Published: 2000-12-19 00:00:00
Revised: 2008-09-05 16:22:11

[Original] FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections.

[CNNVD] BSD weak initial sequence number vulnerability (CNNVD-200012-185)

        FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, use an insufficiently random number generator to produce initial TCP sequence numbers (ISNs), which allows remote attackers to spoof TCP connections.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:4.1.1    FreeBSD 4.1.1
cpe:/o:freebsd:freebsd:2.0      FreeBSD 2.0
cpe:/o:freebsd:freebsd:3.0      FreeBSD 3.0
cpe:/o:freebsd:freebsd:4.0      FreeBSD 4.0
cpe:/o:freebsd:freebsd:4.1      FreeBSD 4.1

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources

- Vulnerability information

BSD weak initial sequence number vulnerability
High severity    Design error
2000-12-19 00:00:00    2005-10-20 00:00:00
        FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, use an insufficiently random number generator to produce initial TCP sequence numbers (ISNs), which allows remote attackers to spoof TCP connections.

- Advisories and patches

        FreeBSD has corrected the problem and released patches for 4.x and 3.x versions.
        FreeBSD FreeBSD 3.x
        FreeBSD FreeBSD 4.0
        FreeBSD FreeBSD 4.1
        FreeBSD FreeBSD 4.1.1

- Vulnerability information

BSD Weak Initial Sequence Number Vulnerability
Design Error    1766
Yes No
2000-10-05 12:00:00 2009-07-11 03:56:00
First published in HERT advisory #00003 posted to Bugtraq by Pascal Bouchareine <>.

- Affected program versions

FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.x
FreeBSD FreeBSD 2.x

- Vulnerability discussion

During the TCP three-way handshake (connection initiation), the host to which the connection request was sent is responsible for generating the "initial TCP sequence number". This number is used to verify that the final part of the connection initiation (the final ACK) is completed by the correct host (i.e., only the host that originally made the request should be able to respond with that sequence number + 1).

Traditionally, remote (outside of LAN) TCP connection spoofing has been possible due to guessable initial sequence numbers. Their predictability is a result of their generation algorithms. 4.4BSD-Lite2 and derived operating systems (such as FreeBSD) contain code that attempts to add "randomness" to the generation of initial sequence numbers. Unfortunately the initial sequence numbers generated by vulnerable BSD-based operating systems are predictable if certain circumstances are met. To quote the FreeBSD advisory on this issue,

"the pseudo-random number generator used is a simple linear congruent generator, and based on observations of a few initial sequence values from legitimate connections with a server, an attacker can guess with high probability the value which will be used for the next connection."

If an attacker can watch several legitimate connections establish between his host and the target, it becomes possible to anticipate future initial sequence numbers. With this capability, an attacker can carry out attacks against host-address-based authentication on the victim server. However, in order to exploit this successfully, the host being spoofed must be down or non-responsive to SYN-ACKs it does not expect to receive. There must also be a service or application in use on the target server that relies only on host-address authentication (which is what spoofing would defeat).

An example of how this can be exploited, in conjunction with an application that uses host-address-based authentication, is as follows:

Berkeley "r-services": If a victim is running these services and .rhosts authentication is in use, it may be possible for an attacker to use this vulnerability to spoof connections from trusted hosts (which do not require authentication). The address used (spoofed) would have to be that of a host trusted by the user and listed in their .rhosts file. It would also have to be down or non-responsive, something the attacker could accomplish with a denial-of-service attack. If successful, the attacker could add a host under his control to the victim user's .rhosts file, allowing him to log in without password authentication over a legitimate (and non-blind) TCP connection.

FreeBSD is confirmed to be vulnerable; it has not been verified whether other BSDs are.
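The discussion above turns on one property: a linear congruential generator with public parameters lets anyone who sees one output compute the next, whereas an ISN derived from a secret key and the connection 4-tuple does not. The following Python example is added here to illustrate that contrast and is not code from FreeBSD or from the advisory. The LCG constants, addresses, ports and secret key are constructed for the demonstration (they are not FreeBSD's actual generator parameters), and the keyed generator follows the shape described in RFC 6528 (ISN = M + F(4-tuple, secret), with M a 4-microsecond clock) rather than any particular kernel's implementation. `lcg_fit` is the audit check a defender would want: given ISNs observed from a server's legitimate connections, does the sequence follow the LCG recurrence?

```python
import hashlib
import hmac
import socket
import struct

# Constructed LCG parameters (textbook constants, NOT FreeBSD's actual ones).
LCG_A = 1664525
LCG_C = 1013904223
LCG_M = 2 ** 32


class LcgIsnGenerator:
    """Weak ISN source: the next ISN is a fixed function of the previous one."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def next_isn(self):
        self.state = (LCG_A * self.state + LCG_C) % LCG_M
        return self.state


def predict_next(observed_isn):
    """With public A, C, M a single observed ISN fixes the following one."""
    return (LCG_A * observed_isn + LCG_C) % LCG_M


def lcg_fit(observed):
    """Audit check: do consecutive observed ISNs satisfy the LCG recurrence?

    Returns True when every pair (x, y) in the observed sequence obeys
    y == (A*x + C) mod M, i.e. the server's ISNs are fully predictable.
    """
    pairs = zip(observed, observed[1:])
    return all(predict_next(x) == y for x, y in pairs)


def keyed_isn(secret, laddr, lport, raddr, rport, clock_us):
    """Hardened ISN in the style of RFC 6528: M + F(4-tuple, secret).

    M advances every 4 microseconds; F is a keyed hash of the connection
    4-tuple, so an observer cannot derive one connection's ISN from another's
    without the secret.  (HMAC-SHA256 is used here for illustration; the RFC
    only requires a suitable keyed function.)
    """
    tuple_bytes = (
        socket.inet_aton(laddr) + struct.pack("!H", lport)
        + socket.inet_aton(raddr) + struct.pack("!H", rport)
    )
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    f = int.from_bytes(digest[:4], "big")
    m = (clock_us // 4) & 0xFFFFFFFF
    return (m + f) & 0xFFFFFFFF


def demo():
    """Return (weak_predictable, hardened_predictable) for the two generators."""
    weak = LcgIsnGenerator(seed=12345)          # constructed seed
    weak_isns = [weak.next_isn() for _ in range(5)]

    secret = b"constructed-demo-secret-do-not-reuse"  # constructed key
    hardened_isns = [
        # Same client address, successive source ports, 1 ms apart.
        keyed_isn(secret, "192.0.2.10", 22, "198.51.100.7", 40000 + i, i * 1000)
        for i in range(5)
    ]
    return lcg_fit(weak_isns), lcg_fit(hardened_isns)


if __name__ == "__main__":
    weak_predictable, hardened_predictable = demo()
    print("LCG ISNs follow recurrence:", weak_predictable)      # True
    print("Keyed ISNs follow recurrence:", hardened_predictable)  # False
```

Running `demo()` shows the weak generator's observed ISNs satisfy the recurrence exactly, so an observer needs only one legitimate connection to know the next ISN, while the keyed construction gives unrelated values for successive connections even from the same client. In practice the secret must be generated from a cryptographic random source at boot and, as the RFC notes, the clock component still keeps ISNs for the same 4-tuple monotonically increasing so old segments are not mistaken for new ones.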

- Exploit


- Solution

FreeBSD has corrected the problem and released patches for 4.x and 3.x versions.

FreeBSD FreeBSD 3.x

FreeBSD FreeBSD 4.0

FreeBSD FreeBSD 4.1

FreeBSD FreeBSD 4.1.1

- References