CVE-2002-1463 - Unspecified vulnerability in Symantec products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.
Vulnerable Configurations
Exploit-Db
description | Linux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability. CVE-1999-0077, CVE-2000-0916, CVE-2001-0162, CVE-2001-0163, CVE-2001-0288, CVE-2001-0328... |
id | EDB-ID:19522 |
last seen | 2016-02-02 |
modified | 1999-09-27 |
published | 1999-09-27 |
reporter | Stealth and S. Krahmer |
source | https://www.exploit-db.com/download/19522/ |
title | Linux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability |
Nessus
NASL family | General |
NASL id | RAPTOR_ISN.NASL |
description | The remote host seems to generate Initial Sequence Numbers (ISN) in a weak manner which seems to solely depend on the source and dest port of the TCP packets. An attacker may exploit this flaw to establish spoofed connections to the remote host. The Raptor Firewall and Novell NetWare are known to be vulnerable to this flaw, although other network devices may be vulnerable as well. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11057 |
published | 2002-08-02 |
reporter | This script is Copyright (C) 2002-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/11057 |
title | TCP/IP Initial Sequence Number (ISN) Reuse Weakness |
code |
#
# (C) Tenable Network Security, Inc.
#
# Script audit and contributions from Carmichael Security
# Erik Anderson <[email protected]> (nb: domain no longer exists)
# Added link to the Bugtraq message archive
#

include("compat.inc");

if(description)
{
  script_id(11057);
  script_version("1.36");
  script_cve_id("CVE-2002-1463");
  script_bugtraq_id(5387, 8652);

  script_name(english:"TCP/IP Initial Sequence Number (ISN) Reuse Weakness");

  script_set_attribute(attribute:"synopsis", value:
"The remote device seems to generate predictable TCP Initial Sequence Numbers." );
  script_set_attribute(attribute:"description", value:
"The remote host seems to generate Initial Sequence Numbers (ISN) in a weak
manner which seems to solely depend on the source and dest port of the TCP
packets.

An attacker may exploit this flaw to establish spoofed connections to the
remote host.

The Raptor Firewall and Novell NetWare are known to be vulnerable to this
flaw, although other network devices may be vulnerable as well." );
  script_set_attribute( attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Aug/60" );
  script_set_attribute( attribute:"see_also", value:"http://securityresponse.symantec.com/avcenter/security/Content/2002.08.05.html" );
  script_set_attribute( attribute:"solution", value:
"If you are using a Raptor Firewall, install the TCP security hotfix
described in Symantec's advisory.

Otherwise, contact your vendor for a patch." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2002/08/02");
  script_set_attribute(attribute:"vuln_publication_date", value: "1995/01/01");
  script_cvs_date("Date: 2019/03/06 18:38:55");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"checks for ISN");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.");
  script_family(english:"General");
  script_require_keys("Settings/ThoroughTests");
  exit(0);
}

include('global_settings.inc');

# Only run as part of thorough scans, over IPv4, against a remote host
if ( ! thorough_tests ) exit(0);
if ( TARGET_IS_IPV6 ) exit(0);
if(islocalhost())exit(0);

port = get_host_open_port();
if(!port)exit(0);

# Two identical IP headers (only the IP id differs)
ip1 = forge_ip_packet(
        ip_hl  : 5,
        ip_v   : 4,
        ip_tos : 0,
        ip_len : 20,
        ip_id  : rand(),
        ip_off : 0,
        ip_ttl : 64,
        ip_p   : IPPROTO_TCP,
        ip_src : compat::this_host()
      );

ip2 = forge_ip_packet(
        ip_hl  : 5,
        ip_v   : 4,
        ip_tos : 0,
        ip_len : 20,
        ip_id  : rand(),
        ip_off : 0,
        ip_ttl : 64,
        ip_p   : IPPROTO_TCP,
        ip_src : compat::this_host()
      );

# Two SYNs from the same source port to the same destination port,
# each with its own random client sequence number
s1 = rand();
s2 = rand();

tcp1 = forge_tcp_packet(ip:ip1, th_sport: 1500, th_dport: port,
                        th_flags:TH_SYN, th_seq: s1, th_ack: 0,
                        th_x2: 0, th_off: 5, th_win: 8192, th_urp: 0);

tcp2 = forge_tcp_packet(ip:ip1, th_sport: 1500, th_dport: port,
                        th_flags:TH_SYN, th_seq: s2, th_ack: 0,
                        th_x2: 0, th_off: 5, th_win: 0, th_urp: 0);

# The SYN-ACK must acknowledge our sequence number + 1
s1 = s1 + 1;
s2 = s2 + 1;

filter = string("tcp and src " , get_host_ip() , " and dst port ", 1500);

r1 = send_packet(tcp1, pcap_active:TRUE, pcap_filter:filter);
if(r1)
{
  # Got a reply - extract the ISN
  isn1 = get_tcp_element(tcp:r1, element:"th_seq");
  ack1 = get_tcp_element(tcp:r1, element:"th_ack");
  if(!(ack1 == s1))exit(0);
  if(!isn1)exit(0);  # port closed

  # Tear down the half-open connection before the second probe
  rst1 = forge_tcp_packet(ip:ip1, th_sport:1500, th_dport: port,
                          th_flags: TH_RST, th_seq: ack1, th_ack:0,
                          th_x2: 0, th_off: 5, th_win: 0, th_urp: 0);
  send_packet(rst1, pcap_active:FALSE);

  r2 = send_packet(tcp2, pcap_active:TRUE, pcap_filter:filter);
  if(r2)
  {
    # Send the second request
    isn2 = get_tcp_element(tcp:r2, element:"th_seq");
    ack2 = get_tcp_element(tcp:r2, element:"th_ack");
    if(!(ack2 == s2))exit(0);
    if(!isn2)exit(0);  # port closed

    # Same ISN for two connections with the same ports: predictable ISN
    if(isn1 == isn2)security_hole(0);
  }
}
NASL family | F5 Networks Local Security Checks |
NASL id | F5_BIGIP_SOL68401558.NASL |
description | Attackers in a privileged network position may be able to obtain TCP sequence numbers (SEQ) from the BIG-IP system for a short period of time (up to 4 seconds) that will be reused in future connections with the same source and destination port and IP numbers. |
last seen | 2020-05-03 |
modified | 2016-11-03 |
plugin id | 94480 |
published | 2016-11-03 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/94480 |
title | F5 Networks BIG-IP : BIG-IP virtual server TCP sequence numbers vulnerability (K68401558) |
code |
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K68401558.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(94480);
  script_version("2.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/07");

  script_cve_id("CVE-2002-1463");

  script_name(english:"F5 Networks BIG-IP : BIG-IP virtual server TCP sequence numbers vulnerability (K68401558)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute( attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch." );
  script_set_attribute( attribute:"description", value:
"Attackers in a privileged network position may be able to obtain TCP
sequence numbers (SEQ) from the BIG-IP system for a short period of time
(up to 4 seconds) that will be reused in future connections with the same
source and destination port and IP numbers." );
  script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K14779" );
  script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K68401558" );
  script_set_attribute( attribute:"solution", value:
"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K68401558." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");

  exit(0);
}

include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K68401558";
vmatrix = make_array();

# This is a version-only check, so it only runs in paranoid mode
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["AFM"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["AM"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["APM"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["ASM"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["AVR"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["GTM"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["LC"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["LTM"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("12.0.0","11.5.0-11.6.1");
vmatrix["PEM"]["unaffected"] = make_list("12.1.0","12.0.0HF1","11.6.1HF1");

if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}