NT Predictable TCP Sequence Number Vulnerability





General Info


TC: 12031
Description: Microsoft Windows NT4 uses a predictable algorithm to generate TCP sequence numbers. This can assist an attacker attempting to initiate connections to other machines by spoofing an address onto the NT host.
The method implemented by Microsoft starting from NT4 SP4 to fix the issue is easier to predict than the previous one, leaving the attacker a much smaller number of increment combinations (0, 2, 4, 6, 8, 10, 12 and 14). In addition, TCP/IP stacks ignore invalid sequence numbers, which facilitates this exploit.
TC Impact: Attack



Specific Operations and Actions:


Vulnerability Publication: August 24, 1999
Advisory Copyright: Roy Hill
Summary: A remote attacker can launch blind attacks on your vulnerable network and keep their identity hidden.
Risk: Medium
CVSS 2.0 metrics: Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: Partial
CVSS 2.0 Base Score: 6.4
Vulnerability Impact: Attack
Host Impact: Prediction of ISN sequences allows an attacker to launch IP address spoofing and session hijacking attacks.
Nature of Remediation: Apply service pack to operating system.
Step required to fix the reported vulnerability:

***** Solution type: Upgrade Software *****

Microsoft has released a patch addressing this issue.
See references for more details on how to upgrade.
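
A check a defender could run on ISNs captured from a host's SYN-ACK replies, added here as an example and not taken from the advisory or from SecureScout. The sample data is constructed (it does not model how NT derives its ISNs), and the `min_ratio` cut-off and function names are assumptions of this example.

```python
import hashlib
import math
from collections import Counter

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess(isns, min_ratio=0.9):
    """Score how much the ISN-to-ISN step varies across the sample.

    The score is the Shannon entropy of the observed deltas divided by the
    maximum possible for that sample size. min_ratio is an assumed cut-off.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 16:
        raise ValueError("need at least 17 ISN samples")
    total = len(deltas)
    bits = -sum(c / total * math.log2(c / total)
                for c in Counter(deltas).values())
    ratio = bits / math.log2(total)
    return {"distinct_deltas": len(set(deltas)),
            "entropy_bits": round(bits, 2),
            "ratio": round(ratio, 2),
            "predictable": ratio < min_ratio}


def weak_sample(n=65, start=0xFFFFFFF0):
    """Constructed: steps cycle through the eight increments the advisory lists."""
    steps = (0, 2, 4, 6, 8, 10, 12, 14)
    isns = [start]
    for i in range(n - 1):
        isns.append((isns[-1] + steps[(i * 3) % 8]) % MOD)
    return isns


def strong_sample(n=65):
    """Constructed: SHA-256 of a counter stands in for a randomised generator."""
    return [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big")
            for i in range(n)]


if __name__ == "__main__":
    print("weak  :", assess(weak_sample()))
    print("strong:", assess(strong_sample()))
```

A low ratio flags a generator whose steps come from a small set; a high ratio only rules out that one weakness and does not prove the generator is unpredictable.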



Glossary and References:


References:
* BUGTRAQ: 19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4
http://www.securityfocus.com/templates/archive.pike?list=1&msg=4.1.19990824165629.00abcb40@192.168.124.1
* MS: MS99-046
http://www.microsoft.com/technet/security/bulletin/ms99-046.asp
* BID: 604
http://www.securityfocus.com/bid/604
* XF: nt-sequence-prediction-sp4
http://xforce.iss.net/xforce/xfdb/3168
* XF: tcp-seq-predict
http://xforce.iss.net/xforce/xfdb/139
* MISC:
http://www.securityfocus.com/archive/1/25194
* CERT-VN: VU#498440
http://www.kb.cert.org/vuls/id/498440
* MISC:
http://www.ietf.org/rfc/rfc0793.txt
* MISC: Defending Against Sequence Number Attacks:
http://www.ietf.org/rfc/rfc1948.txt

CVE Link: CVE-2000-0328

Glossary: Spoofing
TCP


© 2003-2010 NexantiS Corporation (www.securescout.com)
SecureScout is a trademark of NexantiS
All Rights Reserved
All product names referenced herein are trademarks of their respective companies
