Another flaw exposed in TCP

Another security flaw has emerged with communications based on Transmission Control Protocol (TCP) that could be used to “hijack” a user’s session on the Internet or a corporate network, a computer security services company announced Monday.

Tim Newsham, a senior research scientist with Waltham, Mass.-based Guardent Inc., discovered the TCP vulnerability, the company said in a statement. Newsham’s research exposes a weakness in the generation of TCP’s ISNs (Initial Sequence Numbers), which are used to maintain session information between network devices. ISNs are used as a handshake between two machines, identifying legitimate packet traffic.

The numbers are randomly generated, but they can be guessed with a high rate of accuracy, the company said. Sequence numbers coupled with session information could provide network access and then offer a launch pad to conduct sophisticated network attacks. A hacker could launch DoS (denial of service) attacks to cut off individual Web server connections, commence an information poisoning attack to taint legitimate data and hijack a user’s session on a computer system.

Guardent has no hard evidence the vulnerability has been used by hackers, said Jerry Brady, Guardent’s vice-president of research and development. This is not the first time that ISN weaknesses have been discovered, he said. Improvements to TCP were made in 1989 and again in 1995 to ensure more secure TCP sessions, Brady said.

Cisco Systems Inc. on March 1 announced a similar flaw in its Internetwork Operating System (IOS) software that could compromise traffic sent to and from its routers and switches [see story – Flaw revealed in Cisco IOS software]. Cisco had no evidence that the vulnerability had been exploited.

Guardent has shared its information on the vulnerability with the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh, network equipment vendors, operating system vendors and government agencies, the company said.

Guardent can be reached at