Information Security News mailing list archives
TCP weakness may be worse than suspected
From: InfoSec News <isn () C4I ORG>
Date: Thu, 15 Mar 2001 22:31:22 -0600
http://www.zdnet.com/eweek/stories/general/0,11011,2696792,00.html

By Dennis Fisher, eWEEK
March 15, 2001 11:07 AM ET

Two days after a security vendor announced it had found a new vulnerability in TCP, only to be lambasted for passing an old problem off as news, the researcher who identified the weakness defended his work and the decision to announce it.

Tim Newsham, senior research scientist at Guardent Inc., said that although the vulnerability he found in the Transmission Control Protocol is closely related to one identified in 1985 by another researcher, it differs in several important ways.

The original problem, described by AT&T's Robert Morris, was that ISNs (Initial Sequence Numbers), which each end of a TCP session picks at connection setup and which the receiving end relies on to decide whether later segments belong to that session, were predictable. An attacker who could predict the ISN a host would choose next could complete a handshake with it while forging the source address of another machine, without ever seeing the SYN-ACK, and so impersonate a host the target trusted.

In response to this discovery, many vendors updated their software to advance the ISN by a random amount for each new connection. This change keeps an attacker from computing the next ISN outright, but Newsham found that a skilled attacker could still glean enough information from other TCP sessions involving the target host to infer the ISN of a connection that is already open, regardless of whether the increments are random. That would enable the attacker to hijack an existing TCP session and mount a number of different attacks.

"What I pointed out is that existing [TCP] connections are still vulnerable even when random increments are used," Newsham said. "It makes no difference if these increments are random or pseudo-random."

No easy fix

In 1996, another AT&T researcher, Steve Bellovin, submitted a proposal to the Internet Engineering Task Force (published as RFC 1948) that fixes the problem. However, he said that some vendors found the solution too CPU-intensive and instead decided to rely on the random-increment method.
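The following simulation is an added example, not code from the article, from Guardent or from any vendor's TCP stack. It models the three ISN generators the article discusses (a fixed per-connection increment, the random increment vendors adopted, and Bellovin's keyed-hash scheme described just below) and runs the same attacker model against each: the attacker opens a connection just before and just after the victim's, reads the two ISNs the target hands out on those connections, and treats the interval between them as the search space, counting one forged segment per receive-window-sized slice. The step sizes, the 64 KB receive window, the bracketing attacker model, the use of HMAC-SHA256 where RFC 1948 suggests MD5, and the addresses and ports are all assumptions of this example.

```python
import hashlib
import hmac
import random

M32 = 0xFFFFFFFF  # TCP sequence numbers are 32 bits wide and wrap


class FixedIncrementISN:
    """1985-era behaviour: the ISN counter advances by a fixed amount per
    connection. The step size is an assumed value, not any specific stack's."""

    def __init__(self, rng, step=64):
        self.isn = rng.getrandbits(32)
        self.step = step

    def next_isn(self, four_tuple):
        self.isn = (self.isn + self.step) & M32
        return self.isn


class RandomIncrementISN:
    """The vendor fix the article describes: one global counter, bumped by a
    random amount per connection. The increment bound is an assumption."""

    def __init__(self, rng, max_step=64_000):
        self.rng = rng
        self.isn = rng.getrandbits(32)
        self.max_step = max_step

    def next_isn(self, four_tuple):
        self.isn = (self.isn + self.rng.randrange(1, self.max_step)) & M32
        return self.isn


class KeyedHashISN:
    """Bellovin's RFC 1948 scheme in outline: ISN = clock + F(4-tuple, secret).
    RFC 1948 suggests MD5 over addresses, ports and a secret; this example
    substitutes HMAC-SHA256 truncated to 32 bits (an assumption)."""

    def __init__(self, secret, tick=1000):
        self.secret = secret
        self.clock = 0
        self.tick = tick

    def next_isn(self, four_tuple):
        src, sport, dst, dport = four_tuple
        msg = f"{src}:{sport}:{dst}:{dport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        f = int.from_bytes(digest[:4], "big")
        self.clock += self.tick  # stands in for the 4-microsecond timer
        return (self.clock + f) & M32


def bracket_attack(gen, victim_tuple, before_tuple, after_tuple, window=65536):
    """Attacker opens a connection just before and just after the victim's,
    learns its own two ISNs and searches the interval between them.
    Returns (victim_in_bracket, guesses): guesses is how many forged segments
    cover the bracket if each lands anywhere in a `window`-byte receive
    window (the acceptance rule assumed by this model)."""
    before = gen.next_isn(before_tuple)
    victim = gen.next_isn(victim_tuple)
    after = gen.next_isn(after_tuple)
    span = (after - before) & M32
    offset = (victim - before) & M32
    in_bracket = 0 < offset <= span
    guesses = -(-span // window)  # ceiling division
    return in_bracket, guesses


VICTIM = ("10.0.0.5", 40001, "10.0.0.1", 513)   # constructed: trusted host -> server
ATTACKER = ("10.0.0.9", 50000, "10.0.0.1", 25)  # constructed: attacker's own probes


def compare_schemes(trials=200, seed=1):
    """Run the bracket attack against each generator over `trials` fresh
    hosts and return {scheme: (hit_rate, mean_guesses)}."""
    results = {}
    for name, make in (
        ("fixed", lambda rng: FixedIncrementISN(rng)),
        ("random_increment", lambda rng: RandomIncrementISN(rng)),
        ("keyed_hash", lambda rng: KeyedHashISN(rng.randbytes(16))),
    ):
        rng = random.Random(seed)
        hits = 0
        total_guesses = 0
        for i in range(trials):
            gen = make(rng)
            before = (ATTACKER[0], ATTACKER[1] + 2 * i, ATTACKER[2], ATTACKER[3])
            after = (ATTACKER[0], ATTACKER[1] + 2 * i + 1, ATTACKER[2], ATTACKER[3])
            hit, guesses = bracket_attack(gen, VICTIM, before, after)
            hits += hit
            total_guesses += guesses
        results[name] = (hits / trials, total_guesses / trials)
    return results


if __name__ == "__main__":
    for name, (hit_rate, guesses) in compare_schemes().items():
        print(f"{name:17s} victim inside bracket in {hit_rate:4.0%} of trials, "
              f"~{guesses:.0f} forged segments to cover it")
```

With a fixed or random increment the victim's ISN always lies between the attacker's two samples, and because each increment is bounded the bracket is a few tens of kilobytes wide, so one or two forged segments suffice whether the increments are random or not. With the keyed hash the two samples are unrelated to the victim's ISN: the "bracket" contains it only by chance and is on average half of the 32-bit space, so the attacker is back to guessing.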
Bellovin added that in light of Newsham's work, the only reliable ways to guard the integrity of TCP sessions are cryptography or his fix, which derives each connection's ISN from a clock plus a hash over the connection's addresses and ports keyed with a per-machine secret, either randomly generated by the machine or installed by an administrator. Because the hash differs for every combination of addresses and ports, the ISNs an attacker observes on his own connections reveal nothing about the ISN of anyone else's.

"What this does is show that the fix the companies used isn't as good as Bellovin's [fix]," said Bruce Schneier, a noted cryptographer and chief technology officer of Counterpane Internet Security Inc. in San Jose, Calif.

Guardent, a Waltham, Mass., security company, announced Monday that it had found a new flaw in TCP but declined to provide much detail for fear that attackers would use the information before vendors could implement fixes. News reports about the announcement generated considerable backlash, with some observers accusing Guardent of using scare tactics to generate publicity for itself.

However, Newsham said he believes the company went about it the right way. "We wanted to make people aware of the problem but still give the vendors a chance to fix it," he said. He added that the company is currently working with the CERT Coordination Center at Carnegie Mellon University and several software vendors to come up with a solution to the problem.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".