Hey there,
we´ve been using ipfire for a couple of years now, never had an issue.
Now we need an pci compliant check for creditcard payments(Basically a port scan from an external source). Last years check went through without issues, this year spat out the “Predictable TCP Initial Sequence Numbers Vulnerability”…
Along with some more information:
Details
Kategorie TCP/IP
CVE CVE-1999-0077,CVE-2000-0328,CVE-2000-0916,CVE-2001-0328
CVSS-Basisscore 7.5
Beschreibung Predictable TCP Initial Sequence Numbers Vulnerability
Host XXXX
Bedrohung -
Auswirkung -
Lösung -
PCI-konform Nein
PCI-Details -
Grund -
PCI-Details high
Port -
Hostname XXXX
Host-Betriebssystem -
Ergebnis
Constant changes in initial sequence numbers observed in 22 out of 23 events.
[ Sent Packets Results ]
Packet 1 : TIME[1598275523.153856] SEQ[1441366980] CHANGE[N/A] VARIATION[N/A]
Packet 2 : TIME[1598275523.158843] SEQ[1508402811] CHANGE[67035831] VARIATION[N/A]
Packet 3 : TIME[1598275523.163844] SEQ[1575438642] CHANGE[67035831] VARIATION[0]
Packet 4 : TIME[1598275523.168843] SEQ[1642474473] CHANGE[67035831] VARIATION[0]
Packet 5 : TIME[1598275523.173843] SEQ[1709510304] CHANGE[67035831] VARIATION[0]
Packet 6 : TIME[1598275523.178843] SEQ[1776546135] CHANGE[67035831] VARIATION[0]
Packet 7 : TIME[1598275523.183842] SEQ[1843581966] CHANGE[67035831] VARIATION[0]
Packet 8 : TIME[1598275523.193844] SEQ[1910617797] CHANGE[67035831] VARIATION[0]
Packet 9 : TIME[1598275523.198842] SEQ[1977653628] CHANGE[67035831] VARIATION[0]
Packet 10 : TIME[1598275523.203843] SEQ[2044689459] CHANGE[67035831] VARIATION[0]
Packet 11 : TIME[1598275523.208845] SEQ[2111725290] CHANGE[67035831] VARIATION[0]
Packet 12 : TIME[1598275523.223844] SEQ[2178761121] CHANGE[67035831] VARIATION[0]
Packet 13 : TIME[1598275523.228152] SEQ[2245796952] CHANGE[67035831] VARIATION[0]
Packet 14 : TIME[1598275523.233844] SEQ[2312832783] CHANGE[67035831] VARIATION[0]
Packet 15 : TIME[1598275523.238848] SEQ[2379868614] CHANGE[67035831] VARIATION[0]
Packet 16 : TIME[1598275523.243845] SEQ[2446904445] CHANGE[67035831] VARIATION[0]
Packet 17 : TIME[1598275523.248851] SEQ[2513940276] CHANGE[67035831] VARIATION[0]
Packet 18 : TIME[1598275523.253844] SEQ[2580976107] CHANGE[67035831] VARIATION[0]
Packet 19 : TIME[1598275523.258845] SEQ[2648011938] CHANGE[67035831] VARIATION[0]
Packet 20 : TIME[1598275523.263846] SEQ[2715047769] CHANGE[67035831] VARIATION[0]
Packet 21 : TIME[1598275523.268291] SEQ[2782083600] CHANGE[67035831] VARIATION[0]
Packet 22 : TIME[1598275523.273850] SEQ[2849119431] CHANGE[67035831] VARIATION[0]
Packet 23 : TIME[1598275523.278846] SEQ[2916155262] CHANGE[67035831] VARIATION[0]
Packet 24 : TIME[1598275523.283847] SEQ[2983191093] CHANGE[67035831] VARIATION[0]
CVSS-Basisscore 7.5 - - AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporärer CVSS-Score 5.8 - E:POC/RL:W/RC:UC
Schweregrad 2
Kategorie TCP/IP
CVE ID
CVE-1999-0077
CVE-2000-0328
CVE-2000-0916
CVE-2001-0328
Verkäuferreferenz
MS99-046
cisco-sa-20010301
Bugtraq ID
604
1766
2682
Aktualisierungsdatum 04.06.2019
Bedrohung This server uses TCP/IP implementation that respects the “64K rule”, or a “time dependent rule” for generating TCP sequence numbers. Unauthorized users can predict sequence numbers when two hosts are communicating, and connect to your server from any source IP address. The only difference with a legitimate connection is that the attacker will not see the replies sent back to the authorized user whose IP was forged.
Auswirkung The Initial Sequence Number (ISN) used in TCP/IP sessions should be as random as possible in order to prevent attacks such as IP address spoofing and session hijacking.
If the ISN of an existing or future TCP connection can be determined within some practical range, a malicious agent may be able to close or hijack the TCP connections. If the ISNs of future connections of a system are guessed exactly, an agent may be able to “complete” a TCP three-way handshake, establish a phantom connection, and spoof TCP packets delivered to a victim.
XXXXX
Lösung You may need to upgrade your Operating System to change the behavior of your TCP/IP stack regarding this problem.
This cert advisory describes how to fix this issue : CA-2001-09
XXXXXX
For Microsoft systems you can apply this patch : MS99-046: How to Prevent Predictable TCP/IP Initial Sequence Numbers
XXXXX
For Cisco IOS systems you can apply this patch : cisco-sa-20010301-ios-tcp-isn-random: Cisco IOS Software TCP Initial Sequence Number Randomization Improvements
So, i really don´t know what to make of this, or how to get rid of it… the mentioned CVE is basically 20 years old and should not exist in the current Kernels.
On the other hand, the packet trace shows that there is no variation in between the packets.
The Firewall was updated to core 147 before the check, once again, without any issues.
Would be really great if someone could help me out here.
Cheers.