Predictable TCP ISN in Packeteer PacketShaper

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Predictable TCP ISN in Packeteer PacketShaper
From: nnposter@xxxxxxxxxxxxx
Date: 18 May 2007 13:36:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Predictable TCP ISN in Packeteer PacketShaper


Critical: Less critical
Impact: Connection spoofing, DoS
Where: Local network

Product: Packeteer PacketShaper
http://www.packetshaper.com/


Description: The TCP/IP stack of Packeteer PacketShaper is generating 
predictable initial sequence numbers (ISN): The sequence number is incremented 
by 128000 per second and by 64000 per connection. (As an example, if the 
current SYN/ACK ISN is 319104000 then about six seconds later the ISN is likely 
to be 319936000.) This allows an attacker to spoof connections from trusted 
clients or launch a DoS attack.


This type of vulnerability has been described over ten years ago in:

* CERT Advisory CA-1995-01
  http://www.cert.org/advisories/CA-1995-01.html

* RFC 1948
  http://www.faqs.org/rfcs/rfc1948.html


The vulnerability has been identified in versions 7.3.0g2 and 7.5.0g1. However, 
other versions may be also affected.


Solution:
Restrict network access to the device management interfaces


Found by:
nnposter

Prev by Date: Re: Re: Defeating Citibank Virtual Keyboard protection using screenshot method
Next by Date: [OpenPKG-SA-2007.017] OpenPKG Security Advisory (ratbox)
Previous by thread: eSyndiCat Input Validation Error Vulnerability
Next by thread: [OpenPKG-SA-2007.017] OpenPKG Security Advisory (ratbox)
Index(es):
- Date
- Thread