Flaw Uncovered in TCP

A security hole in one of the Internet's most basic protocols — discovered by security consulting firm Guardent, Inc. — leaves the door open for potentially devastating network attacks that would be difficult to defend against, detect, or trace.

Guardent senior research scientist Tim Newsham discovered a weakness in the Transmission Control Protocol (TCP) which allows computers to communicate with each other. Specifically, the flaw lies in the sequence of TCP Initial Sequence Numbers (ISN), used to maintain session information between network devices. Malicious users could utilize the hole to hijack TCP-based sessions on the Internet or on corporate networks.

TCP is supposed to generate random ISNs each time it enables a link between two computers. But according to Guardent, while testing a new piece of networking equipment for a client, Newsham discovered that the numbers are not as random as experts thought.

“It is now known that these numbers are guessable on many platforms, with a high degree of accuracy,” Guardent said Monday. “The ability to accurately guess sequence numbers, combined with readily available session information, allows for a variety of sophisticated attacks on computer networks. These attacks can cause significant harm and would go undetected by current security software.”
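The article does not say how the guessability was measured, and Guardent kept its method confidential. The following is an added example, not Guardent's code, of the kind of check a defender can run against ISNs collected from their own hosts: it feeds a naive "previous ISN plus previous increment" predictor and reports how often that guess lands. The fixed-step generator and the random generator below are constructed samples; the step size of 64000 is an assumption chosen for illustration.

```python
import random

WRAP = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def modular_distance(a, b):
    """Shortest distance between two sequence numbers on the 32-bit ring."""
    d = (a - b) % WRAP
    return min(d, WRAP - d)


def guess_success_rate(isns, window=0):
    """Fraction of observed ISNs a naive predictor would hit.

    The predictor assumes the next ISN equals the previous ISN plus the
    previous increment (the signature of a fixed-step generator). A guess
    counts as a hit when it lands within `window` of the real value.
    A result near 1.0 means the audited stack is trivially guessable;
    a result near 0.0 means this simple model does not explain its ISNs.
    """
    if len(isns) < 3:
        raise ValueError("need at least three observed ISNs")
    hits = 0
    for prev2, prev1, actual in zip(isns, isns[1:], isns[2:]):
        step = (prev1 - prev2) % WRAP
        predicted = (prev1 + step) % WRAP
        if modular_distance(predicted, actual) <= window:
            hits += 1
    return hits / (len(isns) - 2)


def weak_isns(n, start=0x12345678, step=64000):
    """Constructed sample: a fixed-increment generator (ISN += step per connection)."""
    return [(start + i * step) % WRAP for i in range(n)]


def random_isns(n, seed=7):
    """Constructed sample: an independent uniformly random 32-bit ISN per connection."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    # Expected: 1.0 for the fixed-step generator, 0.0 for the random one.
    print("fixed-step generator:", guess_success_rate(weak_isns(200)))
    print("random generator:    ", guess_success_rate(random_isns(200), window=1000))
```

Real stacks can fail in subtler ways than a constant step (time-based increments, small per-connection jitter), so a low score from this one model is not proof of a hardened generator; a high score is proof of a weak one.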

Guardent said attacks exploiting the weakness could take multiple forms, including:

  • Launching new forms of Denial of Service (DoS) attacks that cut individual Web server connections and make applications and networks appear unreliable; this type of DoS attack is far more subtle than DoS attacks like those which brought down eBay and Yahoo! last year because it does not rely on overloading networks by flooding them with traffic
  • Information poisoning attacks which insert false information into data streams intended for publication, e.g. bogus news reports or fraudulent stock prices
  • Session hijacking — taking over a user's connection to a computer system, thus allowing the hijacker to operate under the user's identity in applications to which that user has access, like financial applications, Internet infrastructure management, etc.

According to Jerry Brady, vice president of Research and Development at Guardent, the weakness stems from the age of the protocol and also from vendors choosing to emphasize performance over security.

“The kinds of problems that you face in security protocols like that change over time,” Brady said. “There was a point in time where weaker security techniques were chosen, purely on the basis of performance.”

Brady also said that the increasing speed of networks has contributed to the problem because networks are asked to generate more ISNs in a shorter period of time.

Guardent took the unusual step of releasing the information to the public before a fix for the flaw had been created. However, while it has publicized the existence of the flaw it has also taken steps to ensure that its research on the subject does not fall into the wrong hands. The firm is keeping the details of the research confidential and is only making it available to legitimate network equipment vendors, operating system vendors and government agencies which sign non-disclosure agreements. The firm has also shared the information with the Computer Emergency Response Team (CERT) based at Carnegie Mellon University.

“There's always been a great deal of controversy on disclosure,” Brady said. “What we tried to take is a fair middle ground where we disclosed all the information necessary to fix the problem to all vendors that could fix the problem.”

Dan McCall, co-founder and executive vice president of Guardent, added that the company faced a different situation in this case because it wasn't the product of a single client that was affected by the flaw but rather a flaw that affected the entire industry.

“We published a widespread public media advisory that contains no technical information,” Brady said. “What the general public got probably wouldn't bring them any closer to building an attack tool.”

However, a fix for the problem is likely to take some time, as software on each machine susceptible to the flaw — from Web servers and e-mail servers to routers and workstations — will require patches. In many cases, though, vendors already have fixes that are readily available — they just need to be implemented.

“There are clearly ways to fix this,” Brady said. “The problem is probably around how much energy people put towards this. It's a problem that could be large if nobody handles it.”

Brady also suggested that organizations concerned about security should employ encryption and Virtual Private Networks.
