Predictable Initial Sequence Numbers
05/08/2001
Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at predictable initial sequence number attacks; a format string vulnerability in minicom; a buffer overflow in mailx; a new version of GnuPG; and problems in the SAP R/3 demo, Bugzilla, and Red Hat Linux 7.1's mount package.
Many systems have statistical weaknesses in the way they generate TCP initial sequence numbers (ISNs), which may allow an attacker who cannot see the traffic to reset or hijack TCP sessions.
If attackers know, or can closely estimate, the initial sequence number and the amount of data that has been sent since, they may be able to close the TCP session, hijack it, or inject arbitrary data. The attacker does not need to know the exact next sequence number: a flood of spoofed packets covering the likely range is enough, because the one packet that carries an acceptable number will be accepted. If the set of plausible sequence numbers is small enough, it becomes practical to send one packet for every number in the set, and the more bandwidth the attacker has, the larger the set that can be covered this way.
To protect against these attacks, many operating systems choose the initial sequence number of each new session with a pseudo-random number generator. A new study by Michal Zalewski ("Strange Attractors and TCP/IP Sequence Number Analysis") has shown that many of these generators are statistically weak: the relationship between successive ISNs can be learned from a sample of connections and then used to narrow the guess set, making sequence number-based attacks not just possible, but practical.
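The analysis the column refers to can be reproduced in miniature. The following is an added example, not code from the column or from Zalewski's study: it models two hypothetical ISN generators (their parameters are assumptions, chosen to be illustrative), builds the delayed-coordinate points (x, y, z) = (s[n-2]-s[n-3], s[n-1]-s[n-2], s[n]-s[n-1]) from a run of observed ISNs, and uses the points near the current (x, y) to guess the next ISN. It also counts how many spoofed RSTs would be needed to cover the guess set, given that a RST is accepted whenever its sequence number falls anywhere in the receiver's window.

```python
"""Delayed-coordinate (phase-space) test for TCP initial sequence numbers.

Added example, not code from the column or from Zalewski's study. Two
hypothetical ISN generators are modelled; the 64000 step and the jitter
range are assumptions, not measurements of any real stack.
"""
import random

MOD = 1 << 32  # sequence numbers are 32-bit and wrap


def weak_isn_stream(n, seed=1):
    """Assumed weak generator: a fixed 64000 step per connection plus a
    little jitter, in the style of older stacks (illustrative values)."""
    rng = random.Random(seed)
    s = rng.getrandbits(32)
    out = []
    for _ in range(n):
        s = (s + 64000 + rng.randrange(256)) % MOD
        out.append(s)
    return out


def strong_isn_stream(n, seed=1):
    """Stand-in for a strong generator: each ISN an independent 32-bit value
    (a seeded PRNG is used here only so the run is reproducible)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def delta(a, b):
    """Signed difference b - a modulo 2^32, so a wrap does not look like a jump."""
    d = (b - a) % MOD
    return d - MOD if d >= MOD // 2 else d


def attractor(samples):
    """The (x, y, z) delayed-coordinate points of an observed ISN sequence."""
    return [(delta(samples[n - 3], samples[n - 2]),
             delta(samples[n - 2], samples[n - 1]),
             delta(samples[n - 1], samples[n]))
            for n in range(3, len(samples))]


def guess_set(points, last3, radius):
    """Candidates for the ISN that follows the three observed in last3: for
    every attractor point whose (x, y) lies within radius of the current
    (x', y'), predict last + z."""
    s0, s1, s2 = last3
    xp, yp = delta(s0, s1), delta(s1, s2)
    return {(s2 + z) % MOD for x, y, z in points
            if abs(x - xp) <= radius and abs(y - yp) <= radius}


def rst_packets_needed(cands, rcv_wnd=16384):
    """A RST is accepted if its sequence number falls anywhere in the
    receiver's window (RFC 793), so one spoofed RST covers rcv_wnd
    consecutive candidates. Greedy count of packets covering the guess set."""
    need, cover_end = 0, None
    for c in sorted(cands):
        if cover_end is None or c >= cover_end:
            need += 1
            cover_end = c + rcv_wnd
    return need


def evaluate(stream_fn, train=2000, trials=200, radius=512, seed=7):
    """Learn the attractor from `train` ISNs, then for `trials` further
    connections check whether the true next ISN is in the guess set.
    Returns (hit_rate, mean_guess_set_size, mean_rst_packets)."""
    samples = stream_fn(train + trials + 3, seed)
    points = attractor(samples[:train])
    hits = size = packets = 0
    for n in range(train, train + trials):
        cands = guess_set(points, samples[n - 3:n], radius)
        hits += samples[n] in cands
        size += len(cands)
        packets += rst_packets_needed(cands)
    return hits / trials, size / trials, packets / trials


if __name__ == "__main__":
    for name, fn in (("weak", weak_isn_stream), ("strong", strong_isn_stream)):
        hit, size, pkts = evaluate(fn)
        print(f"{name}: hit rate {hit:.2f}, guess set {size:.0f}, RSTs to spray {pkts:.1f}")
```

For the weak generator the guess set collapses to a few hundred values spanning less than one receive window, so a single spoofed RST per attempt succeeds almost every time. For the strong generator the guess set is empty at this radius, and widening it only lets the candidates spread toward the full 32-bit space: with a 16 KB window that is on the order of 2^32 / 16384, roughly 262,000 spoofed packets for one blind reset, which is the bandwidth-bound case the column describes.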
Operating systems reported to be safe from practical attacks are Cisco IOS, OpenBSD 2.8-current, FreeBSD 4.3-RELEASE, AIX, HP/UX 11i, and all Linux kernels released after 1996.
Versions of Solaris from 2.6 onward are reported to be safe once support for strong initial sequence numbers has been turned on. To make the setting permanent, set the value of TCP_STRONG_ISS to 2 in the file /etc/default/inetinit, which is read at boot. To change the value on a running system without a reboot, use the command ndd -set /dev/tcp tcp_strong_iss 2; note that an ndd change alone is lost at the next reboot unless the file is updated as well.
HP/UX version 11.00 can be made safe by applying TRANSPORT patch PHNE_22397. Versions of HP/UX before 10.30 should have the TRANSPORT Megapatch PHNE_5361 applied, after which the system should be tuned using
IRIX 6.5.3 and later can be made safe with the tcpiss_md5 tunable kernel parameter, which is off by default. Turn it on with the command /usr/sbin/systune -b tcpiss_md5 1, and verify it with the command /usr/sbin/systune tcpiss_md5, which should return tcpiss_md5 = 1 (0x1).
Compaq has announced that they are investigating the impact of this problem on their Tru64 Unix and OpenVMS operating systems and that their customers should watch for further information.
The best long-term protection against these attacks is cryptographic. The available protections fall into two categories: solutions that operate above the transport layer, such as SSL and SSH, and solutions that operate at the network layer, such as IPSec.
Solutions above the transport layer protect against session hijacking and data injection, because an attacker who does not hold the session keys cannot produce data that passes the integrity check and the session fails rather than accepting it. They do not protect against denial of service by spoofed packets that reset the connection: the reset is processed by TCP, below the encrypted layer, before SSL or SSH ever see a byte.
Network-layer solutions authenticate every packet before it reaches TCP, so they protect against hijacking and injection and also prevent denial of service by spoofed resets: a packet that fails authentication is discarded and never reaches the TCP state machine. This holds only if the policy requires protection for all traffic between the two hosts; if cleartext packets are still accepted alongside the protected ones, a spoofed cleartext reset can bypass the protection.
minicom, a widely distributed serial communications application, has several format string vulnerabilities that can be exploited by local users to execute arbitrary commands as the user uucp. On some systems, the ability to execute commands as the uucp user can be leveraged to gain root privileges.
Administrators of systems that have minicom installed should remove its set group ID bit as soon as possible.
The SAP R/3 Web Application Server Demo for Linux contains the set user ID root program saposcol, which, due to unsafe use of the popen() library function (which hands its argument to /bin/sh), can be used to execute arbitrary commands as root.
SAP recommends that users upgrade to saposcol version 1.5. It may also be advisable to restrict access to the set user ID tools provided in the demo to the group
Bugzilla, a web-based bug reporting and tracking package, fails to escape shell meta-characters in registered users' email addresses. An attacker can register an email address containing such characters and execute arbitrary commands on the server with the permissions of the user running the web server.
Users of Bugzilla should upgrade to version 2.12 or newer as soon as possible.
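The saposcol and Bugzilla items above are the same bug class: a command string assembled from untrusted input and handed to popen() or system() is parsed by /bin/sh, so shell meta-characters in the input become extra commands. The following is an added example, not SAP's or Bugzilla's code, and the "email address" it uses is constructed for the demonstration. It shows what the shell makes of such a string, and the hardened form: validate the input against a strict grammar and pass it to the program as a single argv element, so no shell is ever involved.

```python
"""Shell meta-character injection through popen()-style command building.

Added example, not code from SAP or Bugzilla. The attacker input below is
constructed for the demonstration; 'mail' is only a stand-in for whatever
program the original code invoked.
"""
import re
import subprocess
import shlex

# Constructed attacker-controlled "email address" (not a real address).
EVIL_ADDR = "victim@example.org; id > /tmp/pwned"


def vulnerable_mail_command(addr):
    """String concatenation, as popen()/system() callers typically do.
    Returns the command text the shell would receive (not executed here)."""
    return "mail -s 'bug report' " + addr


def shell_would_run(cmd):
    """Split the command text into the simple commands /bin/sh would run,
    one argv list each. Only the ';' separator is modelled (a ';' inside
    quotes would be mis-split), which is enough to expose the injection."""
    return [shlex.split(part) for part in cmd.split(";") if part.strip()]


# Strict allow-list. The local part must start with an alphanumeric so the
# address can never be taken for an option (for example -f) by the mailer.
ADDR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def safe_mail_argv(addr):
    """Validate, then build an argv list: execve() hands the address to the
    mailer as one argument and no shell parses it."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"address rejected: {addr!r}")
    return ["mail", "-s", "bug report", addr]


def send_report(addr, body):
    """shell=False with a list never invokes /bin/sh (assumes a mail binary)."""
    return subprocess.run(safe_mail_argv(addr), input=body, text=True, check=False)


if __name__ == "__main__":
    for argv in shell_would_run(vulnerable_mail_command(EVIL_ADDR)):
        print("shell runs:", argv)
    print("hardened argv:", safe_mail_argv("victim@example.org"))
```

Escaping the meta-characters, which is what "fails to escape" suggests as the fix, is the fragile option: every shell has its own quoting rules and a missed character reopens the hole. Removing the shell from the call path, as the hardened version does, makes the quoting rules irrelevant.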
A new version of the GNU Privacy Guard, GnuPG, has been released that fixes several security problems and bugs. Users of GnuPG should upgrade to version 1.0.5 or newer.
The mount package distributed with Red Hat Linux 7.1 incorrectly creates world-readable swap partitions during installation. Any user on such a system can read the swap partitions and scan them for sensitive data that has been paged out of memory, including passwords.
Red Hat recommends that users update their mount package; the new version enforces the proper permissions on the swap partitions.
The mail program mailx provided with both SPARC and x86 versions of Solaris 2.5 through 8 contains a buffer overflow that can be exploited to execute arbitrary code with the permissions of the mail group.
Administrators of Solaris systems should remove the set group ID bit from mailx until Sun provides a patch.
Return to the Linux DevCenter.