Vulnérabilité IPCOP 1.4 rc5

Forum traitant de la distribution sécurisée montante nommée IP cop et basée sur la distribution Smoothwall. C'est à l'heure actuelle le forum le plus actif du site.

Modérateur: modos Ixus

Publier une réponse

Vulnérabilité IPCOP 1.4 rc5

Messagepar gregs50 » 27 Sep 2004 17:03

Juste un p'tit mot pour apporter ma contribution ...

voilà ce que j'ai trouvé comme vulnérabilité sur IPCOP 1.4 rc5 en faisant un audit sur qualys

******************************************************************
******************************************************************
Vulnerability: Multiple Vendor TCP Sequence Number Approximation Vulnerability
Qualys ID : 82054 CVE ID : CAN-2004-0230
Port : N/A
Diagnosis:
TCP provides stateful communications between hosts on a network. TCP sessions are established by a three-way handshake and use random 32-bit sequence and acknowledgement numbers to ensure the validity of traffic. A vulnerability was reported that may permit TCP sequence numbers to be more easily approximated by remote attackers. This issue affects products released by multiple vendors.

The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range, known as the acknowledgement range, of the expected sequence number for a packet in the session. This is determined by the TCP window size, which is negotiated during the three-way handshake for the session. Larger TCP window sizes may be set to allow for more throughput, but the larger the TCP window size, the more probable it is to guess a TCP sequence number that falls within an acceptable range. It was initially thought that guessing an acceptable sequence number was relatively difficult for most implementations given random distribution, making this type of attack impractical. However, some implementations may make it easier to successfully approximate an acceptable TCP sequence number, making these attacks possible with a number of protocols and implementations.

This is further compounded by the fact that some implementations may support the use of the TCP Window Scale Option, as described in RFC 1323, to extend the TCP window size to a maximum value of 1 billion.

This vulnerability will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP address and TCP port.

There are a few factors that may present viable target implementations, such as those which depend on long-lived TCP connections, those that have known or easily guessed IP address endpoints and those implementations with easily guessed TCP source ports. It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack, due to the use of long-lived TCP sessions and the possibility that some implementations may use the TCP Window Scale Option. As a result, this issue is likely to affect a number of routing platforms.

Another factor to consider is the relative difficulty of injecting packets into TCP sessions, as a number of receiving implementations will reassemble packets in order, dropping any duplicates. This may make some implementations more resistant to attacks than others.

It should be noted that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.

Consequences: Successful exploitation of this issue could lead to denial of service attacks on the TCP based services of target hosts. Other consequences may also result, such as man-in-the-middle attacks.
Solution:
Please first check the results section below for the port number on which this vulnerability was detected. If that port number is known to be used for port-forwarding, then it is the backend host that is really vulnerable.

Various implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review. Contact the vendors to obtain more information about affected products and fixes. NISCC Advisory 236929 - Vulnerability Issues in TCP details the vendor patch status as of the time of the advisory, and identifies resolutions and workarounds.

The Internet Engineering Task Force (IETF) has developed an Internet-Draft titled Transmission Control Protocol Security Considerations that addresses this issue.

Workaround:

The following BGP-specific workaround information has been provided.

For BGP implementations that support it, the TCP MD5 Signature Option should be enabled. Passwords that the MD5 checksum is applied to should be set to strong values and changed on a regular basis.

Secure BGP configuration instructions have been provided for Cisco and Juniper at these locations:


http://www.cymru.com/Documents/secure-bgp-template.html


http://www.qorbit.net/documents/junos-bgp-template.pdf

NISCC has provided
Best Practices Guidelines for BGP.



******************************************************************
******************************************************************


Rien d'allarment mais bon c'était pour mettre ma p'tite pierre !!!
sinon j'suis content de cette nouvelle version pour dire mes routeur et modem sont parti dans un placard !!! lol

Je continue les tests.....



ma config : PII 350,4Go DD, 256+32 Mo Ram + green (3COM) + RED (Speedtouch USB Manta)
Dernière édition par gregs50 le 29 Sep 2004 02:26, édité 1 fois au total.
Avatar de l’utilisateur
gregs50
Aspirant
Aspirant
 
Messages: 111
Inscrit le: 10 Mars 2004 01:00
Haut

Messagepar gregs50 » 29 Sep 2004 02:26

up :lol:

tout le monde s'en fou ????
:P
Avatar de l’utilisateur
gregs50
Aspirant
Aspirant
 
Messages: 111
Inscrit le: 10 Mars 2004 01:00
Haut

Messagepar Gesp » 29 Sep 2004 11:13

Un peu
Various implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review.


On ne sent pas trop concerné là

It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack, due to the use of long-lived TCP sessions and the possibility that some implementations may use the TCP Window Scale Option.


On utilise pas BGP.

Je ne dis pas qu'il n'y a pas une faille théorique mais dans ce cas tout le monde est quasiment concerné.
La portée d'un tel audit est difficile à évaluer. Surtout qu'il est très probable que ce soit un message qui est en réponse à chaque test sans même qu'un test particulier détecte la supposée vulnérabilité.
En tout ca, on ne voit pas de résultat de test donc c'est très FUD
Avatar de l’utilisateur
Gesp
Amiral
Amiral
 
Messages: 4481
Inscrit le: 29 Déc 2002 01:00
Haut
Publier une réponse

Retour vers IPCop

Qui est en ligne ?

Utilisateur(s) parcourant actuellement ce forum : Aucun utilisateur inscrit et 1 invité

Powered by boolaz