By Thor Olavsrud, InternetNews.com
A security hole in one of the Internet’s most basic protocols —
discovered by security consulting firm Guardent Inc. — leaves the
door open for potentially devastating network attacks that would be
difficult to defend against, detect or trace.
Guardent senior research scientist Tim Newsham discovered a
weakness in the Transmission Control Protocol (TCP), the protocol that
allows computers to communicate with each other. Specifically, the
flaw lies in how TCP Initial Sequence Numbers (ISNs), which are used
to maintain session information between network devices, are
generated. Malicious users could utilize the hole to hijack TCP-based
sessions on the Internet or on corporate networks.
TCP is supposed to generate random ISNs each time it establishes a
connection between two computers. But according to Guardent, while
testing a new piece of networking equipment for a client, Newsham
discovered that the numbers are not as random as experts
thought.
“It is now known that these numbers are guessable on many
platforms, with a high degree of accuracy,” Guardent said Monday.
“The ability to accurately guess sequence numbers, combined with
readily available session information, allows for a variety of
sophisticated attacks on computer networks. These attacks can cause
significant harm and would go undetected by current security
software.”
Guardent said attacks exploiting the weakness could take
multiple forms, including:
- Launching new forms of Denial of Service (DoS) attacks that cut
individual Web server connections and make applications and
networks appear unreliable; this type of DoS attack is far more
subtle than DoS attacks like those which brought down eBay and
Yahoo! last year because it does not rely on overloading networks
by flooding them with traffic
- Information poisoning attacks which insert false information
into data streams intended for publication, e.g. bogus news reports
or fraudulent stock prices
- Session hijacking — taking over a user’s connection to a
computer system, thus allowing the hijacker to operate under the
user’s identity in applications to which that user has access, like
financial applications, Internet infrastructure management,
etc.
According to Jerry Brady, vice president of Research and
Development at Guardent, the weakness stems from the age of the
protocol and also from vendors choosing to emphasize performance
over security.
“The kinds of problems that you face in security protocols like
that change over time,” Brady said. “There was a point in time
where weaker security techniques were chosen, purely on the basis
of performance.”
Brady also said that the increasing speed of networks has
contributed to the problem because networks are asked to generate
more ISNs in a shorter period of time.
Guardent took the unusual step of releasing the information to
the public before a fix for the flaw had been created. However,
while it has publicized the existence of the flaw it has also taken
steps to ensure that its research on the subject does not fall into
the wrong hands. The firm is keeping the details of the research
confidential and is only making it available to legitimate network
equipment vendors, operating system vendors and government agencies
that sign non-disclosure agreements. The firm has also shared the
information with the Computer Emergency Response Team (CERT) based
at Carnegie Mellon University.
“There’s always been a great deal of controversy on disclosure,”
Brady said. “What we tried to take is a fair middle ground where we
disclosed all the information necessary to fix the problem to all
vendors that could fix the problem.”
Dan McCall, co-founder and executive vice president of Guardent,
added that the company faced a different situation in this case
because the flaw did not affect a single client's product but
rather the entire industry.
“We published a widespread public media advisory that contains
no technical information,” Brady said. “What the general public got
probably wouldn’t bring them any closer to building an attack
tool.”
However, a fix for the problem is likely to take some time, as
software on each machine susceptible to the flaw — from Web
servers and e-mail servers to routers and workstations — will
require patches. In many cases, though, vendors already have fixes
that are readily available — they just need to be implemented.
“There are clearly ways to fix this,” Brady said. “The problem
is probably around how much energy people put towards this. It’s a
problem that could be large if nobody handles it.”
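As an added illustration (not from the article, and not Guardent's withheld research), the Python below contrasts a constructed, fully predictable ISN generator of the kind the article describes with an RFC 1948 style keyed-hash generator, the sort of fix vendors already had available, and includes a small self-audit that reports how often a straight-line extrapolation from earlier ISNs lands near the next one. The addresses, ports, step size and tolerance window are assumed values chosen for the demonstration.

```python
import hashlib
import secrets
import time

MASK32 = 0xFFFFFFFF


class CounterISN:
    """Constructed weak generator: one global counter bumped by a fixed step
    per connection, so every ISN reveals the next one (assumed step size)."""
    def __init__(self, start=0x1000, step=64000):
        self.value, self.step = start, step

    def isn(self, src, sport, dst, dport):
        value = self.value
        self.value = (self.value + self.step) & MASK32
        return value


class HashedISN:
    """RFC 1948 style: ISN = M + F(4-tuple, secret), with M a 4 us clock and
    F a keyed hash, so ISNs seen on one peer's connections say nothing about
    the ISNs handed to another peer."""
    def __init__(self, secret=None, clock=time.monotonic_ns):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.clock = clock

    def isn(self, src, sport, dst, dport):
        m = (self.clock() // 4000) & MASK32          # 4-microsecond ticks
        key = f"{src}:{sport}>{dst}:{dport}".encode()
        f = int.from_bytes(hashlib.sha256(self.secret + key).digest()[:4], "big")
        return (m + f) & MASK32


def linear_guess_rate(gen, trials=100, window=2**14):
    """Self-audit: open successive connections from one host (constructed
    addresses) and measure how often extrapolating the last two ISNs lands
    within +/-window of the ISN actually issued next. 1.0 = fully predictable."""
    seen = [gen.isn("10.0.0.1", 40000 + i, "10.0.0.2", 80) for i in range(2)]
    hits = 0
    for i in range(2, trials + 2):
        guess = (2 * seen[-1] - seen[-2]) & MASK32
        actual = gen.isn("10.0.0.1", 40000 + i, "10.0.0.2", 80)
        if min((actual - guess) & MASK32, (guess - actual) & MASK32) < window:
            hits += 1
        seen.append(actual)
    return hits / trials


if __name__ == "__main__":
    print("counter ISN guess rate:", linear_guess_rate(CounterISN()))  # 1.0
    print("hashed ISN guess rate: ", linear_guess_rate(HashedISN()))   # ~0.0
```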
Brady also suggested that organizations concerned about security
should employ encryption and Virtual Private Networks.