From: Paul Rusty Russell <Paul.Russell@rustcorp.com.au>
To: lwn@lwn.net
Subject: Correction: network security vulnerability
Date: Thu, 07 Oct 1999 21:53:54 +0930


``Another network security vulnerability was found this week by Andrey
Savochkin.''

No.  There are three recent independent Linux TCP network problems,
involving figuring out sequence numbers (randomized TCP sequence
numbers are used in the TCP handshake to be sure the incoming TCP
packets don't have a faked IP address).

1) Nergal: `Linux blind TCP spoofing, act II + others'
   BUGTRAQ: Sun, 1 Aug 1999 01:10:06 +0200

   In this case, an attacker could figure out the sequence number of a
   TCP connection using a `higher/lower' method, because a TCP bug
   made Linux send out packets only when the sequence number was too
   big.  This only worked on 2.0 kernels.

2) Bluefish: `[EuroHaCk] Linux 2.2.x ISN vulnerability (fwd)'
   BUGTRAQ: Mon, 27 Sep 1999 00:32:04 +0200

   In this case, a mistake in the kernel code caused the seed for the
   random sequence used to be the same for every connection, making
   them far more guessable than they should have been.  Alexey
   provided a one-line fix for 2.2/2.3:

	http://kernelnotes.org/lnxlists/linux-kernel/lk_9909_04/msg00664.html

3) Pete Zaitcev: `Memory corruption with 2.3.18'
   linux-kernel: Sat, 18 Sep 1999 13:15:38 -0700 (PDT)

   This bug in the random driver (the source of the TCP sequence
   numbers, among other things), was mistakenly thought to be the
   problem by some when the above post was forwarded to linux-kernel.
   It was not (an understandable mistake), but it added to the
   confusion.

Andrey's patch simply ensures that the IP IDs (each IP packet has a
16-bit ID field) are no longer simply incremented for each packet, but
some random wobble is included.  This field is usually used to
recognize related fragments of a packet, should the packet be split
inside the network, but the security concerns are more to do with
using it to determine how many packets have been sent: this was used
in exploit #1 above, but it wasn't the *cause* of the problem.

Randomizing IP IDs is mainly about trying to give as little
information as possible, rather than fixing any particular exploit.

I hope that clarifies,
Rusty.
--
Hacking time.
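The letter's last point, that a simply incremented IP ID field tells an outside observer how many packets a host has sent, can be shown with a small simulation. The following Python is an added illustration, not code from the letter, from LWN, or from Andrey Savochkin's patch: the "wobble" model (advancing the counter by a random amount between 1 and `max_step`) is an assumption chosen for illustration, and `SequentialIpId`, `WobbledIpId`, `observer_estimate` and `mean_abs_error` are names invented here. The observer sees one packet, the host sends some number of packets elsewhere, and the observer sees a second packet; with a plain counter the difference between the two IDs reveals the hidden traffic exactly, while the randomized counter leaves only a noisy upper bound.

```python
import random

ID_MASK = 0xFFFF  # the IP ID field is 16 bits wide, so arithmetic wraps at 65536


class SequentialIpId:
    """Pre-patch behaviour the letter describes: every packet gets the previous ID plus one."""

    def __init__(self, start: int) -> None:
        self.cur = start & ID_MASK

    def next_id(self) -> int:
        self.cur = (self.cur + 1) & ID_MASK
        return self.cur


class WobbledIpId:
    """Constructed model of 'random wobble': each packet advances the counter by a
    random amount in [1, max_step]. This is an assumption for illustration only,
    not the code of Andrey Savochkin's patch."""

    def __init__(self, start: int, rng: random.Random, max_step: int = 8) -> None:
        self.cur = start & ID_MASK
        self.rng = rng
        self.max_step = max_step

    def next_id(self) -> int:
        self.cur = (self.cur + self.rng.randint(1, self.max_step)) & ID_MASK
        return self.cur


def observer_estimate(gen, hidden_packets: int) -> int:
    """Simulate the leak the letter mentions: an observer sees one packet from the
    host, the host then sends `hidden_packets` packets to other destinations, and
    the observer sees one more packet. Assuming 'plus one per packet', the observer
    takes (second_id - first_id - 1) as the amount of hidden traffic."""
    first = gen.next_id()
    for _ in range(hidden_packets):
        gen.next_id()
    second = gen.next_id()
    return (second - first - 1) & ID_MASK  # mask handles wrap-around of the 16-bit field


def mean_abs_error(make_gen, hidden_packets: int, trials: int, seed: int = 1) -> float:
    """Average |estimate - truth| over many trials with random starting IDs.
    0.0 means the ID field leaks the exact packet count; larger means the
    observer learns less from the two IDs it saw."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    errors = []
    for _ in range(trials):
        gen = make_gen(rng)
        errors.append(abs(observer_estimate(gen, hidden_packets) - hidden_packets))
    return sum(errors) / len(errors)


def sequential_gen(rng: random.Random) -> SequentialIpId:
    """Plain counter starting at a random ID."""
    return SequentialIpId(rng.randrange(ID_MASK + 1))


def wobbled_gen(rng: random.Random) -> WobbledIpId:
    """Randomly advancing counter starting at a random ID."""
    return WobbledIpId(rng.randrange(ID_MASK + 1), rng)


if __name__ == "__main__":
    print("sequential IDs, mean error:", mean_abs_error(sequential_gen, 10, 200))
    print("wobbled IDs,    mean error:", mean_abs_error(wobbled_gen, 10, 200))
```

With the plain counter the error is always zero, whatever the starting ID and even across the 16-bit wrap; with the wobbled counter the observer still knows the true count cannot exceed its estimate, which is exactly the "give as little information as possible, rather than fixing any particular exploit" trade-off the letter describes.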