             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

           Cisco IOS Software TCP Initial Sequence Number Improvements

March 2, 2001 15:00 GMT                                           Number L-053
______________________________________________________________________________
PROBLEM:       Cisco IOS software contains a flaw that permits the successful
               prediction of TCP Initial Sequence Numbers.
PLATFORM:      All released versions of Cisco IOS software running on Cisco
               routers and switches. Reference the Cisco Security Advisory
               for more details.
DAMAGE:        Forged packets can be injected into a network from a location
               outside its boundary so that they are trusted as authentic by
               the receiving host, thus resulting in a failure of integrity.
               Such packets could be crafted to gain access or make some
               other modification to the receiving system in order to attain
               some goal, such as gaining unauthorized interactive access to
               a system or compromising stored data.
SOLUTION:      To remove the vulnerability, Cisco is offering free software
               upgrades for all affected platforms.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The vulnerability may allow unauthorized
ASSESSMENT:    access to a machine.
______________________________________________________________________________

[****** Start of Cisco Security Advisory ******]

Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number
Randomization Improvements

Revision 1.0: INTERIM

For Public Release 2001 February 28 18:00 US/Pacific (UTC-0800)

------------------------------------------------------------------------

Summary

Cisco IOS software contains a flaw that permits the successful prediction of
TCP Initial Sequence Numbers.
This vulnerability is present in all released versions of Cisco IOS software
running on Cisco routers and switches. It only affects the security of TCP
connections that originate or terminate on the affected Cisco device itself;
it does not apply to TCP traffic forwarded through the affected device in
transit between two other hosts.

To remove the vulnerability, Cisco is offering free software upgrades for all
affected platforms. The defect is described in DDTS record CSCds04747.

Workarounds are available that limit or deny successful exploitation of the
vulnerability by filtering traffic containing forged IP source addresses at
the perimeter of a network or directly on individual devices.

This notice will be posted at
http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

Affected Products

The vulnerability is present in all Cisco routers and switches running
affected releases of Cisco IOS Software. To determine the software running on
a Cisco product, log in to the device and issue the command "show version" to
display the system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS (tm)". On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices will not
have the "show version" command or will give different output.

The following example identifies a Cisco product running IOS release 12.0(3)
with an installed image name of C2500-IS-L:

   Cisco Internetwork Operating System Software
   IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

Cisco devices that may be running an affected IOS software release include,
but are not limited to:

   * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500,
     4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
   * ubr900 and ubr920 universal broadband routers.
   * Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC series
     switches.
   * 5200, 5300, 5800 series access servers.
   * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor
     Module, Catalyst ATM Blade.
   * RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR
     series Cisco routers.
   * DistributedDirector.
   * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

Cisco products that do not run Cisco IOS software and are not affected by the
vulnerability described in this notice include, but are not limited to:

   * Cisco PIX firewall.
   * Cisco 600 family of routers running CBOS.
   * Host-based network management or access management products.
   * Cisco IP Telephony and telephony management software (except those that
     are hosted on a vulnerable IOS platform).
   * Voice gateways and convergence products (except those that are hosted on
     a vulnerable IOS platform).

Details

To provide reliable delivery in the Internet, the Transmission Control
Protocol (TCP) makes use of a sequence number in each packet to provide
orderly reassembly of data after arrival, and to notify the sending host of
the successful arrival of the data in each packet. TCP sequence numbers are
32-bit integers in the circular range of 0 to 4,294,967,295. The host devices
at both ends of a TCP connection exchange an Initial Sequence Number (ISN)
selected at random from that range as part of the setup of a new TCP
connection. After the session is established and data transfer begins, the
sequence number is regularly augmented by the number of octets transferred,
and transmitted to the other host.

To prevent the receipt and reassembly of duplicate or late packets in a TCP
stream, each host maintains a "window", a range of values close to the
expected sequence number, in which the sequence number in an arriving packet
must fall if it is to be accepted.
Assuming a packet arrives with the correct source and destination IP
addresses, source and destination port numbers, and a sequence number within
the allowable window, the receiving host will accept the packet as genuine.
This method provides reasonably good protection against accidental receipt of
unintended data. However, to guard against malicious use, it should not be
possible for an attacker to infer a particular number in the sequence. If the
initial sequence number is not chosen randomly, or if it is incremented in a
non-random manner between the initialization of subsequent TCP sessions, then
it is possible, with varying degrees of success, to forge one half of a TCP
connection with another host in order to gain access to that host, or to
hijack an existing connection between two hosts in order to compromise the
contents of the TCP connection. To guard against such compromises, ISNs
should be generated as randomly as possible. (The established design for
this, RFC 1948, is not a uniformly random ISN: it adds a keyed hash of the
connection's address and port 4-tuple to the clock-driven value of RFC 793,
so that the offsets a peer observes on its own connections reveal nothing
about the ISN chosen for a connection with a different 4-tuple, while the
ISNs for any one 4-tuple still advance with the clock and stale segments
from an earlier connection stay outside the window.)

This defect, documented as DDTS CSCds04747, has been corrected by providing
an improved method for generating TCP Initial Sequence Numbers.

Impact

Forged packets can be injected into a network from a location outside its
boundary so that they are trusted as authentic by the receiving host, thus
resulting in a failure of integrity. Such packets could be crafted to gain
access or make some other modification to the receiving system in order to
attain some goal, such as gaining unauthorized interactive access to a system
or compromising stored data.

From a position within the network where it is possible to receive the return
traffic (but not necessarily in a position that is directly in the traffic
path), a greater range of violations is possible. For example, the contents
of a message could be diverted, modified, and then returned to the traffic
flow again, causing a failure of integrity and a possible failure of
confidentiality.
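The window check and the two ISN strategies discussed in the Details section
above, as an added example that is not part of the Cisco advisory or of any
Cisco code. The weak generator is an illustrative fixed-increment model of
the flaw class; the advisory does not disclose Cisco's actual IOS algorithm
and this is not a reconstruction of it. The keyed generator follows RFC 1948.
The secret, addresses, ports and clock values are constructed for the
demonstration, and the use of HMAC-SHA256 as the keyed function F is an
assumption (RFC 1948 leaves the choice open).

```python
"""Added example, not from the Cisco advisory: how the choice of ISN decides
whether an off-path forger can land a segment inside the receiver's window."""
import hashlib
import hmac
import os
import time

MOD = 1 << 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test for a segment whose first byte is `seq`, in
    modular 32-bit arithmetic so that wrap-around at 2^32 is handled."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def weak_isn_samples(n, start=0x1000, step=64000):
    """Illustrative weak generator: a fixed increment per new connection.
    It models the flaw class the advisory describes; the advisory does not
    publish Cisco's actual algorithm and this is not a reconstruction of it."""
    return [(start + i * step) % MOD for i in range(n)]


class KeyedIsnSource:
    """ISN = M(t) + F(4-tuple, secret), the RFC 1948 scheme.
    M(t) is the RFC 793 250 kHz clock (one tick per 4 microseconds).
    F is a keyed hash of (src, sport, dst, dport): a peer can watch the ISNs
    on its own connections without learning the offset used for any other
    4-tuple, while ISNs for one 4-tuple still advance with the clock so that
    stale segments from an earlier incarnation fall outside the window."""

    def __init__(self, secret=None):
        # Assumed: a per-boot random secret; RFC 1948 leaves its source open.
        self.secret = os.urandom(16) if secret is None else secret

    def isn(self, src, sport, dst, dport, now=None):
        now = time.time() if now is None else now
        m = int(now * 250000) % MOD
        tup = f"{src}:{sport}->{dst}:{dport}".encode()
        f = int.from_bytes(hmac.new(self.secret, tup, hashlib.sha256).digest()[:4], "big")
        return (m + f) % MOD


def predicted_fraction(samples, rcv_wnd=16384):
    """Scanner-style test on consecutive ISN samples: guess each ISN by
    repeating the previous delta and count how often the guess lands inside
    a window of rcv_wnd bytes at the true value. 1.0 means every forged
    segment would be accepted; near 0 means the forger is left with a search
    of about 2^32 / rcv_wnd candidates. Use rcv_wnd=1 for the handshake case,
    where the third-packet ACK has to match the peer's ISN exactly."""
    trials = hits = 0
    for i in range(2, len(samples)):
        guess = (2 * samples[i - 1] - samples[i - 2]) % MOD
        trials += 1
        if seq_in_window(guess, samples[i], rcv_wnd):
            hits += 1
    return hits / trials if trials else 0.0


def keyed_isn_samples(source, n, now=1_000_000.0):
    """What a probing host sees: it opens n connections to the same service
    from successive ephemeral ports, so every sample uses a different 4-tuple.
    Addresses and ports are constructed for the demonstration."""
    return [source.isn("198.51.100.7", 40000 + i, "192.0.2.1", 23, now)
            for i in range(n)]


if __name__ == "__main__":
    print("fixed-increment ISNs predicted:", predicted_fraction(weak_isn_samples(50)))
    print("RFC 1948 ISNs predicted:",
          predicted_fraction(keyed_isn_samples(KeyedIsnSource(b"demo-secret"), 50)))
```

The point the sampling test makes is that the probing host and the forged
connection never share a 4-tuple, so under the keyed scheme the deltas the
prober measures carry no information about the ISN it needs; for one fixed
4-tuple the ISN still moves by exactly the clock term, which is the property
TCP relies on to reject old duplicates.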
NOTE: Any compromise using this vulnerability is only possible for TCP
sessions that originate or terminate on the affected Cisco device itself. It
does not apply to TCP traffic that is merely forwarded through the device.

Software Versions and Fixes

The following table summarizes the IOS software releases that are known to be
affected, and the earliest estimated dates of availability for the
recommended fixed versions. Dates are always tentative and subject to change.

Each row of the table describes a release train and the platforms or products
for which it is intended. If a given release train is vulnerable, then the
earliest possible releases that contain the fix and the anticipated date of
availability for each are listed in the "Rebuild", "Interim", and
"Maintenance" columns. A device running any release in the given train that
is earlier than the release in a specific column (less than the earliest
fixed release) is known to be vulnerable, and it should be upgraded at least
to the indicated release or a later version (greater than the earliest fixed
release label).

When selecting a release, keep in mind the following definitions:

Maintenance
   Most heavily tested and highly recommended release of any label in a
   given row of the table.

Rebuild
   Constructed from the previous maintenance or major release in the same
   train, it contains the fix for a specific defect. Although it receives
   less testing, it contains only the minimal changes necessary to effect the
   repair.

Interim
   Built at regular intervals between maintenance releases and receives less
   testing. Interims should be selected only if there is no other suitable
   release that addresses the vulnerability, and interim images should be
   upgraded to the next available maintenance release as soon as possible.
   Interim releases are not available via manufacturing, and usually they are
   not available for customer download from CCO without prior arrangement
   with the Cisco TAC.
In all cases, customers should exercise caution to be certain the devices to
be upgraded contain sufficient memory and that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, contact the Cisco TAC for assistance as shown
later in this notice.

More information on IOS release names and abbreviations is available at
http://www.cisco.com/warp/public/620/1.html.

In the table below each train is followed by the description of the image or
platform and by the availability of fixed releases*, given per column type
(Rebuild, Interim**, Maintenance) with the estimated availability date.
"Available" means the release was already posted when this notice was
written. Where a train has no fixed release of its own, the row names the
release to which an upgrade is recommended.

+===========================================================================+
| 11.0-based Releases                                                       |
+===========================================================================+
 11.0        Major GD release for all platforms
             Rebuild 11.0(22a): 2001-Mar-08

+===========================================================================+
| 11.1-based Releases                                                       |
+===========================================================================+
 11.1        Major release for all platforms
             Rebuild 11.1(24a): 2001-Mar-08

 11.1AA      ED release for access servers: 1600, 3200, and 5200 series
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 11.1CA      Platform-specific support for 7500, 7200, 7000, and RSP
             Rebuild 11.1(36)CA1: 2001-Mar-02

 11.1CC      ISP train: added support for FIB, CEF, and NetFlow on 7500,
             7200, 7000, and RSP
             Rebuild 11.1(36)CC1: 2001-Mar-02

 11.1CT      Added support for Tag Switching on 7500, 7200, 7000, and RSP
             Fixed release 12.0(11)ST2: 2001-Feb-26

 11.1IA      Distributed Director only
             Rebuild 11.1(28a)IA1: 2001-Feb-26

+===========================================================================+
| 11.2-based Releases                                                       |
+===========================================================================+
 11.2        Major release, general deployment
             Rebuild 11.2(25a): 2001-Mar-05; Maintenance 11.2(25): Available

 11.2BC      Platform-specific support for IBM networking, CIP, and TN3270
             on 7500, 7000, and RSP
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 11.2F       Feature train for all platforms
             Unavailable; upgrade recommended

 11.2GS      Early deployment release to support 12000 GSR
             Unavailable; upgrade recommended to 12.0(15)S1, available
             2001-Feb-26

 11.2P       New platform support
             Rebuild 11.2(25a)P: 2001-Mar-05; Maintenance 11.2(25)P:
             Available

 11.2SA      Catalyst 2900XL switch only
             Unavailable; upgrade recommended to 12.1WC, available
             2001-Apr-12

 11.2WA3     LightStream 1010 ATM switch
             Unavailable; upgrade recommended to 12.0(10)W5(20, available
             2001-Feb-28

 11.2(4)XA   Initial release for the 1600 and 3600
             Rebuild 11.2(25a)P: 2001-Mar-05; Maintenance 11.2(25)P:
             Available

 11.2(9)XA   Initial release for the 5300 and digital modem support for the
             3600
             Rebuild 11.2(25a)P: 2001-Mar-05; Maintenance 11.2(25)P:
             Available

+===========================================================================+
| 11.3-based Releases                                                       |
+===========================================================================+
 11.3        Major release for all platforms
             Rebuild 11.3(11b): 2001-Mar-05

 11.3AA      ED for dial platforms and access servers: 5800, 5200, 5300,
             7200
             Rebuild 11.3(11a)AA: 2001-Mar-05

 11.3DA      Early deployment train for ISP DSLAM 6200 platform
             Unavailable; upgrade recommended to 12.1(5)DA1, available
             2001-Mar-19

 11.3DB      Early deployment train for ISP/Telco/PTT xDSL broadband
             concentrator platform (NRP) for 6400
             Unavailable; upgrade recommended to 12.1(4)DB1, available
             2001-Feb-28

 11.3HA      Short-lived ED release for ISR 3300 (SONET/SDH router)
             Vulnerable

 11.3MA      MC3810 functionality only
             Rebuild 11.3(1)MA8: 2001-Mar-05

 11.3NA      Voice over IP, media convergence, various platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 11.3T       Early deployment major release, feature-rich for early
             adopters
             Rebuild 11.3(11b)T1: 2001-Mar-05

 11.3WA4     Multilayer Switching and Multiprotocol over ATM functionality
             for Catalyst 5000 RSM, 4500, 4700, 7200, 7500, LightStream 1010
             Unavailable; upgrade recommended to 12.0(14)W5(20), available
             2001-Feb-28

 11.3(2)XA   Introduction of ubr7246 and 2600
             Rebuild 11.3(11b)T1: 2001-Mar-05

+===========================================================================+
| 12.0-based Releases                                                       |
+===========================================================================+
 12.0        General deployment release for all platforms
             Maintenance 12.0(15): Available

 12.0DA      xDSL support: 6100, 6200
             Unavailable; upgrade recommended to 12.1(5)DA1, available
             2001-Mar-19

 12.0DB      General deployment release for all platforms
             Unavailable; upgrade recommended to 12.1(4)DB1, available
             2001-Feb-28

 12.0DC      General deployment release for all platforms
             Unavailable; upgrade recommended to 12.1(4)DC2, available
             2001-Feb-28

 12.0S       Core/ISP support: GSR, RSP, c7200
             Rebuild 12.0(14)S1: Available; Interim 12.0(14.6)S: Available

 12.0SC      Cable/broadband ISP: ubr7200
             Rebuild 12.0(15)SC1: 2001-Feb-26

 12.0SL      10000 ESR: c10k
             Rebuild 12.0(14)SL1: 2001-Feb-26

 12.0ST      General deployment release for all platforms
             Rebuild 12.0(11)ST2: 2001-Feb-26

 12.0SX      Early Deployment (ED)
             Rebuild 12.0(5c)E8: 2001-Feb-26

 12.0T       Early Deployment (ED): VPN, Distributed Director, various
             platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0W5      Catalyst switches: cat8510c, cat8540c, c6msm, ls1010, cat8510m,
             cat8540m, c5atm, c5atm, c3620, c3640, c4500, c5rsfc, c5rsm,
             c7200, rsp, cat2948g, cat4232
             Rebuild 12.0(14)W5(20): 2001-Feb-28

 12.0WT      General deployment release for all platforms
             Rebuild 12.0(13)WT6(1): 2001-Feb-20

 12.0XA      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XB      Short-lived early deployment release
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XC      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XD      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XE      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(5)E8, available
             2001-Mar-05

 12.0XF      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XG      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XH      Early Deployment (ED): limited platforms
             Rebuild 12.0(4)XH5: 2001-Mar-05

 12.0XI      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XJ      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XK      Early Deployment (ED): limited platforms
             Rebuild 12.0(7)XK4: 2001-Mar-19

 12.0XL      Early Deployment (ED): limited platforms
             Rebuild 12.0(4)XH5: 2001-Mar-05; or 12.1(7)

 12.0XM      Short-lived early deployment release
             Rebuild 12.0(5)XM1: 2001-Mar-05

 12.0XN      Early Deployment (ED): limited platforms
             (no fixed release listed)

 12.0XP      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1WC, available
             2001-Apr-12

 12.0XQ      Short-lived early deployment release
             Unavailable; upgrade recommended to 12.1(7), available
             2001-Feb-26

 12.0XR      Short-lived early deployment release
             Unavailable; upgrade recommended to 12.1(5)T5, available
             2001-Mar-05

 12.0XS      Short-lived early deployment release
             Unavailable; upgrade recommended to 12.1(5)E8, available
             2001-Mar-05

 12.0XU      Early Deployment (ED): limited platforms
             Unavailable; upgrade recommended to 12.1WC, available
             2001-Apr-12

 12.0XV      Short-lived early deployment release
             Unavailable; upgrade recommended to 12.1(5)T5, available
             2001-Mar-05

+===========================================================================+
| 12.1-based and Later Releases                                             |
+===========================================================================+
 12.1        General deployment release for all platforms
             Maintenance 12.1(7): Available

 12.1AA      Dial support
             Rebuild 12.1(7)AA: 2001-Mar-12

 12.1DA      xDSL support: 6100, 6200
             Rebuild 12.1(5)DA1: 2001-Feb-28; Interim 12.1(6)DA: Available

 12.1CX      Core/ISP support: GSR, RSP, c7200
             Rebuild 12.1(4)CX: 2001-Mar-05

 12.1DB      General deployment release for all platforms
             Rebuild 12.1(4)DB1: 2001-Feb-26

 12.1DC      General deployment release for all platforms
             Rebuild 12.1(4)DC2: 2001-Feb-26

 12.1E       Core/ISP support: GSR, RSP, c7200
             Rebuild 12.1(5c)E8: 2001-Mar-05; Interim 12.1(5.6)E

 12.1EC      Core/ISP support: GSR, RSP, c7200
             Rebuild 12.1(5)EC1: 2001-Feb-26; Interim 12.1(4.5)EC

 12.1EX      Core/ISP support: GSR, RSP, c7200
             Rebuild 12.1(5c)EX: 2001-Mar-05

 12.1T       Early Deployment (ED): VPN, Distributed Director, various
             platforms
             Rebuild 12.1(5)T5: 2001-Mar-05

 12.1XA      Early Deployment (ED): limited platforms
             Rebuild 12.1(5)T5: 2001-Mar-05

 12.1XB      Early Deployment (ED): limited platforms
             Rebuild 12.1(5)T5: 2001-Mar-05

 12.1XC      Early Deployment (ED): limited platforms
             Rebuild 12.1(5)T5: 2001-Mar-05

 12.1XD      Early Deployment (ED): limited platforms
             Rebuild 12.1(5)T5: 2001-Mar-05

 12.1XE      Early Deployment (ED): limited platforms
             Rebuild 12.1(5)T5: 2001-Mar-05

 12.1XF      Early Deployment (ED): 811 and 813 (c800 images)
             Rebuild 12.1(2)XF3: 2001-Mar-05

 12.1XG      Early Deployment (ED): 800, 805, 820, and 1600
             Rebuild 12.1(3)XG3: Available

 12.1XH      Early Deployment (ED): limited platforms
             Rebuild 12.1(2)XH1: 2001-Mar-05

 12.1XI      Early Deployment (ED): limited platforms
             Rebuild 12.1(3)XI6: 2001-Mar-05

 12.1XJ      Early Deployment (ED): limited platforms
             Indeterminate; unscheduled

 12.1XK      Early Deployment (ED): limited platforms
             Rebuild 12.1(5)T5: 2001-Mar-05

 12.1XL      Early Deployment (ED): limited platforms
             Rebuild 12.1(3)XL1: 2001-Mar-05

 12.1XM      Short-lived early deployment release
             Rebuild 12.1(5)XM1: 2001-Mar-05

 12.1XP      Early Deployment (ED): 1700 and SOHO
             Rebuild 12.1(3)XP3: 2001-Mar-05

 12.1XQ      Short-lived early deployment release
             Rebuild 12.1(3)XQ1: 2001-Mar-05

 12.1XR      Short-lived early deployment release
             Rebuild 12.1(5)XR1: 2001-Feb-20

 12.1XS      Short-lived early deployment release
             Rebuild 12.1(5)XS: 2001-Mar-05

 12.1XT      Early Deployment (ED): 1700 series
             Rebuild 12.1(3)XT1: Available

 12.1XU      Early Deployment (ED): limited platforms
             Rebuild 12.1(5)XU1: 2001-Feb-15

 12.1XV      Short-lived early deployment release
             Rebuild 12.1(5)XV1: 2001-Mar-05

 12.1XW      Short-lived early deployment release
             Rebuild 12.1(5)XW2: 2001-Feb-26

 12.1XX      Short-lived early deployment release
             Rebuild 12.1(5)XX3: 2001-Feb-26

 12.1XY      Short-lived early deployment release
             Rebuild 12.1(5)XY4: 2001-Feb-26

 12.1XZ      Short-lived early deployment release
             Rebuild 12.1(5)XZ2: 2001-Feb-26

 12.1YA      Short-lived early deployment release
             Rebuild 12.1(5)YA1: 2001-Feb-28

 12.1YB      Short-lived early deployment release
             Rebuild 12.1(5)YB: 2001-Feb-13

 12.1YC      Short-lived early deployment release
             Rebuild 12.1(5)YC1: 2001-Feb-26

 12.1YD      Short-lived early deployment release
             Rebuild 12.1(5)YD: 2001-Mar-12

+===========================================================================+
| Notes                                                                     |
+===========================================================================+
  *  All dates are estimated and subject to change.
  ** Interim releases are subjected to less rigorous testing than regular
     maintenance releases, and may have serious bugs.
+===========================================================================+

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all
affected customers. Customers with service contracts may upgrade to any
software release. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software
release will be provided to any customer who can use it and for whom the
standard fixed software release is not yet available. Customers may install
only the feature sets they have purchased. Note that not all fixed software
may be available as of the release date of this notice.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades should
be obtained via Cisco's Software Center at http://www.cisco.com/.

Customers without contracts or warranty should get their upgrades by
contacting the Cisco Technical Assistance Center (TAC) as shown below:

   * (800) 553-2447 (toll-free in North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including instructions and e-mail
addresses for use in various languages.

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades; faster results will be obtained by contacting the TAC
directly.

Workarounds

There is no specific configurable workaround to directly address the
possibility of predicting a TCP Initial Sequence Number.

To prevent malicious use of this vulnerability from inside the network,
ensure that a transport that makes interception and modification detectable,
if not altogether preventable, is in use as appropriate. Examples include
using IPSEC or SSH to the Cisco device for interactive sessions, MD5
authentication to protect BGP sessions, strong authentication for access
control, and so on.

Malicious use of this vulnerability from a position outside the
administrative boundaries of the network can be mitigated, if not prevented
entirely, by using access control lists to prevent the injection of packets
with forged source or destination IP addresses. Such filters stop an outside
host from claiming an inside address; they do nothing against a forger who
impersonates an address the filter does not cover, which is why the
transport-level protections above are still needed for sessions that cross
the network boundary.

Exploitation and Public Announcements

The general case of this vulnerability in TCP is well-known to the
information system security community. Details specific to TCP connections
to or from Cisco products do not appear to be widely known and the topic does
not appear to have been widely discussed.

Cisco is not aware of instances in which this vulnerability has been used
maliciously. However, there are numerous off-the-shelf programs and scripts
available which can demonstrate the vulnerability and which could be modified
to exploit it with malicious intent. Various security scanning programs have
been known to provide positive test results for this vulnerability on Cisco
devices.

This vulnerability was discovered internally. Two customers reported the
vulnerability while a fix was still in progress.

Status of This Notice: INTERIM

This is an interim security advisory.
Cisco anticipates issuing updated versions of this notice at irregular
intervals as there are material changes in the facts, and will continue to
update this notice as necessary. The reader is warned that this notice may
contain inaccurate or incomplete information. Although Cisco cannot guarantee
the accuracy of all statements in this notice, all of the facts have been
checked to the best of our ability. Cisco anticipates issuing monthly updates
of this notice until it reaches FINAL status.

A standalone copy or paraphrase of the text of this security advisory that
omits the following URL is an uncontrolled copy, and may lack important
information or contain factual errors.

Distribution

This notice will be posted at
http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

In addition to Worldwide Web posting, a text version of this notice will be
clear-signed with the Cisco PSIRT PGP key and will be posted to the following
e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@securityfocus.com
   * first-teams@first.org (including CERT/CC)
   * cisco@spot.colorado.edu
   * cisco-nsp@puck.nether.net
   * comp.dcom.sys.cisco
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History

   Revision 1.0   2001-Feb-28   Initial public release

Cisco Product Security Incident Procedures

The page at http://www.cisco.com/warp/public/707/sec_incident_response.shtml
contains instructions for reporting security vulnerabilities in Cisco
products, obtaining assistance with customer security incidents, registering
to receive security information from Cisco, and making press inquiries
regarding Cisco Security Advisories. This document is Cisco's complete public
statement regarding this product security vulnerability.
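The "MD5 authentication to protect BGP sessions" recommended in the
Workarounds section above is the TCP MD5 Signature Option of RFC 2385. What
follows is an added example, not code from the advisory or from Cisco, that
builds a signed segment and checks it the way a receiving router would; it
shows why a forger who has predicted the sequence number correctly, and has
the right addresses and ports, is still rejected without the shared key. The
addresses, ports, payload and key are constructed for the demonstration, and
the helper names are this example's own.

```python
"""Added example, not from the Cisco advisory: the RFC 2385 TCP MD5 Signature
Option, the mechanism behind 'MD5 authentication to protect BGP sessions'."""
import hashlib
import hmac
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19      # RFC 2385 option kind
MD5_OPT_LEN = 18       # kind + length + 16-byte digest


def _ip(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_tcp_header(sport, dport, seq, ack, flags, window=65535, options=b""):
    """Fixed 20-byte TCP header plus options, NOP-padded to a 32-bit boundary.
    The checksum field is left zero; it is filled in over the finished
    segment by the sending stack and is irrelevant to the signature."""
    opts = options + b"\x01" * (-len(options) % 4)
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0) + opts


def tcp_md5_digest(src, dst, segment, key):
    """RFC 2385 section 2, in this order: the pseudo-header (source address,
    destination address, zero, protocol, TCP segment length including
    options), the fixed TCP header with the checksum zeroed and all options
    excluded, the segment data, and finally the shared key."""
    data_offset = (segment[12] >> 4) * 4
    fixed_header = segment[:16] + b"\x00\x00" + segment[18:20]
    payload = segment[data_offset:]
    pseudo = _ip(src) + _ip(dst) + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return hashlib.md5(pseudo + fixed_header + payload + key).digest()


def sign_segment(src, dst, sport, dport, seq, ack, flags, payload, key):
    """Build a segment carrying the MD5 option and fill in its digest.
    The option itself is excluded from the digest, so a placeholder can be
    laid out first and overwritten once the digest is known."""
    placeholder = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + b"\x00" * 16
    segment = build_tcp_header(sport, dport, seq, ack, flags, options=placeholder) + payload
    digest = tcp_md5_digest(src, dst, segment, key)
    return segment[:22] + digest + segment[38:]   # digest occupies bytes 22..37


def find_md5_option(segment):
    """Walk the option list (RFC 793 kinds 0 = end, 1 = NOP) and return the
    carried digest, or None if the segment is unsigned or malformed."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:
            return None
        if kind == 1:
            i += 1
            continue
        if i + 1 >= data_offset:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None


def verify_segment(src, dst, segment, key):
    """Receiver's check: a segment with the right addresses, ports and a
    correctly guessed sequence number is still dropped unless its digest was
    computed with the shared key. The constant-time compare avoids leaking
    how many digest bytes matched."""
    carried = find_md5_option(segment)
    if carried is None:
        return False
    return hmac.compare_digest(carried, tcp_md5_digest(src, dst, segment, key))


# Constructed demonstration values: two BGP speakers and a shared secret.
PEER_A, PEER_B, KEY = "192.0.2.1", "192.0.2.2", b"demo-shared-secret"
PSH_ACK = 0x18


def demo():
    """Returns (genuine accepted, forged-with-wrong-key accepted,
    forged-without-option accepted). The forgeries reuse the genuine
    segment's addresses, ports and sequence numbers, i.e. an ISN guess
    that was entirely correct."""
    genuine = sign_segment(PEER_A, PEER_B, 179, 40000, 1000, 2000, PSH_ACK,
                           b"constructed payload", KEY)
    forged = sign_segment(PEER_A, PEER_B, 179, 40000, 1000, 2000, PSH_ACK,
                          b"constructed payload", b"guessed-key")
    unsigned = build_tcp_header(179, 40000, 1000, 2000, PSH_ACK) + b"constructed payload"
    return (verify_segment(PEER_A, PEER_B, genuine, KEY),
            verify_segment(PEER_A, PEER_B, forged, KEY),
            verify_segment(PEER_A, PEER_B, unsigned, KEY))


if __name__ == "__main__":
    print(demo())
```

Because the source and destination addresses are part of the pseudo-header,
a signed segment replayed with the peers swapped also fails, and because the
payload is covered, in-flight modification of the data is detected; that is
the "interception and modification detectable" property the Workarounds
section asks for, independent of how predictable the ISN is.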
------------------------------------------------------------------------

Copyright 2001 by Cisco Systems, Inc. This notice may not be redistributed in any form without the advance knowledge and consent of the Cisco Product Security Incident Response Team.

------------------------------------------------------------------------

[****** End of Cisco Security Advisory ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the information contained in this bulletin.

_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-042: Compaq Web-enabled Management Software Buffer Overflow
L-043: Microsoft NTLMSSP Privilege Elevation Vulnerability
L-044: Microsoft Network DDE Agent Request Vulnerability
L-045: Red Hat Linux 'sysctl, ptrace, & mxcsr P4 ' Vulnerability
L-046: The VBS.AnnaKournikova Worm
L-047: OpenSSH SSH1 Coding Error and Server Key Vulnerability
L-048: Red Hat Linux "vixie-cron buffer overflow username crontab"
L-049: Microsoft "Malformed Request to Domain Controller"
L-051: Microsoft "Windows 2000 Event Viewer" Vulnerability
L-052: Cisco IOS Software SNMP Read-Write ILMI Community String
