From: Paul Rusty Russell <Paul.Russell@rustcorp.com.au>
To: lwn@lwn.net
Subject: Correction: network security vulnerability
Date: Thu, 07 Oct 1999 21:53:54 +0930

``Another network security vulnerability was found this week by Andrey Savochkin.''

No. There are three recent independent Linux TCP network problems, involving figuring out sequence numbers (randomized TCP sequence numbers are used in the TCP handshake to be sure the incoming TCP packets don't have a faked IP address).

1) Nergal: `Linux blind TCP spoofing, act II + others'
   BUGTRAQ: Sun, 1 Aug 1999 01:10:06 +0200

   In this case, an attacker could figure out the sequence number of a TCP connection using a `higher/lower' method, because a TCP bug made Linux send out packets only when the sequence number was too big. This only worked on 2.0 kernels.

2) Bluefish: `[EuroHaCk] Linux 2.2.x ISN vulnerability (fwd)'
   BUGTRAQ: Mon, 27 Sep 1999 00:32:04 +0200

   In this case, a mistake in the kernel code caused the seed for the random sequence used to be the same for every connection, making them far more guessable than they should have been. Alexey provided a one-line fix for 2.2/2.3:
   http://kernelnotes.org/lnxlists/linux-kernel/lk_9909_04/msg00664.html

3) Pete Zaitcev: `Memory corruption with 2.3.18'
   linux-kernel: Sat, 18 Sep 1999 13:15:38 -0700 (PDT)

   This bug in the random driver (the source of the TCP sequence numbers, among other things) was mistakenly thought to be the problem by some when the above post was forwarded to linux-kernel. It was not (an understandable mistake), but it added to the confusion.

Andrey's patch simply ensures that the IP IDs (each IP packet has a 16-bit ID field) are no longer simply incremented for each packet, but some random wobble is included. This field is usually used to recognize related fragments of a packet, should the packet be split inside the network, but the security concerns are more to do with using it to determine how many packets have been sent: this was used in exploit #1 above, but it wasn't the *cause* of the problem. Randomizing IP IDs is mainly about trying to give as little information as possible, rather than fixing any particular exploit.

I hope that clarifies,
Rusty.
--
Hacking time.
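An added illustration of that last point, which is neither kernel code nor Andrey's patch: a model of a 16-bit IP ID field that is plainly incremented per packet, beside one that adds a random per-packet wobble, measuring what a third party who receives two packets from the host learns about how many packets it sent in between. The struct, function names and the toy PRNG are assumptions made for this example.

```c
/* Added illustration, not kernel code and not Andrey's patch: a 16-bit IP ID
 * generator that is plainly incremented per packet beside one that adds a
 * random per-packet "wobble", and the count a third party can infer from two
 * observed packets. Names and the PRNG are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>

/* Small deterministic LCG so runs are reproducible; a stand-in for the
 * kernel's random source, not its real algorithm. */
static uint32_t prng_state = 12345u;
static uint32_t prng_next(void)
{
    prng_state = prng_state * 1103515245u + 12345u;
    return (prng_state >> 16) & 0x7fffu;
}

/* wobble == 0: id++ per packet; wobble > 0: id += 1 + rand in [0, wobble). */
struct ipid_gen { uint16_t id; unsigned wobble; };

static uint16_t ipid_next(struct ipid_gen *g)
{
    unsigned step = 1;
    if (g->wobble)
        step += prng_next() % g->wobble;
    g->id = (uint16_t)(g->id + step);   /* 16-bit field, wraps like the real one */
    return g->id;
}

/* The observer sees one packet's ID, the host then sends 'sent' packets to
 * others, and the observer sees one more. The 16-bit difference between the
 * two IDs, less the observer's own second packet, is all the observer learns
 * about the traffic in between. Keep sent * wobble well below 65536 so the
 * counter does not wrap and make the difference ambiguous. */
static unsigned inferred_count(unsigned sent, unsigned wobble)
{
    struct ipid_gen g = { 1000u, wobble };
    uint16_t first = ipid_next(&g);
    for (unsigned i = 0; i < sent; i++)
        ipid_next(&g);
    uint16_t second = ipid_next(&g);
    return (uint16_t)(second - first) - 1u;
}

int main(void)
{
    unsigned sent = 37;
    printf("packets actually sent: %u\n", sent);
    printf("sequential IDs, inferred: %u (exact)\n", inferred_count(sent, 0));
    printf("wobbled IDs,    inferred: %u (only an upper bound)\n",
           inferred_count(sent, 8));
    return 0;
}
```

With a sequential counter the inferred number equals the real one; with wobble every per-packet step is still at least 1, so the observer gets only an upper bound whose slack grows with the wobble range.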