-
Cisco IOS® Software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.
This vulnerability is present in all released versions of Cisco IOS software running on Cisco routers and switches. It only affects the security of TCP connections that originate or terminate on the affected Cisco device itself; it does not apply to TCP traffic forwarded through the affected device in transit between two other hosts.
To remove the vulnerability, Cisco is offering free software upgrades for all affected platforms. The defect is described in DDTS record CSCds04747.
Workarounds are available that limit or deny successful exploitation of the vulnerability by filtering traffic containing forged IP source addresses at the perimeter of a network or directly on individual devices.
This notice will be posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010301-ios-tcp-isn-random.
-
This section provides details on affected products.
Vulnerable Products
The vulnerability is present in all Cisco routers and switches running affected releases of Cisco IOS Software.
To determine the software running on a Cisco product, log in to the device and issue the command "show version" to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS (tm)". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output.
The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software
IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE
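The following Python script is an added example, not part of Cisco's advisory or tooling. It pulls the image name and release out of a "show version" banner and applies the rule used by the fix table later in this notice: a release is vulnerable if it is earlier than the earliest fixed release of the same train. The banner is a constructed sample modelled on the example above; the release parser covers the common major.minor(maintenance[letter])[train[rebuild]] notation and deliberately rejects forms it does not understand (interim builds such as 12.1(5.6)E and the Catalyst W5/WT labels) rather than misreading them. Function names are the example's own.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample, laid out as the two banner lines that "show version" prints on IOS
# (the same device as the advisory's example: C2500-IS-L image, release 12.0(3)).
SAMPLE_BANNER = """Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE (fc1)
"""

# Second banner line: "IOS (tm) <platform> Software (<image>), Version <release>, ..."
_BANNER_RE = re.compile(r"IOS \(tm\) .*?\((?P<image>[^)]+)\), Version (?P<release>[^,\s]+)",
                        re.IGNORECASE)

# IOS release notation handled here: major.minor(maint[rebuild letter])[train[train rebuild]],
# e.g. 12.0(3), 11.2(25a), 12.1(5c)E8, 12.0(11)ST2. Interim builds such as 12.1(5.6)E and the
# Catalyst W5/WT labels do not match and raise ValueError instead of being misread.
_RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)(?P<letter>[a-z]?)\)"
    r"(?P<train>[A-Z]*)(?P<trainrev>\d*)$")


class IosRelease(NamedTuple):
    major: int
    minor: int
    maint: int
    letter: str     # rebuild letter, "" for the base maintenance release
    train: str      # "" for the main line, otherwise e.g. "T", "E", "ST"
    trainrev: int   # rebuild number after the train letters, 0 if none

    @property
    def train_name(self) -> str:
        return f"{self.major}.{self.minor}{self.train}"

    @property
    def order(self):
        # Within one train: maintenance number first, then the rebuild letter ("" sorts
        # before "a"), then the train rebuild number.
        # So 11.2(25) < 11.2(25a) and 12.1(5c)E7 < 12.1(5c)E8.
        return (self.maint, self.letter, self.trainrev)


def parse_release(text: str) -> IosRelease:
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported IOS release notation: {text!r}")
    return IosRelease(int(m["major"]), int(m["minor"]), int(m["maint"]),
                      m["letter"], m["train"], int(m["trainrev"] or 0))


def parse_show_version(banner: str) -> Optional[Tuple[str, str]]:
    """(image name, release string) from show version output, or None when the banner
    is not an IOS banner (PIX, CBOS and CatOS devices print something else)."""
    m = _BANNER_RE.search(banner)
    return (m["image"], m["release"]) if m else None


def is_vulnerable(running: str, earliest_fixed: str) -> Optional[bool]:
    """Apply the fix table's rule: a release earlier than the earliest fixed release of
    its own train is vulnerable. Returns None when the two releases belong to different
    trains, because the table must then be read on the running release's own row."""
    r, f = parse_release(running), parse_release(earliest_fixed)
    if r.train_name != f.train_name:
        return None
    return r.order < f.order


if __name__ == "__main__":
    image, release = parse_show_version(SAMPLE_BANNER)
    print(image, release, "vulnerable against 12.0(15):", is_vulnerable(release, "12.0(15)"))
```

When a device's running release is in a train the table marks "Unavailable", there is no same-train fixed release to compare against; the script returns None for a cross-train comparison on purpose so that the operator reads the "Upgrade recommended to ..." cell instead of trusting a numeric comparison across trains.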
Cisco devices that may be running an affected IOS software release include, but are not limited to:
- 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
- ubr900 and ubr920 universal broadband routers.
- Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC series switches.
- 5200, 5300, 5800 series access servers.
- Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor Module, Catalyst ATM Blade.
- RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR series Cisco routers.
- DistributedDirector.
- Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.
Products Confirmed Not Vulnerable
Cisco products that do not run Cisco IOS software and are not affected by the vulnerability described in this notice include, but are not limited to:
- Cisco PIX firewall.
- Cisco 600 family of routers running CBOS.
- Host-based network management or access management products.
- Cisco IP Telephony and telephony management software (except those that are hosted on a vulnerable IOS platform).
- Voice gateways and convergence products (except those that are hosted on a vulnerable IOS platform).
No other Cisco products are currently known to be affected by this vulnerability.
-
To provide reliable delivery in the Internet, the Transmission Control Protocol (TCP) makes use of a sequence number in each packet to provide orderly reassembly of data after arrival, and to notify the sending host of the successful arrival of the data in each packet.
TCP sequence numbers are 32-bit integers in the circular range of 0 to 4,294,967,295. The host devices at both ends of a TCP connection exchange an Initial Sequence Number (ISN) selected at random from that range as part of the setup of a new TCP connection. After the session is established and data transfer begins, the sequence number is regularly augmented by the number of octets transferred, and transmitted to the other host. To prevent the receipt and reassembly of duplicate or late packets in a TCP stream, each host maintains a "window", a range of values close to the expected sequence number, in which the sequence number in an arriving packet must fall if it is to be accepted. Assuming a packet arrives with the correct source and destination IP addresses, source and destination port numbers, and a sequence number within the allowable window, the receiving host will accept the packet as genuine.
This method provides reasonably good protection against accidental receipt of unintended data. However, to guard against malicious use, it should not be possible for an attacker to infer a particular number in the sequence. If the initial sequence number is not chosen randomly or if it is incremented in a non-random manner between the initialization of subsequent TCP sessions, then it is possible, with varying degrees of success, to forge one half of a TCP connection with another host in order to gain access to that host, or hijack an existing connection between two hosts in order to compromise the contents of the TCP connection. To guard against such compromises, ISNs should be generated as randomly as possible.
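As an added example, not taken from the advisory, the Python below makes the argument above concrete. It takes a series of ISNs observed by opening connections to a host (here constructed samples: one from a generator that bumps the ISN by a fixed amount per connection, one drawn from the operating system's random source), estimates the next ISN together with the size of the uncertainty an attacker is left with, applies the receiver's window test with 32-bit wraparound, and counts how many forged segments would be needed to land one inside a given window. Function names and sample values are the example's own.

```python
import os
import struct

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Increment between consecutive observed ISNs, reduced modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def analyse_isns(isns):
    """Estimate the next ISN from the observed ones and how uncertain that estimate is.

    Returns (predicted_next, spread). spread is the range of increments seen so far:
    with a fixed-increment generator it is 0 and the prediction is exact; with a random
    generator it approaches 2^32 and the prediction is worthless. Needs three samples."""
    d = isn_deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISN samples")
    spread = max(d) - min(d)
    predicted = (isns[-1] + d[-1]) % MOD
    return predicted, spread


def in_window(seq, rcv_nxt, rcv_wnd):
    """Receiver-side acceptance test described above: seq must fall inside
    [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32. Modular subtraction handles the wrap."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def guesses_to_hit_window(spread, rcv_wnd):
    """Forged segments an attacker must send, stepping through the uncertainty range one
    window width at a time, so that at least one lands inside the receiver's window."""
    return spread // rcv_wnd + 1


def fixed_step_isns(start, step, count):
    """Constructed sample: a weak generator that adds a constant per new connection."""
    return [(start + i * step) % MOD for i in range(count)]


def random_isns(count):
    """Constructed sample: each ISN drawn from the OS cryptographic random source."""
    return [struct.unpack(">I", os.urandom(4))[0] for _ in range(count)]


if __name__ == "__main__":
    window = 65_535
    weak = fixed_step_isns(0x1000, 64_000, 6)
    predicted, spread = analyse_isns(weak[:-1])
    print(f"fixed-step: predicted {predicted:#x}, actual {weak[-1]:#x}, spread {spread}, "
          f"segments needed {guesses_to_hit_window(spread, window)}")
    strong = random_isns(6)
    predicted, spread = analyse_isns(strong[:-1])
    print(f"random: predicted {predicted:#x}, actual {strong[-1]:#x}, spread {spread}, "
          f"segments needed {guesses_to_hit_window(spread, window)}")
```

Two caveats a practitioner should keep in mind. The blind-spoofing attack on connection setup needs the exact value (the ACK that completes the handshake must acknowledge ISN+1), so a small but non-zero spread still forces the attacker to send one SYN/ACK completion per candidate value; and the window test shows why ISN quality matters even for hijacking an established connection, since a 64 KiB window covers only one 65536th of the sequence space.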
This defect, documented as DDTS CSCds04747, has been corrected by providing an improved method for generating TCP Initial Sequence Numbers.
-
There is no specific configurable workaround that directly addresses the possibility of predicting a TCP Initial Sequence Number. To limit malicious use of this vulnerability from inside the network, use transports that make interception and modification of a session detectable, if not preventable, wherever appropriate. Examples include using IPsec or SSH for interactive sessions to the Cisco device, TCP MD5 authentication to protect BGP sessions, and strong authentication for access control.
Malicious use of this vulnerability from outside the administrative boundaries of the network can be mitigated, if not prevented entirely, by using access control lists at the perimeter to drop packets that carry forged source or destination IP addresses.
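As an added illustration, not configuration from the advisory, the Python below models the two border filters that the workaround describes (drop inbound packets that claim an internal source or carry a destination the site does not own; drop outbound packets whose source is not the site's own) and runs constructed packets through them. The internal prefix 192.0.2.0/24, the interface name and the access-list numbers in the IOS lines quoted in the comments are assumptions made for the example. The filters stop an outside attacker from forging an inside address; they do nothing against an attacker already inside the filtered perimeter, which is why the transport protections above are still needed.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Assumed for the example: the site's own address block (a documentation range).
INTERNAL_PREFIXES = [ip_network("192.0.2.0/24")]


class Packet(NamedTuple):
    src: str
    dst: str
    direction: str  # "in" = arriving on the outside interface, "out" = leaving through it


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_PREFIXES)


def ingress_permit(pkt: Packet) -> bool:
    """Inbound filter on the border interface. A packet from the Internet may neither
    claim an internal source (the forged-source case) nor target a non-internal
    destination. Equivalent IOS configuration (illustrative):
        access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
        access-list 110 permit ip any 192.0.2.0 0.0.0.255
        interface Serial0
         ip access-group 110 in
    The implicit deny at the end of the list drops everything else."""
    return (not is_internal(pkt.src)) and is_internal(pkt.dst)


def egress_permit(pkt: Packet) -> bool:
    """Outbound filter: only packets sourced from the site's own prefixes may leave, so
    hosts behind this router cannot forge other networks' addresses either.
    Equivalent IOS configuration (illustrative):
        access-list 111 permit ip 192.0.2.0 0.0.0.255 any
        interface Serial0
         ip access-group 111 out"""
    return is_internal(pkt.src)


def decide(pkt: Packet) -> str:
    permitted = ingress_permit(pkt) if pkt.direction == "in" else egress_permit(pkt)
    return "permit" if permitted else "deny"


# Constructed sample traffic.
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.1", "in"),      # outside packet claiming an inside source
    Packet("198.51.100.7", "192.0.2.1", "in"),    # genuine inbound connection to the router
    Packet("198.51.100.7", "203.0.113.5", "in"),  # inbound, but for a destination we do not own
    Packet("192.0.2.1", "198.51.100.7", "out"),   # genuine outbound reply
    Packet("203.0.113.9", "198.51.100.7", "out"), # inside host forging an outside source
]


def run(packets=SAMPLE):
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run()):
        print(f"{p.direction:>3} {p.src:>13} -> {p.dst:<13} {verdict}")
```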
-
The following table summarizes the IOS software releases that are known to be affected, and the earliest estimated dates of availability for the recommended fixed versions. Dates are always tentative and subject to change.
Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, the earliest releases that contain the fix, identified as a rebuild, interim, or maintenance release, are listed together with the anticipated date of availability of each. A device running any release in a given train that is earlier than the listed release (less than the earliest fixed release) is known to be vulnerable and should be upgraded at least to the indicated release or a later one (greater than the earliest fixed release label).
When selecting a release, keep in mind the following definitions:
Maintenance
Most heavily tested and highly recommended release of any label in a given row of the table.
Rebuild
Constructed from the previous maintenance or major release in the same train, it contains the fix for a specific defect. Although it receives less testing, it contains only the minimal changes necessary to effect the repair.
Interim
Built at regular intervals between maintenance releases and subjected to less testing. Interims should be selected only if there is no other suitable release that addresses the vulnerability, and interim images should be upgraded to the next available maintenance release as soon as possible. Interim releases are not available via manufacturing, and usually they are not available for customer download from CCO without prior arrangement with the Cisco TAC.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown later in this notice.
More information on IOS release names and abbreviations is available at http://www.cisco.com/warp/public/620/1.html.
Train | Description of Image or Platform | Earliest fixed release(s) (rebuild, interim** or maintenance) | Availability of Fixed Releases*

11.0-based Releases
11.0 | Major release for all platforms | 11.1(22a) | 2001-Mar-19

11.1-based Releases
11.1 | Major release for all platforms | 11.1(24a) | 2001-Mar-19
11.1AA | ED release for access servers: 1600, 3200, and 5200 series | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
11.1CA | Platform-specific support for 7500, 7200, 7000, and RSP | 11.1(36)CA1 | 2001-Mar-02
11.1CC | ISP train: added support for FIB, CEF, and NetFlow on 7500, 7200, 7000, and RSP | 11.1(36)CC1 | 2001-Mar-02
11.1CT | Added support for Tag Switching on 7500, 7200, 7000, and RSP | 12.0(11)ST2 | 2001-Feb-26
11.1IA | Distributed Director only | 11.1(28a)IA1 | 2001-Mar-02

11.2-based Releases
11.2 | Major release, general deployment | 11.2(25a), 11.2(25) | 2001-Mar-05, Available
11.2BC | Platform-specific support for IBM networking, CIP, and TN3270 on 7500, 7000, and RSP | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
11.2F | Feature train for all platforms | Unavailable | Upgrade recommended
11.2GS | Early deployment release to support 12000 GSR | Unavailable | Upgrade recommended to 12.0(15)S1, available 2001-Feb-26
11.2P | New platform support | 11.2(25a)P, 11.2(25)P | 2001-Mar-05, Available
11.2SA | Catalyst 2900XL switch only | Unavailable | Upgrade recommended to 12.0WC
11.2WA3 | LightStream 1010 ATM switch | 12.0(10)W(18b), 12.0(13)W5(19b) | Available, Available
11.2(4)XA | Initial release for the 1600 and 3600 | 11.2(25a)P, 11.2(25)P | 2001-Mar-05, Available
11.2(9)XA | Initial release for the 5300 and digital modem support for the 3600 | 11.2(25a)P, 11.2(25)P | 2001-Mar-05, Available

11.3-based Releases
11.3 | Major release for all platforms | 11.3(11b) | 2001-Mar-05
11.3AA | ED for dial platforms and access servers: 5800, 5200, 5300, 7200 | 11.3(11a)AA | 2001-Mar-05
11.3DA | Early deployment train for ISP DSLAM 6200 platform | Unavailable | Upgrade recommended to 12.1(5)DA1, available 2001-Mar-19
11.3DB | Early deployment train for ISP/Telco/PTT xDSL broadband concentrator platform (NRP) for 6400 | Unavailable | Upgrade recommended to 12.1(4)DB1, available 2001-Feb-28
11.3HA | Short-lived ED release for ISR 3300 (SONET/SDH router) | Vulnerable |
11.3MA | MC3810 functionality only | 11.3(1)MA8 | 2001-Mar-19
11.3NA | Voice over IP, media convergence, various platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
11.3T | Early deployment major release, feature-rich for early adopters | 11.3(11b)T1 | 2001-Mar-05
11.3WA4 | LightStream 1010 | 12.0(10)W(18b), 12.0(13)W5(19b) | Available, Available
11.3(2)XA | Introduction of ubr7246 and 2600 | 11.3(11b)T1 | 2001-Mar-05

12.0-based Releases
12.0 | General deployment release for all platforms | 12.0(15) | Available
12.0DA | xDSL support: 6100, 6200 | Unavailable | Upgrade recommended to 12.1(5)DA1, available 2001-Mar-19
12.0DB | General deployment release for all platforms | Unavailable | Upgrade recommended to 12.1(4)DB1, available 2001-Feb-28
12.0DC | General deployment release for all platforms | Unavailable | Upgrade recommended to 12.1(4)DC2, available 2001-Feb-28
12.0S | Core/ISP support: GSR, RSP, c7200 | 12.0(14)S1, 12.0(14.6)S | Available, Available
12.0SC | Cable/broadband ISP: ubr7200 | 12.0(15)SC1 | 2001-Mar-05
12.0SL | 10000 ESR: c10k | 12.0(14)SL1 | 2001-Feb-26
12.0ST | General deployment release for all platforms | 12.0(11)ST2 | 2001-Feb-26
12.0SX | Early Deployment (ED) | 12.0(5c)E8 | 2001-Feb-26
12.0T | Early Deployment (ED): VPN, Distributed Director, various platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0W5 | Catalyst switches: cat8510c, cat8540c, ls1010, cat8510m, cat8540m | 12.0(13)W5(19c) | 2001-Mar-14
12.0W5 | Catalyst switches: cat5atm, cat2948g-L3, cat4232 | 12.0(14)W5(20) | 2001-Mar-02
12.0W5 | Catalyst switches: c6msm | 12.0(13)W5(19c) | 2001-Mar-14
12.0WT | Catalyst switches: cat4840g | 12.0(13)WT6(1) | 2001-Mar-15
12.0XA | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XB | Short-lived early deployment release | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XC | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XD | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XE | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(5)E8, available 2001-Mar-05
12.0XF | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XG | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XH | Early Deployment (ED): limited platforms | 12.0(4)XH5 | 2001-Mar-12
12.0XI | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XJ | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XK | Early Deployment (ED): limited platforms | 12.0(7)XK4 | 2001-Mar-26
12.0XL | Early Deployment (ED): limited platforms | 12.0(4)XH5, 12.1(7) | 2001-Mar-12
12.0XM | Early Deployment (ED): limited platforms | 12.0(5)XM1 | 2001-Mar-05
12.0XN | Early Deployment (ED): limited platforms | |
12.0XP | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1WC, available 2001-Apr-12
12.0XQ | Short-lived early deployment release | Unavailable | Upgrade recommended to 12.1(7), available 2001-Feb-26
12.0XR | Short-lived early deployment release | Unavailable | Upgrade recommended to 12.1(5)T5, available 2001-Mar-05
12.0XS | Short-lived early deployment release | Unavailable | Upgrade recommended to 12.1(5)E8, available 2001-Mar-05
12.0XU | Early Deployment (ED): limited platforms | Unavailable | Upgrade recommended to 12.1WC, available 2001-Apr-12
12.0XV | Short-lived early deployment release | Unavailable | Upgrade recommended to 12.1(5)T5, available 2001-Mar-05

12.1-based and Later Releases
12.1 | General deployment release for all platforms | 12.1(5c), 12.1(7) | 2001-Feb-20, Available
12.1AA | Dial support | 12.1(7)AA | 2001-Mar-12
12.1DA | xDSL support: 6100, 6200 | 12.1(5)DA1, 12.1(6)DA | 2001-Feb-28, 2001-Feb-26
12.1CX | Core/ISP support: GSR, RSP, c7200 | 12.1(4)CX | 2001-Mar-13
12.1DB | General deployment release for all platforms | 12.1(4)DB1, 12.1(5)DB | 2001-Mar-05, 2001-Mar-19
12.1DC | General deployment release for all platforms | 12.1(4)DC2, 12.1(5)DC | 2001-Mar-05, 2001-Mar-19
12.1E | Core/ISP support: GSR, RSP, c7200 | 12.1(5c)E8, 12.1(5.6)E, 12.1(6)E | 2001-Mar-05, 2001-Mar-12
12.1EC | Core/ISP support: GSR, RSP, c7200 | 12.1(5)EC1, 12.1(4.5)EC, 12.1(6)EC | 2001-Feb-26, 2001-Mar-26
12.1EX | Core/ISP support: GSR, RSP, c7200 | 12.1(5c)EX | 2001-Mar-12
12.1EY | Cat8510c, Cat8510m, Cat8540c, Cat8540m, LS1010 | Not Vulnerable |
12.1T | Early Deployment (ED): VPN, Distributed Director, various platforms | 12.1(5)T5 | 2001-Mar-05
12.1XA | Early Deployment (ED): limited platforms | 12.1(5)T5 | 2001-Mar-05
12.1XB | Early Deployment (ED): limited platforms | 12.1(5)T5 | 2001-Mar-05
12.1XC | Early Deployment (ED): limited platforms | 12.1(5)T5 | 2001-Mar-05
12.1XD | Early Deployment (ED): limited platforms | 12.1(5)T5 | 2001-Mar-05
12.1XE | Early Deployment (ED): limited platforms | 12.1(5)T5 | 2001-Mar-05
12.1XF | Early Deployment (ED): 811 and 813 (c800 images) | 12.1(2)XF3 | 2001-Mar-05
12.1XG | Early Deployment (ED): 800, 805, 820, and 1600 | 12.1(3)XG3 | Available
12.1XH | Early Deployment (ED): limited platforms | 12.1(2)XH5 | 2001-Mar-12
12.1XI | Early Deployment (ED): limited platforms | 12.1(3a)XI6 | 2001-Mar-19
12.1XJ | Early Deployment (ED): limited platforms | Indeterminate | Unscheduled
12.1XK | Early Deployment (ED): limited platforms | 12.1(5)T5 | 2001-Mar-05
12.1XL | Early Deployment (ED): limited platforms | 12.1(3)XL1 | 2001-Mar-05
12.1XM | Short-lived early deployment release | 12.1(5)XM1 | 2001-Feb-28
12.1XP | Early Deployment (ED): 1700 and SOHO | 12.1(3)XP3 | 2001-Mar-05
12.1XQ | Short-lived early deployment release | 12.1(3)XQ3 | 2001-Mar-12
12.1XR | Short-lived early deployment release | 12.1(5)XR1 | 2001-Feb-20
12.1XS | Short-lived early deployment release | 12.1(5)XS | 2001-Mar-12
12.1XT | Early Deployment (ED): 1700 series | 12.1(3)XT1 | Available
12.1XU | Early Deployment (ED): limited platforms | 12.1(5)XU1 | 2001-Feb-15
12.1XV | Short-lived early deployment release | 12.1(5)XV1 | 2001-Mar-12
12.1XW | Short-lived early deployment release | 12.1(5)XW2 | 2001-Mar-06
12.1XX | Short-lived early deployment release | 12.1(5)XX3 | 2001-Mar-06
12.1XY | Short-lived early deployment release | 12.1(5)XY4 | 2001-Mar-06
12.1XZ | Short-lived early deployment release | 12.1(5)XZ2 | 2001-Mar-06
12.1YA | Short-lived early deployment release | 12.1(5)YA1 | 2001-Mar-06
12.1YB | Short-lived early deployment release | 12.1(5)YB | 2001-Feb-13
12.1YC | Short-lived early deployment release | 12.1(5)YC1 | 2001-Feb-26
12.1YD | Short-lived early deployment release | 12.1(5)YD | 2001-Mar-12
Notes
* All dates are estimated and subject to change.
** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs.
-
The general case of this vulnerability in TCP is well-known to the information system security community. Details specific to TCP connections to or from Cisco products do not appear to be widely known and the topic does not appear to have been widely discussed.
Cisco is not aware of instances in which this vulnerability has been used maliciously. However, there are numerous off-the-shelf programs and scripts available which can demonstrate the vulnerability and which could be modified to exploit it with malicious intent. Various security scanning programs have been known to provide positive test results for this vulnerability on Cisco devices.
This vulnerability was discovered internally. Two customers reported the vulnerability while a fix was still in progress.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.3, 2004-January-07: Corrected typo in software table for IOS 11.2SA
Revision 1.2, 2001-March-07: Revised software table with correct version numbers
Revision 1.1, 2001-March-02: Revised software table with correct version numbers
Revision 1.0, 2001-March-01: Initial public release
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.