[nsp] Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence NumberRandomization Improvements

From: Cisco Systems Product Security Incident Response Team (psirt@cisco.com)
Date: Wed Feb 28 2001 - 21:30:00 EST


-----BEGIN PGP SIGNED MESSAGE-----

Cisco Security Advisory: Cisco IOS Software TCP Initial Sequence Number
Randomization Improvements

Revision 1.0: INTERIM

For Public Release 2001 February 28 18:00 US/Pacific (UTC+0800)

  ------------------------------------------------------------------------

Summary

Cisco IOS software contains a flaw that permits the successful prediction
of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS
software running on Cisco routers and switches. It only affects the
security of TCP connections that originate or terminate on the affected
Cisco device itself; it does not apply to TCP traffic forwarded through the
affected device in transit between two other hosts.

To remove the vulnerability, Cisco is offering free software upgrades for
all affected platforms. The defect is described in DDTS record CSCds04747.

Workarounds are available that limit or deny successful exploitation of the
vulnerability by filtering traffic containing forged IP source addresses at
the perimeter of a network or directly on individual devices.

This notice will be posted
at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

Affected Products

The vulnerability is present in all Cisco routers and switches running
affected releases of Cisco IOS Software.

To determine the software running on a Cisco product, log in to the device
and issue the command "show version" to display the system banner. Cisco
IOS software will identify itself as "Internetwork Operating System
Software" or simply "IOS (tm)". On the next line of output, the image name
will be displayed between parentheses, followed by "Version" and the IOS
release name. Other Cisco devices will not have the "show version" command
or will give different output.

The following example identifies a Cisco product running IOS release
12.0(3) with an installed image name of C2500-IS-L:

     Cisco Internetwork Operating System Software IOS (tm)
     2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE

Cisco devices that may be running an affected IOS software release include,
but are not limited to:

   * 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000,
     4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
   * ubr900 and ubr920 universal broadband routers.
   * Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC
     series switches.
   * 5200, 5300, 5800 series access servers.
   * Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor
     Module, Catalyst ATM Blade.
   * RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR
     series Cisco routers.
   * DistributedDirector.
   * Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.

Cisco products that do not run Cisco IOS software and are not affected by
the vulnerabilities described in this notice include, but are not limited
to:

   * Cisco PIX firewall.
   * Cisco 600 family of routers running CBOS.
   * Host-based network management or access management products.
   * Cisco IP Telephony and telephony management software (except those
     that are hosted on a vulnerable IOS platform).
   * Voice gateways and convergence products (except those that are hosted
     on a vulnerable IOS platform).

Details

To provide reliable delivery in the Internet, the Transmission Control
Protocol (TCP) makes use of a sequence number in each packet to provide
orderly reassembly of data after arrival, and to notify the sending host of
the successful arrival of the data in each packet.

TCP sequence numbers are 32-bit integers in the circular range of 0 to
4,294,967,295. The host devices at both ends of a TCP connection exchange
an Initial Sequence Number (ISN) selected at random from that range as part
of the setup of a new TCP connection. After the session is established and
data transfer begins, the sequence number is regularly augmented by the
number of octets transferred, and transmitted to the other host. To prevent
the receipt and reassembly of duplicate or late packets in a TCP stream,
each host maintains a "window", a range of values close to the expected
sequence number, in which the sequence number in an arriving packet must
fall if it is to be accepted. Assuming a packet arrives with the correct
source and destination IP addresses, source and destination port numbers,
and a sequence number within the allowable window, the receiving host will
accept the packet as genuine.

This method provides reasonably good protection against accidental receipt
of unintended data. However, to guard against malicious use, it should not
be possible for an attacker to infer a particular number in the sequence.
If the initial sequence number is not chosen randomly or if it is
incremented in a non-random manner between the initialization of subsequent
TCP sessions, then it is possible, with varying degrees of success, to
forge one half of a TCP connection with another host in order to gain
access to that host, or hijack an existing connection between two hosts in
order to compromise the contents of the TCP connection. To guard against
such compromises, ISNs should be generated as randomly as possible.

This defect, documented as DDTS CSCds04747, has been corrected by providing
an improved method for generating TCP Initial Sequence Numbers.

Impact

Forged packets can be injected into a network from a location outside its
boundary so that they are trusted as authentic by the receiving host, thus
resulting in a failure of integrity. Such packets could be crafted to gain
access or make some other modification to the receiving system in order to
attain some goal, such as gaining unauthorized interactive access to a
system or compromising stored data.

- From a position within the network where it is possible to receive the
return traffic (but not necessarily in a position that is directly in the
traffic path), a greater range of violations is possible. For example, the
contents of a message could be diverted, modified, and then returned to the
traffic flow again, causing a failure of integrity and a possible failure
of confidentiality.

NOTE: Any compromise using this vulnerability is only possible for TCP
sessions that originate or terminate on the affected Cisco device itself.
It does not apply to TCP traffic that is merely forwarded through the
device.

Software Versions and Fixes

The following table summarizes the IOS software releases that are known to
be affected, and the earliest estimated dates of availability for the
recommended fixed versions. Dates are always tentative and subject to
change.

Each row of the table describes a release train and the platforms or
products for which it is intended. If a given release train is vulnerable,
then the earliest possible releases that contain the fix and the
anticipated date of availability for each are listed in the "Rebuild",
"Interim", and "Maintenance" columns. A device running any release in the
given train that is earlier the release in a specific column (less than the
earliest fixed release) is known to be vulnerable, and it should be
upgraded at least to the indicated release or a later version (greater than
the earliest fixed release label).

When selecting a release, keep in mind the following definitions:

     Maintenance
          Most heavily tested and highly recommended release of any label
          in a given row of the table.
     Rebuild
          Constructed from the previous maintenance or major release in the
          same train, it contains the fix for a specific defect. Although
          it receives less testing, it contains only the minimal changes
          necessary to effect the repair.
     Interim
          Built at regular intervals between maintenance releases and
          receive less testing. Interims should be selected only if there
          is no other suitable release that addresses the vulnerability,
          and interim images should be upgraded to the next available
          maintenance release as soon as possible. Interim releases are not
          available via manufacturing, and usually they are not available
          for customer download from CCO without prior arrangement with the
          Cisco TAC.

In all cases, customers should exercise caution to be certain the devices
to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco TAC for
assistance as shown later in this notice.

More information on IOS release names and abbreviations is available at
http://www.cisco.com/warp/public/620/1.html.

+===========================================================================+
   Train Description of Availability of Fixed Releases*
            Image or Platform
+===========================================================================+
     11.0-based Releases Rebuild Interim** Maintenance
+===========================================================================+
                              11.0(22a)
    11.0 Major GD release
            for all platforms 2001-Mar-08
+===========================================================================+
     11.1-based Releases Rebuild Interim** Maintenance
+===========================================================================+
                              11.1(24a)
    11.1 Major release for
            all platforms 2001-Mar-08
+----------+-----------------+---------------+-----------+------------------+
            ED release for Unavailable
   11.1AA access servers: Upgrade recommended to 12.1(7), available
            1600, 3200, and
            5200 series. 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Platform-specific 11.1(36)CA1
   11.1CA support for 7500,
            7200, 7000, and
            RSP 2001-Mar-02
+----------+-----------------+---------------+-----------+------------------+
            ISP train: added
            support for FIB, 11.1(36)CC1
   11.1CC CEF, and NetFlow
            on 7500, 7200, 2001-Mar-02
            7000, and RSP
+----------+-----------------+---------------+-----------+------------------+
            Added support for 12.0(11)ST2
   11.1CT Tag Switching on
            7500, 7200, 7000,
            and RSP 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
                              11.1(28a)IA1
   11.1IA Distributed
            Director only 2001-Feb-26
+===========================================================================+
     11.2-based Releases Rebuild Interim** Maintenance
+===========================================================================+
            Major release, 11.2(25a) 11.2(25)
    11.2 general
            deployment 2001-Mar-05 Available
+----------+-----------------+---------------+-----------+------------------+
            Platform-specific Unavailable
            support for IBM
   11.2BC networking, CIP,
            and TN3270 on Upgrade recommended to 12.1(7), available
            7500, 7000, and 2001-Feb-26
            RSP
+----------+-----------------+---------------+-----------+------------------+
                              Unavailable
   11.2F Feature train for
            all platforms Upgrade recommended
+----------+-----------------+---------------+-----------+------------------+
            Early deployment Unavailable
   11.2GS release to Upgrade recommended to 12.0(15)S1,
            support 12000 GSR available 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
                              11.2(25a)P 11.2(25)P
   11.2P New platform
            support 2001-Mar-05 Available
+----------+-----------------+---------------+-----------+------------------+
                              Unavailable
   11.2SA Catalyst 2900XL Upgrade recommended to 12.1WC, available
            switch only
                              2001-Apr-12
+----------+-----------------+---------------+-----------+------------------+
                              Unavailable
  11.2WA3 LightStream 1010 Upgrade recommended to 12.0(10)W5(20,
            ATM switch
                              available 2001-Feb-28
+----------+-----------------+---------------+-----------+------------------+
            Initial release 11.2(25a)P 11.2(25)P
 11.2(4)XA for the 1600 and
            3600 2001-Mar-05 Available
+----------+-----------------+---------------+-----------+------------------+
            Initial release
            for the 5300 and 11.2(25a)P 11.2(25)P
 11.2(9)XA digital modem
            support for the 2001-Mar-05 Available
            3600
+===========================================================================+
     11.3-based Releases Rebuild Interim** Maintenance
+===========================================================================+
                              11.3(11b)
    11.3 Major release for
            all platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            ED for dial
            platforms and 11.3(11a)AA
   11.3AA access servers:
            5800, 5200, 5300, 2001-Mar-05
            7200
+----------+-----------------+---------------+-----------+------------------+
            Early deployment Unavailable
   11.3DA train for ISP Upgrade recommended to 12.1(5)DA1,
            DSLAM 6200
            platform available 2001-Mar-19
+----------+-----------------+---------------+-----------+------------------+
            Early deployment
            train for Unavailable
            ISP/Telco/PTT
   11.3DB xDSL broadband
            concentrator Upgrade recommended to 12.1(4)DB1,
            platform, (NRP) available 2001-Feb-28
            for 6400
+----------+-----------------+---------------+-----------+------------------+
            Short-lived ED
   11.3HA release for ISR Vulnerable
            3300 (SONET/SDH
            router)
+----------+-----------------+---------------+-----------+------------------+
            MC3810 11.3(1)MA8
   11.3MA functionality
            only 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Voice over IP, Unavailable
   11.3NA media Upgrade recommended to 12.1(7), available
            convergence,
            various platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early deployment 11.3(11b)T1
   11.3T major release,
            feature-rich for
            early adopters 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Multilayer
            Switching and Unavailable
            Multiprotocol
            over ATM
  11.3WA4 functionality for
            Catalyst 5000 Upgrade recommended to 12.0(14)W5(20),
            RSM, 4500, 4700, available 2001-Feb-28
            7200, 7500,
            LightStream 1010
+----------+-----------------+---------------+-----------+------------------+
                              11.3(11b)T1
 11.3(2)XA Introduction of
            ubr7246 and 2600 2001-Mar-05
+===========================================================================+
     12.0-based Releases Rebuild Interim** Maintenance
+===========================================================================+
            General 12.0(15)
    12.0 deployment
            release for all
            platforms Available
+----------+-----------------+---------------+-----------+------------------+
                              Unavailable
   12.0DA xDSL support: Upgrade recommended to 12.1(5)DA1,
            6100, 6200
                              available 2001-Mar-19
+----------+-----------------+---------------+-----------+------------------+
            General Unavailable
   12.0DB deployment Upgrade recommended to 12.1(4)DB1,
            release for all
            platforms available 2001-Feb-28
+----------+-----------------+---------------+-----------+------------------+
            General Unavailable
   12.0DC deployment Upgrade recommended to 12.1(4)DC2,
            release for all
            platforms available 2001-Feb-28
+----------+-----------------+---------------+-----------+------------------+
                              12.0(14)S1 12.0(14.6)S
   12.0S Core/ISP support:
            GSR, RSP, c7200 Available Available
+----------+-----------------+---------------+-----------+------------------+
                              12.0(15)SC1
   12.0SC Cable/broadband
            ISP: ubr7200 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
                              12.0(14)SL1
   12.0SL 10000 ESR: c10k
                              2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            General 12.0(11)ST2
   12.0ST deployment
            release for all
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
                              12.0(5c)E8
   12.0SX Early Deployment
            (ED) 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Unavailable
            Deployment(ED):
   12.0T VPN, Distributed
            Director, various Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Catalyst
            switches:
            cat8510c, 12.0(14)W5(20)
            cat8540c, c6msm,
            ls1010, cat8510m,
   12.0W5 cat8540m, c5atm,
            c5atm, c3620,
            c3640, c4500,
            c5rsfc, c5rsm, 2001-Feb-28
            c7200, rsp,
            cat2948g, cat4232
+----------+-----------------+---------------+-----------+------------------+
            General 12.0(13)WT6(1)
   12.0WT deployment
            release for all
            platforms 2001-Feb-20
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XA (ED): limited Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early Unavailable
   12.0XB deployment Upgrade recommended to 12.1(7), available
            release 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XC (ED): limited Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XD (ED): limited Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XE (ED): limited Upgrade recommended to 12.1(5)E8,
            platforms available 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XF (ED): limited Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XG (ED): limited Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.0(4)XH5
   12.0XH (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XI (ED): limited Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XJ (ED): limited Upgrade recommended to 12.1(7), available
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.0(7)XK4
   12.0XK (ED): limited
            platforms 2001-Mar-19
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.0(4)XH5
   12.0XL (ED): limited 12.1(7)
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.0(5)XM1
   12.0XM deployment
            release 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment
   12.0XN (ED): limited
            platforms
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XP (ED): limited Upgrade recommended to 12.1WC, available
            platforms 2001-Apr-12
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early Unavailable
   12.0XQ deployment Upgrade recommended to 12.1(7), available
            release 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early Unavailable
   12.0XR deployment Upgrade recommended to 12.1(5)T5,
            release available 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early Unavailable
   12.0XS deployment Upgrade recommended to 12.1(5)E8,
            release available 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Unavailable
   12.0XU (ED): limited Upgrade recommended to 12.1WC, available
            platforms 2001-Apr-12
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early Unavailable
   12.0XV deployment Upgrade recommended to 12.1(5)T5,
            release available 2001-Mar-05
+===========================================================================+
     12.1-based and Later
           Releases Rebuild Interim** Maintenance
+===========================================================================+
            General 12.1(7)
    12.1 deployment
            release for all
            platforms Available
+----------+-----------------+---------------+-----------+------------------+
                                                          12.1(7)AA
   12.1AA Dial support
                                                          2001-Mar-12
+----------+-----------------+---------------+-----------+------------------+
                              12.1(5)DA1 12.1(6)DA
   12.1DA xDSL support:
            6100, 6200 2001-Feb-28 Available
+----------+-----------------+---------------+-----------+------------------+
                                                          12.1(4)CX
   12.1CX Core/ISP support:
            GSR, RSP, c7200 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            General 12.1(4)DB1
   12.1DB deployment
            release for all
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            General 12.1(4)DC2
   12.1DC deployment
            release for all
            platforms 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
                              12.1(5c)E8 12.1(5.6)E
   12.1E Core/ISP support:
            GSR, RSP, c7200 2001-Mar-5
+----------+-----------------+---------------+-----------+------------------+
                              12.1(5)EC1 12.1(4.5)EC
   12.1EC Core/ISP support:
            GSR, RSP, c7200 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
                              12.1(5c)EX
   12.1EX Core/ISP support:
            GSR, RSP, c7200 2001-Mar-5
+----------+-----------------+---------------+-----------+------------------+
            Early
            Deployment(ED): 12.1(5)T5
   12.1T VPN, Distributed
            Director, various 2001-Mar-05
            platforms
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(5)T5
   12.1XA (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(5)T5
   12.1XB (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(5)T5
   12.1XC (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(5)T5
   12.1XD (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(5)T5
   12.1XE (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(2)XF3
   12.1XF (ED): 811 and 813
            (c800 images) 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(3)XG3
   12.1XG (ED): 800, 805,
            820, and 1600 Available
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(2)XH1
   12.1XH (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(3)XI6
   12.1XI (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment Indeterminate
   12.1XJ (ED): limited
            platforms Unscheduled
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(5)T5
   12.1XK (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(3)XL1
   12.1XL (ED): limited
            platforms 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XM1
   12.1XM deployment
            release 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(3)XP3
   12.1XP (ED): 1700 and
            SOHO 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(3)XQ1
   12.1XQ deployment
            release 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XR1
   12.1XR deployment
            release 2001-Feb-20
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XS
   12.1XS deployment
            release 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
                              12.1(3)XT1
   12.1XT Early Deployment
            (ED): 1700 series Available
+----------+-----------------+---------------+-----------+------------------+
            Early Deployment 12.1(5)XU1
   12.1XU (ED): limited
            platforms 2001-Feb-15
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XV1
   12.1XV deployment
            release 2001-Mar-05
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XW2
   12.1XW deployment
            release 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XX3
   12.1XX deployment
            release 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XY4
   12.1XY deployment
            release 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)XZ2
   12.1XZ deployment
            release 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)YA1
   12.1YA deployment
            release 2001-Feb-28
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)YB
   12.1YB deployment
            release 2001-Feb-13
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)YC1
   12.1YC deployment
            release 2001-Feb-26
+----------+-----------------+---------------+-----------+------------------+
            Short-lived early 12.1(5)YD
   12.1YD deployment
            release 2001-Mar-12
+===========================================================================+
                                  Notes
+===========================================================================+
 * All dates are estimated and subject to change.

 ** Interim releases are subjected to less rigorous testing than regular
 maintenance releases, and may have serious bugs.
+===========================================================================+

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for
all affected customers. Customers with service contracts may upgrade to any
software release. Customers without contracts may upgrade only within a
single row of the table above, except that any available fixed software
release will be provided to any customer who can use it and for whom the
standard fixed software release is not yet available. Customers may install
only the feature sets they have purchased.

Note that not all fixed software may be available as of the release date of
this notice.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained via Cisco's Software Center at http://www.cisco.com/.

Customers without contracts or warranty should get their upgrades by
contacting the Cisco Technical Assistance Center (TAC) as shown below:

   * (800) 553-2447 (toll-free in North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * e-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including instructions and e-mail
addresses for use in various languages.

Give the URL of this notice as evidence of your entitlement to a free
upgrade. Free upgrades for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades; faster results will be
obtained by contacting the TAC directly.

Workarounds

There is no specific configurable workaround to directly address the
possibility of predicting a TCP Initial Sequence Number. To prevent
malicious use of this vulnerability from inside the network, ensure that
transport that makes interception and modification detectable, if not
altogether preventable, is in use as appropriate. Examples include using
IPSEC or SSH to the Cisco device for interactive session, MD5
authentication to protect BGP sessions, strong authentication for access
control, and so on.

Malicious use of this vulnerability from a position outside the
administrative boundaries of the network can be mitigated, if not prevented
entirely, by using access control lists to prevent the injection of packets
with forged source or destination IP addresses.

Exploitation and Public Announcements

The general case of this vulnerability in TCP is well-known to the
information system security community. Details specific to TCP connections
to or from Cisco products do not appear to be widely known and the topic
does not appear to have been widely discussed.

Cisco is not aware of instances in which this vulnerability has been used
maliciously. However, there are numerous off-the-shelf programs and scripts
available which can demonstrate the vulnerability and which could be
modified to exploit it with malicious intent. Various security scanning
programs have been known to provide positive test results for this
vulnerability on Cisco devices.

This vulnerability was discovered internally. Two customers reported the
vulnerability while a fix was still in progress.

Status of This Notice: INTERIM

This is an interim security advisory. Cisco anticipates issuing updated
versions of this notice at irregular intervals as there are material
changes in the facts, and will continue to update this notice as necessary.
The reader is warned that this notice may contain inaccurate or incomplete
information. Although Cisco cannot guarantee the accuracy of all statements
in this notice, all of the facts have been checked to the best of our
ability. Cisco anticipates issuing monthly updates of this notice until it
reaches FINAL status.

A standalone copy or paraphrase of the text of this security advisory that
omits the following URL is an uncontrolled copy, and may lack important
information or contain factual errors.

Distribution

This notice will be posted
at http://www.cisco.com/warp/public/707/ios-tcp-isn-random-pub.shtml.

In addition to Worldwide Web posting, a text version of this notice will be
clear-signed with the Cisco PSIRT PGP key and will be posted to the
following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * bugtraq@securityfocus.com
   * first-teams@first.org (including CERT/CC)
   * cisco@spot.colorado.edu
   * cisco-nsp@puck.nether.net
   * comp.dcom.sys.cisco
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.

Revision History

 Revision 1.0 2001-Feb-28 Initial public release

Cisco Product Security Incident Procedures

The page at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml contains
instructions for reporting security vulnerabilities in Cisco products,
obtaining assistance with customer security incidents, registering to
receive security information from Cisco, and making press inquiries
regarding Cisco Security Advisories. This document is Cisco's complete
public statement regarding this product security vulnerability.

  ------------------------------------------------------------------------
Copyright 2001 by Cisco Systems, Inc. This notice may not be redistributed
in any form without the advance knowledge and consent of the Cisco Product
Security Incident Response Team.
  ------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQEVAwUBOp2o8WiN3BRdFxkbAQHUrAf8DepzMORLA18EtKj6Ep3YZTB93O1yXaic
saH03AKTHjmmBRuPFHo2ePlEZv1l/JoirbgBtoV52KJP84CHLbkKAJsWk6lDllku
IE1jPOJDIY+u5nUWncECakR2AJJpP362UdLL+zeMsm26b/FJihhXwlQ04RXr1EVg
75q+lY7NpdSya31KwTjg0mXv2vTOvFXyMjqjWaauM998yyErWGFb5LRauaXRS7LW
xZFjHk7kZvmzjaTYZRqHcB1A7YKjNFKgCu5bk50LCMl719XXuPX64SmSPSTA6Ak5
nEWDQ0JnHSvLOAcpMNFKA6rTEpCjCwrU2zGf2klnxhUoexpjKy/i/A==
=0GPV
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:30 EDT