CVE-2004-0641
CVSS 7.5
Published: 2004-08-05 00:00:00
Revised: 2008-09-05 16:38:59

[Original] Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.


[CNNVD] Thomson SpeedTouch Home ADSL Modem predictable TCP sequence number vulnerability (CNNVD-200408-015)

The Thomson SpeedTouch Home ADSL Modem is an ADSL router intended for home use.
The Thomson SpeedTouch Home ADSL Modem has a guessable TCP sequence number problem; a remote attacker can exploit it to forge TCP traffic.
Because the device's TCP initial sequence numbers can be guessed, an attacker can use forged traffic to disrupt the ADSL modem's communications or hijack the device.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0641
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0641
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-015
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/16919
(VENDOR_ADVISORY)  XF  speedtouch-hijack-connection(16919)
http://www.securityfocus.com/bid/10881
(VENDOR_ADVISORY)  BID  10881
http://www.idefense.com/application/poi/display?id=120&type=vulnerabilities&flashstatus=true
(VENDOR_ADVISORY)  IDEFENSE  20040805 Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN Generation
http://www.auscert.org.au/render.html?it=4299
(VENDOR_ADVISORY)  AUSCERT  ESB-2004.0504
http://secunia.com/advisories/12238/
(VENDOR_ADVISORY)  SECUNIA  12238

- Vulnerability information

Thomson SpeedTouch Home ADSL Modem predictable TCP sequence number vulnerability
High severity; Design error
Published: 2004-08-05 00:00:00  Updated: 2005-10-20 00:00:00
Remote

- Advisories and patches

Vendor patch:
Thomson
--------
The vendor has not yet released a patch or upgrade. Users of this product are advised to monitor the vendor's homepage for the latest version:
        
        http://www.speedtouch.com/

- Vulnerability information (F33975)

iDEFENSE Security Advisory 2004-08-05.t (PacketStormID:F33975)
2004-08-06 00:00:00
iDefense Labs  idefense.com
advisory,remote,spoof,tcp
CVE-2004-0641

iDEFENSE Security Advisory 08.05.04: Remote exploitation of a design error vulnerability in Thompson's SpeedTouch Home ADSL modem allows attackers to spoof TCP traffic on behalf of the device.

Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN Generation

iDEFENSE Security Advisory 08.05.04:

I. BACKGROUND

The Thompson (formerly Alcatel) SpeedTouch is an ADSL router for home
and business providing a continuously available, "always on,"
connection. More information about the product can be found at
http://www.speedtouchdsl.com/.

II. DESCRIPTION

Remote exploitation of a design error vulnerability in Thompson's
SpeedTouch Home ADSL modem allows attackers to spoof TCP traffic on
behalf of the device.

The problem specifically exists due to the predictable nature of the TCP
Initial Sequence Number (ISN) generator on the device. The following
sanitized tcpdump output demonstrates the existence of the vulnerability
when 10 consecutive TCP connection requests are generated for the telnet
server (port 23) on the Thompson device:

48.3 host_a.1096   > host_b.telnet: S
48.3 host_b.telnet > host_a.1096: S 4081040897:4081040897(0) ack
48.3 host_a.1096   > host_b.telnet: R
48.4 host_a.1096   > host_b.telnet: S
48.4 host_b.telnet > host_a.1096: S 4081104897:4081104897(0) ack
48.4 host_a.1096   > host_b.telnet: R
48.6 host_a.1096   > host_b.telnet: S
48.6 host_b.telnet > host_a.1096: S 4081232897:4081232897(0) ack
48.6 host_a.1096   > host_b.telnet: R
48.7 host_a.1096   > host_b.telnet: S
48.7 host_b.telnet > host_a.1096: S 4081296897:4081296897(0) ack
48.7 host_a.1096   > host_b.telnet: R
48.9 host_a.1096   > host_b.telnet: S
48.9 host_b.telnet > host_a.1096: S 4081360897:4081360897(0) ack
48.9 host_a.1096   > host_b.telnet: R
49.0 host_a.1096   > host_b.telnet: S
49.0 host_b.telnet > host_a.1096: S 4081488897:4081488897(0) ack
49.0 host_a.1096   > host_b.telnet: R
49.2 host_a.1096   > host_b.telnet: S
49.2 host_b.telnet > host_a.1096: S 4081552897:4081552897(0) ack
49.2 host_a.1096   > host_b.telnet: R
49.3 host_a.1096   > host_b.telnet: S
49.3 host_b.telnet > host_a.1096: S 4081616897:4081616897(0) ack
49.3 host_a.1096   > host_b.telnet: R
49.5 host_a.1096   > host_b.telnet: S
49.5 host_b.telnet > host_a.1096: S 4081744897:4081744897(0) ack
49.5 host_a.1096   > host_b.telnet: R
49.6 host_a.1096   > host_b.telnet: S
49.6 host_b.telnet > host_a.1096: S 4081808897:4081808897(0) ack
49.6 host_a.1096   > host_b.telnet: R

In the above example, host_a is the querying host and host_b is the
Thompson device. A clear pattern in ISN generation can be seen as the
value increases by approximately 64,000 each millisecond.
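As an added example (not part of the iDEFENSE advisory or this database record), the following Python audits a device's ISN choices from the SYN/ACK lines of the capture above, the way a defender would check their own equipment: it extracts the ISNs, computes the deltas between consecutive ones, the common step they share, and a crude effective-entropy figure. The `2**20` threshold for flagging a generator as predictable is an assumption chosen here, not a published standard.

```python
import math
import re
from functools import reduce

# SYN/ACK lines from the sanitized tcpdump output quoted above (host_b is the
# SpeedTouch); only these carry the device's ISN, so SYN/RST lines are omitted.
ADVISORY_SYNACKS = """\
48.3 host_b.telnet > host_a.1096: S 4081040897:4081040897(0) ack
48.4 host_b.telnet > host_a.1096: S 4081104897:4081104897(0) ack
48.6 host_b.telnet > host_a.1096: S 4081232897:4081232897(0) ack
48.7 host_b.telnet > host_a.1096: S 4081296897:4081296897(0) ack
48.9 host_b.telnet > host_a.1096: S 4081360897:4081360897(0) ack
49.0 host_b.telnet > host_a.1096: S 4081488897:4081488897(0) ack
49.2 host_b.telnet > host_a.1096: S 4081552897:4081552897(0) ack
49.3 host_b.telnet > host_a.1096: S 4081616897:4081616897(0) ack
49.5 host_b.telnet > host_a.1096: S 4081744897:4081744897(0) ack
49.6 host_b.telnet > host_a.1096: S 4081808897:4081808897(0) ack
"""

# tcpdump prints a SYN/ACK as "S <isn>:<isn>(0) ack"
SYNACK_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+>\s+\S+:\s+S\s+(\d+):\d+\(0\)\s+ack")

def parse_isns(capture, sender="host_b.telnet"):
    """Return the ISNs chosen by `sender`, in capture order."""
    isns = []
    for line in capture.splitlines():
        m = SYNACK_RE.match(line.strip())
        if m and m.group(2) == sender:
            isns.append(int(m.group(3)))
    return isns

def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32 (sequence space wraps)."""
    return [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]

def assess_isn_generator(isns, predictable_below=2**20):
    """Crude audit: a sound generator spreads consecutive ISNs across the whole
    32-bit space; a clocked counter yields small deltas sharing a common step.
    The predictable_below default (2**20) is an assumption, not a standard."""
    if len(isns) < 2:
        raise ValueError("need at least two ISNs")
    deltas = isn_deltas(isns)
    step = reduce(math.gcd, deltas)        # quantum the generator counts in
    span = max(deltas)
    # distinct next-delta values consistent with the observed pattern; log2 of
    # that approximates the effective entropy in bits (ideal: about 32)
    candidates = max(span // step, 1)
    return {"deltas": deltas, "step": step, "max_delta": span,
            "effective_bits": math.log2(candidates),
            "predictable": span < predictable_below}
```

Run against the advisory's capture, every delta is a multiple of 64,000 and the next ISN has only a handful of plausible values, which is the pattern the advisory points out.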

III. ANALYSIS

Successful exploitation of weak ISNs for the purpose of connection
spoofing is not a trivial task. Successful exploitation allows an
attacker to generate traffic on behalf of the affected device. Such an
ability is most dangerous when trust paths exist between the affected
device and another remote system.

IV. DETECTION

iDEFENSE has verified the existence of this vulnerability in Thompson's
SpeedTouch firmware version GV8BAA3.270 (1003825). It is suspected that
earlier versions are susceptible to exploitation as well.

V. WORKAROUNDS

Untrusted traffic should be filtered at the network perimeter.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0641 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VII. DISCLOSURE TIMELINE

06/08/04   Initial vendor contact - no response
06/08/04   iDEFENSE clients notified
06/18/04   Secondary vendor contact - no response
08/05/04   Public disclosure

VIII. CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

IX. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

Thomson SpeedTouch Home ADSL Modem Predictable Initial TCP Sequence Number Vulnerability
Class: Design Error (BID 10881)
Published: 2004-08-05 12:00:00  Updated: 2009-07-12 06:16:00
Discovery of this vulnerability is credited to an anonymous source.

- Affected program versions

Thomson SpeedTouch 510 ADSL Router

- Discussion

A vulnerability is reported to exist in the algorithms used by Thomson SpeedTouch Home ADSL Modem to generate initial TCP sequence numbers. The ability to predict TCP sequence numbers may allow a remote attacker to inject packets into a vulnerable data stream, for example the telnet service on the affected modem.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.
