------------------------------------------------------------+
   11.3NA      Voice over IP, media convergence, various platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   11.3T       Early deployment major release, feature-rich for early adopters
               Rebuild: 11.3(11b)T1, 2001-Mar-05
+---------------------------------------------------------------------------+
   11.3WA4     Multilayer Switching and Multiprotocol over ATM functionality
               for Catalyst 5000 RSM, 4500, 4700, 7200, 7500, LightStream 1010
               Unavailable. Upgrade recommended to 12.0(14)W5(20), available 2001-Feb-28
+---------------------------------------------------------------------------+
   11.3(2)XA   Introduction of ubr7246 and 2600
               Rebuild: 11.3(11b)T1, 2001-Mar-05
+===========================================================================+
   12.0-based Releases
+---------------------------------------------------------------------------+
   12.0        General deployment release for all platforms
               Maintenance: 12.0(15), available
+---------------------------------------------------------------------------+
   12.0DA      xDSL support: 6100, 6200
               Unavailable. Upgrade recommended to 12.1(5)DA1, available 2001-Mar-19
+---------------------------------------------------------------------------+
   12.0DB      General deployment release for all platforms
               Unavailable. Upgrade recommended to 12.1(4)DB1, available 2001-Feb-28
+---------------------------------------------------------------------------+
   12.0DC      General deployment release for all platforms
               Unavailable. Upgrade recommended to 12.1(4)DC2, available 2001-Feb-28
+---------------------------------------------------------------------------+
   12.0S       Core/ISP support: GSR, RSP, c7200
               Rebuild: 12.0(14)S1, available.  Interim: 12.0(14.6)S, available
+---------------------------------------------------------------------------+
   12.0SC      Cable/broadband ISP: ubr7200
               Rebuild: 12.0(15)SC1, 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0SL      10000 ESR: c10k
               Rebuild: 12.0(14)SL1, 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0ST      General deployment release for all platforms
               Rebuild: 12.0(11)ST2, 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0SX      Early Deployment (ED)
               Rebuild: 12.0(5c)E8, 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0T       Early Deployment (ED): VPN, Distributed Director, various platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0W5      Catalyst switches: cat8510c, cat8540c, c6msm, ls1010, cat8510m,
               cat8540m, c5atm, c3620, c3640, c4500, c5rsfc, c5rsm, c7200, rsp,
               cat2948g, cat4232
               Maintenance: 12.0(14)W5(20), 2001-Feb-28
+---------------------------------------------------------------------------+
   12.0WT      General deployment release for all platforms
               Rebuild: 12.0(13)WT6(1), 2001-Feb-20
+---------------------------------------------------------------------------+
   12.0XA      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XB      Short-lived early deployment release
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XC      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XD      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XE      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(5)E8, available 2001-Mar-05
+---------------------------------------------------------------------------+
   12.0XF      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XG      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XH      Early Deployment (ED): limited platforms
               Rebuild: 12.0(4)XH5, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.0XI      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XJ      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XK      Early Deployment (ED): limited platforms
               Rebuild: 12.0(7)XK4, 2001-Mar-19
+---------------------------------------------------------------------------+
   12.0XL      Early Deployment (ED): limited platforms
               Rebuild: 12.0(4)XH5, 2001-Mar-05.  Maintenance: 12.1(7)
+---------------------------------------------------------------------------+
   12.0XM      Short-lived early deployment release
               Rebuild: 12.0(5)XM1, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.0XN      Early Deployment (ED): limited platforms
               No fixed release listed
+---------------------------------------------------------------------------+
   12.0XP      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1WC, available 2001-Apr-12
+---------------------------------------------------------------------------+
   12.0XQ      Short-lived early deployment release
               Unavailable. Upgrade recommended to 12.1(7), available 2001-Feb-26
+---------------------------------------------------------------------------+
   12.0XR      Short-lived early deployment release
               Unavailable. Upgrade recommended to 12.1(5)T5, available 2001-Mar-05
+---------------------------------------------------------------------------+
   12.0XS      Short-lived early deployment release
               Unavailable. Upgrade recommended to 12.1(5)E8, available 2001-Mar-05
+---------------------------------------------------------------------------+
   12.0XU      Early Deployment (ED): limited platforms
               Unavailable. Upgrade recommended to 12.1WC, available 2001-Apr-12
+---------------------------------------------------------------------------+
   12.0XV      Short-lived early deployment release
               Unavailable. Upgrade recommended to 12.1(5)T5, available 2001-Mar-05
+===========================================================================+
   12.1-based and Later Releases
+---------------------------------------------------------------------------+
   12.1        General deployment release for all platforms
               Maintenance: 12.1(7), available
+---------------------------------------------------------------------------+
   12.1AA      Dial support
               Maintenance: 12.1(7)AA, 2001-Mar-12
+---------------------------------------------------------------------------+
   12.1DA      xDSL support: 6100, 6200
               Rebuild: 12.1(5)DA1, 2001-Feb-28.  Maintenance: 12.1(6)DA, available
+---------------------------------------------------------------------------+
   12.1CX      Core/ISP support: GSR, RSP, c7200
               Maintenance: 12.1(4)CX, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.1DB      General deployment release for all platforms
               Rebuild: 12.1(4)DB1, 2001-Feb-26
+---------------------------------------------------------------------------+
   12.1DC      General deployment release for all platforms
               Rebuild: 12.1(4)DC2, 2001-Feb-26
+---------------------------------------------------------------------------+
   12.1E       Core/ISP support: GSR, RSP, c7200
               Rebuild: 12.1(5c)E8, 2001-Mar-05.  Interim: 12.1(5.6)E
+---------------------------------------------------------------------------+
   12.1EC      Core/ISP support: GSR, RSP, c7200
               Rebuild: 12.1(5)EC1, 2001-Feb-26.  Interim: 12.1(4.5)EC
+---------------------------------------------------------------------------+
   12.1EX      Core/ISP support: GSR, RSP, c7200
               Rebuild: 12.1(5c)EX, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.1T       Early Deployment (ED): VPN, Distributed Director, various platforms
               Rebuild: 12.1(5)T5, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.1XA      Early Deployment (ED): limited platforms
               Rebuild: 12.1(5)T5, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.1XB      Early Deployment (ED): limited platforms
               Rebuild: 12.1(5)T5, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.1XC      Early Deployment (ED): limited platforms
               Rebuild: 12.1(5)T5, 2001-Mar-05
+---------------------------------------------------------------------------+
   12.1XD      Early Deployment (ED): limited platforms
               Rebuild: 12.1(5)T5, 2001-Mar-05
+---------------------------------------------------------------------------+
            Early Deployment