TCP security hole may be more dangerous than first thought

It may be easier than previously believed for crackers to exploit a long-known and potentially dangerous weakness in the Transmission Control Protocol (TCP) used to drive Internet traffic, according to an advisory from security firm Guardent Inc.

The weakness, which affects a large percentage of devices connected to the Internet or corporate networks, potentially lets malicious users do things such as launch denial-of-service attacks, hijack TCP-based sessions or inject false information into data streams, Waltham, Mass.-based Guardent said.

But one analyst at a rival security firm dismissed Guardent's claims as overblown and said the problem is well understood and had been addressed by vendors for quite some time now.

TCP is the protocol that, together with the Internet Protocol (IP), carries most data between computers on the Internet. IP delivers individual packets but makes no promise that they arrive in order, or at all; TCP breaks a message or file into smaller segments, numbers the bytes in each with a sequence number and hands the segments to IP for delivery. At the destination address, the TCP layer uses those sequence numbers to put the pieces back in order, notice what is missing and reassemble the original message.

The vulnerability in question relates to the generation of what are called Initial Sequence Numbers (ISNs). Each side of a connection picks an ISN when the connection is set up, and from then on a receiver accepts only segments whose sequence numbers fall within the range it expects, so the ISN is what lets the TCP layer tell legitimate packets in a session from stray or forged ones.

It has long been acknowledged that an attacker who can predict the ISN a host will pick (which is why ISNs are supposed to be hard to guess, not simply counted up) can forge packets the host accepts as part of a connection, and would in theory be able to hijack a TCP session, inject extraneous information into the data stream or attack systems on either end of the connection.

Vendors such as Cisco Systems Inc. and Microsoft Corp. have for some time been shipping ISN generators that add randomness to the numbers and make them far more difficult to predict.

But according to Guardent's research, the numbers are easier to predict than previously thought for some TCP/IP implementations and, therefore, present a danger for corporations, said Dan McCall, an executive vice president at Guardent.

The company didn't disclose further details on the actual method by which crackers can guess the numbers. But it has sent its detailed research to CERT at Carnegie Mellon University in Pittsburgh and several software vendors, as well as to network equipment vendors and government agencies under nondisclosure agreements.

"Our research proves that TCP sequence numbers can be guessed with a high degree of accuracy," McCall said. "Using a method that we are only disclosing to people who can help fix the problem, it is possible for someone to build attack tools" that exploit the weakness, he said.

But it would still require a high degree of skill and knowledge on the part of a cracker to exploit the weakness, added Gerard Brady, vice president of research and development at Guardent.

However, "guessing ISNs is not as simple as it sounds, and it doesn't always get you a whole lot even if it is done," said Russ Cooper, an analyst at TruSecure Corp., a Reston, Va.-based security firm.

For one thing, such attacks are extremely difficult to mount and are relatively easy to detect and thwart if not executed perfectly, he said. For such "man-in-the-middle" attacks to be truly successful, the attacker also needs to somehow be able to identify, intercept and hijack the right TCP sessions, Cooper noted.

"You have to be able to establish a connection to something you want to get.... Just taking over any old session doesn't necessarily get you anywhere," he said. And with most important sessions, such as e-commerce over the Internet, protected by encryption, it's unlikely crackers would be able to do much even if they manage to intercept such sessions, he added.

CERT posted a vulnerability note on the subject today at www.kb.cert.org/vuls/id/498440, citing Guardent's research. While noting that the issue is an old one, the advisory added that "what was not previously illustrated was just how predictable one commonly used method of randomizing new-connection ISNs is in some modern TCP/IP implementations." The note adds that CERT is in the process of getting feedback from vendors "to help understand the scope of this observed statistical weakness."

Companies concerned about this weakness should deploy IPsec (the IP security protocol) or follow the recommendations in RFC 1948, Steven Bellovin's 1996 proposal for defending against sequence number attacks, said Mark Zajicek, a member of the CERT team. RFC 1948 keeps the RFC 793 ISN clock but adds to it a keyed hash of the connection's addresses, ports and a per-host secret, so the ISNs an attacker observes on connections it makes itself say nothing about the ISN a victim's connection will receive.
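The following is a worked example added to this article; it is not Guardent's, CERT's or any vendor's code. It models the three ISN schemes discussed above (the RFC 793 clock, a bounded random increment of the kind CERT's note calls "one commonly used method of randomizing new-connection ISNs", and the RFC 1948 scheme) and runs the same blind spoofing attacker against each. The 4-microsecond tick, the 16-bit bound on the random increment, HMAC-SHA256 as the keyed function F, and the addresses, ports and secret are all assumptions of the model, not details from the research.

```python
"""ISN generation: two predictable schemes beside the RFC 1948 scheme.

Added illustration for this article; not Guardent's, CERT's or any vendor's
code.  Assumptions of this model: a 4-microsecond ISN clock as in RFC 793,
a 16-bit bounded random increment for the "randomised" scheme, and
HMAC-SHA256 as the keyed function F in RFC 1948 (the RFC only requires a
secret-keyed cryptographic hash).
"""
import hashlib
import hmac
import random
from typing import List, Optional

MOD = 1 << 32             # TCP sequence numbers are 32-bit and wrap
TICK_US = 4               # RFC 793: the ISN clock advances every 4 microseconds
MAX_INCREMENT = 1 << 16   # assumed bound on the "random" per-connection step


def clock_isn(t_us: int) -> int:
    """Original RFC 793 scheme: the ISN is just a 32-bit clock.

    Anyone who knows roughly when the connection was made knows the ISN."""
    return (t_us // TICK_US) % MOD


class RandomIncrementISN:
    """Each new connection adds a random but bounded increment to the last ISN.

    The absolute values look random, but once an attacker has seen one ISN
    the next one lies within MAX_INCREMENT of it."""

    def __init__(self, seed: int) -> None:
        self.rng = random.Random(seed)          # seeded only so runs repeat
        self.last = self.rng.randrange(MOD)

    def next_isn(self) -> int:
        self.last = (self.last + self.rng.randrange(1, MAX_INCREMENT)) % MOD
        return self.last


def rfc1948_isn(secret: bytes, laddr: str, lport: int,
                raddr: str, rport: int, t_us: int) -> int:
    """RFC 1948: ISN = M + F(localhost, localport, remotehost, remoteport, secret).

    M is the RFC 793 clock, so a given connection's ISN still advances in
    time as RFC 793 intends; F is a keyed hash of the 4-tuple, so ISNs an
    attacker observes on its own connections are unrelated to the ISN the
    host will use for someone else's connection.  The secret is meant to be
    a random per-host value chosen at boot."""
    four_tuple = f"{laddr}:{lport}|{raddr}:{rport}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    f = int.from_bytes(digest[:4], "big")
    return (clock_isn(t_us) + f) % MOD


def blind_spoof(observed: List[int], true_isn: int,
                budget: int = MAX_INCREMENT) -> Optional[int]:
    """Model of a blind spoofing attacker.

    The attacker collected `observed` ISNs from connections it made itself,
    then forges a SYN from a victim's address.  It never sees the server's
    SYN-ACK, so it must guess the ISN: here it tries every value above the
    last observed one, sending one forged packet per guess.  Returns the
    number of packets needed to hit the real ISN, or None if `budget`
    guesses were not enough."""
    start = observed[-1]
    for guess in range(1, budget + 1):
        if (start + guess) % MOD == true_isn:
            return guess
    return None


SERVER = ("192.0.2.10", 80)        # constructed addresses (RFC 5737 ranges)
ATTACKER = ("10.0.0.5", 40000)
VICTIM = ("198.51.100.7", 40000)
T0 = 1_000_000                     # microseconds; attacker connects at T0,
DELTA = 40                         # the forged "victim" SYN arrives 40 us later


def attack_clock_scheme() -> Optional[int]:
    observed = [clock_isn(T0)]
    return blind_spoof(observed, clock_isn(T0 + DELTA))


def attack_random_increment_scheme(seed: int = 1) -> Optional[int]:
    gen = RandomIncrementISN(seed)
    observed = [gen.next_isn() for _ in range(3)]   # attacker's own connections
    return blind_spoof(observed, gen.next_isn())    # the victim's connection


def attack_rfc1948_scheme(secret: bytes, trials: int = 50) -> int:
    """Number of victim connections (out of `trials`, differing only in
    source port) whose RFC 1948 ISN the blind spoofer hits within budget."""
    observed = [rfc1948_isn(secret, *SERVER, *ATTACKER, T0)]
    hits = 0
    for i in range(trials):
        victim_isn = rfc1948_isn(secret, *SERVER, VICTIM[0], VICTIM[1] + i, T0 + DELTA)
        if blind_spoof(observed, victim_isn) is not None:
            hits += 1
    return hits


if __name__ == "__main__":
    print("RFC 793 clock: packets needed =", attack_clock_scheme())
    print("random increment: packets needed =", attack_random_increment_scheme())
    print("RFC 1948: hits out of 50 =",
          attack_rfc1948_scheme(b"per-host secret chosen at boot"))
```

Against the clock scheme the attacker needs a handful of packets (here 10, one per 4-microsecond tick between its own connection and the forged one); against the bounded random increment it needs at most 65,536, a few megabytes of forged packets; against RFC 1948 the guesses from its own connections are no better than chance across the full 32-bit space, while the ISN for any one 4-tuple still advances with the clock exactly as RFC 793 intends.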

Copyright © 2001 IDG Communications, Inc.
