CVE-2002-1463 - Predictable TCP initial sequence numbers (ISN) in Symantec Raptor Firewall, Enterprise Firewall, VelociRaptor and Gateway Security products

CVSS v2 base score 7.5 - HIGH (vector AV:N/AC:L/Au:N/C:P/I:P/A:P). Note: the metric labels below use CVSS v3 wording ("Privileges required"), but the values are the v2 metrics (Au:N; partial confidentiality/integrity/availability impact).
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections. Predictable ISNs matter because an attacker who can guess the server's ISN can complete a TCP three-way handshake from a forged source address without ever seeing the SYN-ACK, and can therefore reach services that trust clients by source IP address.

Exploit-Db

description: Linux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability. CVE-1999-0077, CVE-2000-0916, CVE-2001-0162, CVE-2001-0163, CVE-2001-0288, CVE-2001-0328... (Note: this Exploit-DB entry targets the Linux 2.2 kernel's ISN generator, not the Symantec products above; it is cross-referenced here as a proof of concept for the same class of weakness, and its CVE list is truncated in this copy.)
id: EDB-ID:19522
last seen: 2016-02-02
modified: 1999-09-27
published: 1999-09-27
reporter: Stealth and S. Krahmer
source: https://www.exploit-db.com/download/19522/
title: Linux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability

Nessus

  • NASL family: General
    NASL id: RAPTOR_ISN.NASL
    description: The remote host seems to generate Initial Sequence Numbers (ISN) in a weak manner which seems to solely depend on the source and destination port of the TCP packets. An attacker may exploit this flaw to establish spoofed connections to the remote host. The Raptor Firewall and Novell NetWare are known to be vulnerable to this flaw, although other network devices may be vulnerable as well.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11057
    published: 2002-08-02
    reporter: This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11057
    title: TCP/IP Initial Sequence Number (ISN) Reuse Weakness
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Script audit and contributions from Carmichael Security
    #      Erik Anderson <[email protected]> (nb: domain no longer exists)
    #      Added link to the Bugtraq message archive
    #
    
    include("compat.inc");
    
    # Plugin registration: this branch runs once at load time and only describes
    # the check; the probe itself follows below.  script_end_attributes() must
    # come after the last script_set_attribute() call.
    if(description)
    {
     script_id(11057);
     script_version("1.36");
    
     # Cross-references: the Symantec CVE plus two Bugtraq IDs (the description
     # below names both Raptor Firewall and Novell NetWare as affected).
     script_cve_id("CVE-2002-1463");
     script_bugtraq_id(5387, 8652);
    
     script_name(english:"TCP/IP Initial Sequence Number (ISN) Reuse Weakness");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote device seems to generate predictable TCP Initial Sequence
    Numbers." );
     script_set_attribute(attribute:"description", value:
    "The remote host seems to generate Initial Sequence Numbers (ISN) in a weak
    manner which seems to solely depend on the source and dest port of the TCP 
    packets.
    
    An attacker may exploit this flaw to establish spoofed connections to the 
    remote host.
    
    The Raptor Firewall and Novell NetWare are known to be vulnerable to this 
    flaw, although other network devices may be vulnerable as well." );
     script_set_attribute(
      attribute:"see_also", 
      value:"https://seclists.org/bugtraq/2002/Aug/60"
     );
     script_set_attribute(
      attribute:"see_also", 
      value:"http://securityresponse.symantec.com/avcenter/security/Content/2002.08.05.html"
     );
     script_set_attribute(
      attribute:"solution", 
      value:
    "If you are using a Raptor Firewall, install the TCP security hotfix
    described in Symantec's advisory.  Otherwise, contact your vendor for
    a patch." );
      # CVSS v2 base vector (network, low complexity, no auth, partial C/I/A);
      # temporal: proof-of-concept exploit, official fix, confirmed report.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2002/08/02");
     # NOTE(review): vuln_publication_date is years before the 2002 Raptor
     # advisory; presumably it dates the ISN-prediction weakness in general
     # rather than this CVE -- confirm before relying on it.
     script_set_attribute(attribute:"vuln_publication_date", value: "1995/01/01");
     script_cvs_date("Date: 2019/03/06 18:38:55");
     # Remote check: no credentials, raw packets only.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_summary(english:"checks for ISN");
     # Categorised as information gathering even though it forges SYNs; the
     # probe is gated on the thorough-tests setting (re-checked at run time).
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.");
     script_family(english:"General");
     script_require_keys("Settings/ThoroughTests");
     exit(0);
    }
    
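    include('global_settings.inc');
    
    # The probe below forges raw SYNs from a fixed source port and leaves half-open
    # state on the target, so it only runs when the user opted into thorough tests.
    if ( ! thorough_tests ) exit(0);
    # Only an IPv4 header is forged below; there is no IPv6 variant of this check.
    if ( TARGET_IS_IPV6 ) exit(0);
    # Capturing our own replies on the loopback path is not reliable.
    if(islocalhost())exit(0);
    
    # Any open TCP port will do: the weakness under test is in the host's ISN
    # generator, not in a particular service.
    port = get_host_open_port();
    if(!port)exit(0);
    
    # Both probes deliberately use the same source port.  The thesis being tested
    # is that the ISN depends only on (source port, destination port), so an
    # identical 4-tuple must yield an identical ISN on a vulnerable host.
    src_port = 1500;
    
    # One IP header per probe, identical apart from a fresh IP ID each, so the two
    # SYNs are distinguishable on the wire.
    ip1 = forge_ip_packet(
          ip_hl   :5,
          ip_v    :4,
          ip_tos  :0,
          ip_len  :20,
          ip_id   :rand(),
          ip_off  :0,
          ip_ttl  :64,
          ip_p    :IPPROTO_TCP,
          ip_src  :compat::this_host()
          );
    
    ip2 = forge_ip_packet(
          ip_hl   :5,
          ip_v    :4,
          ip_tos  :0,
          ip_len  :20,
          ip_id   :rand(),
          ip_off  :0,
          ip_ttl  :64,
          ip_p    :IPPROTO_TCP,
          ip_src  :compat::this_host()
          );
    
    # Independent random client ISNs, so a host that merely echoed or derived its
    # own ISN from ours would not produce two equal server ISNs here.
    s1 = rand();
    s2 = rand();
    
    syn1 = forge_tcp_packet(ip:ip1,
                            th_sport: src_port,
                            th_dport: port,
                            th_flags: TH_SYN,
                            th_seq:   s1,
                            th_ack:   0,
                            th_x2:    0,
                            th_off:   5,
                            th_win:   8192,
                            th_urp:   0);
    
    # Second probe rides on its own IP header (ip2).  NOTE(review): it advertises
    # a zero window where the first advertises 8192; that difference is kept as
    # found, since it is not documented whether it was intentional.
    syn2 = forge_tcp_packet(ip:ip2,
                            th_sport: src_port,
                            th_dport: port,
                            th_flags: TH_SYN,
                            th_seq:   s2,
                            th_ack:   0,
                            th_x2:    0,
                            th_off:   5,
                            th_win:   0,
                            th_urp:   0);
    
    # A SYN-ACK that answers our SYN must acknowledge ISN + 1.
    s1 = s1 + 1;
    s2 = s2 + 1;
    
    # Capture only TCP traffic from the target back to our fixed source port.
    filter = string("tcp and src " , get_host_ip() , " and dst port ", src_port);
    
    r1 = send_packet(syn1, pcap_active:TRUE, pcap_filter:filter);
    if(!r1) exit(0);                 # no reply at all
    
    isn1 = get_tcp_element(tcp:r1, element:"th_seq");
    ack1 = get_tcp_element(tcp:r1, element:"th_ack");
    if(!(ack1 == s1)) exit(0);       # not a reply to our SYN
    if(!isn1) exit(0);               # RST from a closed port carries seq 0
    
    # Reset the half-open connection before re-probing, so the target treats the
    # second SYN on the same 4-tuple as a new connection rather than a retransmit.
    rst1 = forge_tcp_packet(ip:ip1,
                            th_sport: src_port,
                            th_dport: port,
                            th_flags: TH_RST,
                            th_seq:   ack1,
                            th_ack:   0,
                            th_x2:    0,
                            th_off:   5,
                            th_win:   0,
                            th_urp:   0);
    send_packet(rst1, pcap_active:FALSE);
    
    r2 = send_packet(syn2, pcap_active:TRUE, pcap_filter:filter);
    if(!r2) exit(0);
    
    isn2 = get_tcp_element(tcp:r2, element:"th_seq");
    ack2 = get_tcp_element(tcp:r2, element:"th_ack");
    if(!(ack2 == s2)) exit(0);
    if(!isn2) exit(0);
    
    # Tear down the second half-open connection as well, instead of leaving it in
    # the target's SYN queue until it times out.
    rst2 = forge_tcp_packet(ip:ip2,
                            th_sport: src_port,
                            th_dport: port,
                            th_flags: TH_RST,
                            th_seq:   ack2,
                            th_ack:   0,
                            th_x2:    0,
                            th_off:   5,
                            th_win:   0,
                            th_urp:   0);
    send_packet(rst2, pcap_active:FALSE);
    
    # For a random or strongly time-varying generator, two equal 32-bit ISNs are a
    # ~2^-32 coincidence, so a match is reported as port-derived ISNs.
    # NOTE(review): a generator that only advances on a coarse clock tick could
    # also answer two back-to-back SYNs with the same value; there is no delayed
    # re-probe here to rule that out.
    if(isn1 == isn2) security_hole(0);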
    
  • NASL family: F5 Networks Local Security Checks
    NASL id: F5_BIGIP_SOL68401558.NASL
    description: Attackers in a privileged network position may be able to obtain TCP sequence numbers (SEQ) from the BIG-IP system for a short period of time (up to 4 seconds) that will be reused in future connections with the same source and destination port and IP numbers. (Note: the plugin scores this much lower under CVSS v3 — adjacent network, high attack complexity, availability impact only — than the CVSS v2 7.5 it inherits from the CVE.)
    last seen: 2020-05-03
    modified: 2016-11-03
    plugin id: 94480
    published: 2016-11-03
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94480
    title: F5 Networks BIG-IP : BIG-IP virtual server TCP sequence numbers vulnerability (K68401558)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from F5 Networks BIG-IP Solution K68401558.
    #
    # The text description of this plugin is (C) F5 Networks.
    #
    
    include("compat.inc");
    
    # Plugin registration (generated from F5 Solution K68401558); describes the
    # check only.  The version comparison itself follows below.
    if (description)
    {
      script_id(94480);
      script_version("2.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/07");
    
      # Same CVE as the Raptor ISN weakness; F5 tracks its own instance of the
      # sequence-number reuse problem under this ID.
      script_cve_id("CVE-2002-1463");
    
      script_name(english:"F5 Networks BIG-IP : BIG-IP virtual server TCP sequence numbers vulnerability (K68401558)");
      script_summary(english:"Checks the BIG-IP version.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote device is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Attackers in a privileged network position may be able to obtain TCP
    sequence numbers (SEQ) from the BIG-IP system for a short period of
    time (up to 4 seconds) that will be reused in future connections with
    the same source and destination port and IP numbers."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://support.f5.com/csp/article/K14779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://support.f5.com/csp/article/K68401558"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade to one of the non-vulnerable versions listed in the F5
    Solution K68401558."
      );
      # NOTE(review): the v2 vector (network, low complexity, partial C/I/A) is
      # inherited from the CVE, while the v3 vector below rates this as
      # adjacent-network, high complexity, availability-only.  The two disagree
      # substantially; the v3 vector is the one specific to the BIG-IP issue.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # potential_vulnerability: a version match alone does not prove exposure,
      # which is why the check below also requires paranoid reporting.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/06/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/11/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"F5 Networks Local Security Checks");
    
      # Needs the BIG-IP detection plugin's KB entries (version, hotfix, modules)
      # and, because of potential_vulnerability, the paranoid-report setting.
      script_dependencies("f5_bigip_detect.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    
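    include("f5_func.inc");
    
    # Local check: everything below is driven by KB entries that
    # f5_bigip_detect.nbin populates; audit out if any prerequisite is missing.
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    version = get_kb_item("Host/BIG-IP/version");
    if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
    if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
    if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");
    
    sol = "K68401558";
    vmatrix = make_array();
    
    # A version match alone cannot show that a virtual server is exposed, so the
    # finding is only reported under paranoid scanning (potential_vulnerability).
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # K68401558 lists the same affected and fixed versions for every module, so
    # the matrix is built from one pair of lists rather than nine hand-copied
    # entries that could silently drift apart.
    affected_versions   = make_list("12.0.0", "11.5.0-11.6.1");
    unaffected_versions = make_list("12.1.0", "12.0.0HF1", "11.6.1HF1");
    
    foreach bigip_module (make_list("AFM", "AM", "APM", "ASM", "AVR", "GTM", "LC", "LTM", "PEM"))
    {
      vmatrix[bigip_module] = make_array();
      vmatrix[bigip_module]["affected"  ] = affected_versions;
      vmatrix[bigip_module]["unaffected"] = unaffected_versions;
    }
    
    # bigip_is_affected() compares the detected version/hotfix against the matrix
    # for each licensed module; report at host level (port 0) like the remote check.
    if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
    {
      if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "patched" from "none of the affected modules are in use".
      tested = bigip_get_tested_modules();
      audit_extra = "For BIG-IP module(s) " + tested + ",";
      if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
      else audit(AUDIT_HOST_NOT, "running any of the affected modules");
    }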