Fundamental flaw found in TCP

Research and testing from three organizations has led to a security warning regarding the protocol that is the basis for the Internet itself.

Two research papers released by BindView Corp. of Houston and Guardent Inc. of Waltham, Mass., point fingers at the initial sequence numbers (ISNs) in TCP (transmission control protocol) and declare the method by which the ISNs are generated to be predictable and a security vulnerability.

According to Jeffrey Havrilla, an Internet security analyst at the Pittsburgh-based Computer Emergency Response Team (CERT) Coordination Centre, which issued a security warning about the vulnerability in May, research prior to this discovery had already found vulnerabilities in the TCP protocol that would allow hackers to hijack or spoof an Internet transmission. This new vulnerability is, in fact, an extension of the old one.

An ISN is a number in the header of a TCP data packet that increments by a certain amount each time a new packet is sent out on the TCP connection, Havrilla said. The danger lies in the way the number is generated: it is possible for a hacker to guess the next number in the sequence and exploit it for malicious purposes.

“What the new vulnerability is, is a new technique for trying to guess what initial sequence number is on a remote system,” Havrilla said.

Even though operating system vendors have tried to make the ISN as difficult to predict as possible, there is still enough statistical regularity to set off alarm bells: the range of numbers that could be generated as the next number in the sequence is significantly small.
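To make that "range of guesses" concrete, here is an added simulation (not from the article or from either research report) that compares a constant-increment ISN generator of the classic kind with an RFC 1948-style keyed-hash generator, and estimates from a sample of observed ISNs how wide the search space for the next one is. The 64000 step, the addresses, the clock rate and the secret are constructed values, and the delta-spread metric is a deliberate simplification of the papers' analysis.

```python
import hashlib

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap


def constant_step_isns(n, start=1, step=64000):
    """Weak scheme: each new connection's ISN is the previous one plus a
    fixed step (constructed step value). Fully predictable after one sample."""
    return [(start + i * step) % MOD for i in range(n)]


def rfc1948_style_isns(n, secret, local=("10.0.0.1", 80), remote_host="192.0.2.7"):
    """ISN = M + F(local, remote, secret): a clock term plus a keyed hash of
    the connection 4-tuple, so ISNs of different connections are unrelated.
    Remote port varies per simulated connection; addresses are constructed."""
    isns = []
    for i in range(n):
        clock = (i * 250_000) % MOD  # 4-microsecond ticks, connections ~1 s apart
        tuple_bytes = f"{local[0]}:{local[1]}:{remote_host}:{40000 + i}".encode()
        f = int.from_bytes(hashlib.sha256(secret + tuple_bytes).digest()[:4], "big")
        isns.append((clock + f) % MOD)
    return isns


def guess_space(isns):
    """Width of the range an observer would have to search for the next ISN,
    estimated from the spread of consecutive deltas. 1 means the next value
    is determined exactly; values near 2**32 mean the generator looks random."""
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    return max(deltas) - min(deltas) + 1


def looks_predictable(isns, threshold=2**16):
    """Flag a generator whose next ISN lies in a range small enough to
    enumerate (threshold is a constructed assessment cut-off)."""
    return guess_space(isns) <= threshold


if __name__ == "__main__":
    weak = constant_step_isns(50)
    strong = rfc1948_style_isns(50, secret=b"constructed-boot-time-secret")
    for name, sample in (("constant step", weak), ("RFC 1948 style", strong)):
        print(f"{name:15s} guess space = {guess_space(sample):>11d} "
              f"predictable = {looks_predictable(sample)}")
```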

“A remote attacker, given today’s technology, would have little trouble on certain platforms and certain systems generating a number of good guesses to try and either hijack or spoof a TCP connection,” Havrilla said.

But before alarm bells are triggered, don’t panic. While there is a potential danger, there has yet to be a single report of a hacker using this method to make an attack, Havrilla said. According to Scott Blake, director of security product strategy at BindView, and Timothy Newsham, senior research scientist at Guardent, neither report detailed how exactly a hacker would go about exploiting the ISN weakness.

A number of conditions must be met before a hacker could use the vulnerability, Havrilla said. For one, the hacker must be able to see the TCP packets in transmission.

According to Newsham, it would require some experience to write code that could take advantage of the ISN weakness; however, for a hacker inexperienced in this area, it is not an impossibility. While an experienced person would take less than a day to figure out the code, a less experienced person could still write it in about a week, he said.

“It’s a subtle problem, although the effects aren’t particularly subtle,” Blake said. And it’s a problem that is stronger with some operating systems (OS) than others because each OS has its own random number generator. For instance, Linux and OpenBSD have the best randomization of ISN sequences, he said.

So now that the ISN vulnerability is known, what’s the solution?

“The ultimate solution is if there were widespread encryption at the networking level, a lot of these problems never would have arisen in the first place,” Newsham said. “That’s not to say the flaw wouldn’t have been there, but it wouldn’t be possible for someone to abuse [it].”