[35548] in North American Network Operators' Group
Re: tcp,guardent,bellovin
daemon@ATHENA.MIT.EDU (Jim Duncan)
Mon Mar 12 22:38:02 2001
Message-Id: <200103130334.WAA27479@rtp-msg-core-1.cisco.com>
From: Jim Duncan <jnduncan@cisco.com>
To: nanog@merit.edu
Cc: "Steven M. Bellovin" <smb@research.att.com>
In-Reply-To: Message from Rafi Sadowsky <rafi-nanog@meron.openu.ac.il>
of "Tue, 13 Mar 2001 05:12:28 +0200." <Pine.GSO.4.31.0103130508560.9269-100000@meron.openu.ac.il>
Date: Mon, 12 Mar 2001 22:35:37 -0500
Errors-To: owner-nanog-outgoing@merit.edu
Rafi Sadowsky writes:
> No eavesdropping at all? How can a TCP connection be hijacked if you're
> not on the connection path?
> (Or capable of diverting the connection past you -
> breaking routers/source_routing/<whatever>.... )
The attacker merely has to get his data into the TCP stream on the
victim host. No return traffic is necessary. This means the attacker can
be _outside_ the victim's network if source address forgery isn't
prevented. This is _not_ new; it's the same attack Mitnick used on Shimomura.
If you're on the path, you certainly don't need to guess the TCP ISN to
hijack a connection. This isn't new, either. :-)
By the way, Cisco stuff that has the fix we advertised in the security
advisory a couple of weeks ago is *NOT* vulnerable to the attack
announced by Guardent. The older stuff in IOS is not vulnerable either,
but some of our other products _are_ vulnerable. Of course, we already
announced that at http://www.cisco.com/warp/public/707/advisory.html .
I'll be along with a more official announcement, but I figured I'd
mention it here, too.
Jim
--
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan@cisco.com> Phone(Direct/FAX): +1 919 392 6209
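An added example, not part of Jim Duncan's post or of any Cisco tooling: a small audit helper that takes ISNs sampled from successive connections to a host you administer and estimates how much an off-path party would have to guess to land in the stream, which is the property a working ISN fix is supposed to restore. The sample ISN values and the 16-bit "weak" threshold are constructed assumptions of this example.

```python
import math
from typing import List, Sequence

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def isn_deltas(isns: Sequence[int]) -> List[int]:
    """Increment between each consecutive pair of observed ISNs, mod 2^32."""
    return [(later - earlier) % SEQ_MOD for earlier, later in zip(isns, isns[1:])]


def isn_guess_bits(isns: Sequence[int]) -> float:
    """Rough lower bound on the bits an off-path observer would have to guess
    to hit the next ISN, derived from the spread of the observed increments.
    0.0 means the next ISN follows deterministically from the previous one."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    spread = max(deltas) - min(deltas)
    return math.log2(spread + 1)


def assess_isn(isns: Sequence[int], weak_below_bits: float = 16.0) -> str:
    """Verdict for a sampled stack. The 16-bit threshold is an assumption of
    this example, not a figure from the list post."""
    bits = isn_guess_bits(isns)
    if bits == 0.0:
        return "predictable"
    return "weak" if bits < weak_below_bits else "randomized"


# Constructed samples (not real captures): a stack that bumps its ISN by a
# fixed 64000 per connection, one that adds a little jitter to that step, and
# one whose ISNs were hand-picked to look spread over the whole 32-bit space.
FIXED_STEP_ISNS = [0x10000000 + 64000 * i for i in range(6)]
JITTERED_ISNS = [0x20000000]
for step in (64000, 64120, 63900, 64050):
    JITTERED_ISNS.append((JITTERED_ISNS[-1] + step) % SEQ_MOD)
SPREAD_ISNS = [0x1A2B3C4D, 0x9F00E211, 0x3355AAFF, 0xE01C7B90, 0x5D3F19A4]

if __name__ == "__main__":
    for name, sample in (("fixed step", FIXED_STEP_ISNS),
                         ("jittered", JITTERED_ISNS),
                         ("spread", SPREAD_ISNS)):
        print(f"{name:10s} {isn_guess_bits(sample):5.1f} bits  {assess_isn(sample)}")
```

Feed it ISNs read from the SYN-ACKs of a handful of back-to-back connections to your own server; a fixed step comes out at 0 bits and a few hundred units of jitter at only 7 or 8, both far short of the 32-bit space.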