
port numbers

Cisco Security Advisory: Cisco IOS Software IP Service Level Agreement Vulnerability

=======

The Cisco IOS IP Service Level Agreement (IP SLA) feature contains a
denial of service (DoS) vulnerability. The vulnerability is triggered
when malformed UDP packets are sent to a vulnerable device. The
vulnerable UDP port numbers depend on the device configuration.
Default ports are not used for the vulnerable UDP IP SLA operation or
for the UDP responder ports.

Cisco has released free software updates that address this
vulnerability.

IETF RFC on Port Randomization

or data corruption.  These attacks rely on the attacker's ability to
guess or know the five-tuple (Protocol, Source Address, Destination
Address, Source Port, Destination Port) that identifies the transport
protocol instance to be attacked.  This document describes a number
of simple and efficient methods for the selection of the client port
number, such that the possibility of an attacker guessing the exact
value is reduced.  While this is not a replacement for cryptographic
methods for protecting the transport-protocol instance, the
aforementioned port selection algorithms provide improved security
with very little effort and without any key management overhead.  The
algorithms described in this document are local policies that may be

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances

device.

The default port assignment for SQL*Net is TCP port 1521. This is the
value used by Oracle for SQL*Net. Please note the "class-map" command
can be used in the Cisco ASA or Cisco PIX to apply SQL*Net inspection
to a range of different port numbers. A TCP three-way handshake is
needed to exploit this vulnerability. The requirement of a TCP three-way
handshake significantly reduces the possibility of exploitation using
packets with spoofed source addresses.

This vulnerability is documented in Cisco Bug ID CSCsw51809 and has

UPDATE: [ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning

Description
===========

Amit Klein of Trusteer reported that insufficient randomness is used to
calculate the TRXID values and the UDP source port numbers
(CVE-2008-1637). Thomas Biege of SUSE pointed out that a prior fix to
resolve this issue was incomplete, as it did not always enable the
stronger random number generator for source port selection
(CVE-2008-3217).


FreeBSD Security Advisory FreeBSD-SA-08:06.bind

NOTE WELL: This update causes BIND to choose a new, random UDP port for
each new query; this may cause problems for some network configurations,
particularly if firewall(s) block incoming UDP packets on particular
ports.  The avoid-v4-udp-ports and avoid-v6-udp-ports options should be
used to avoid selecting random port numbers within a blocked range.

NOTE WELL: If a port number is specified via the query-source or
query-source-v6 options to BIND, randomized port selection will not be
used.  Consequently it is strongly recommended that these options not
be used to specify fixed port numbers.

[ MDVSA-2010:120 ] squirrelmail

 explore the network topography (DNS scan) and services available
 (port scan) on the inside of (behind) that firewall). As this
 vulnerability is only exploitable post-authentication, and better
 more specific port scanning tools are freely available, we consider
 this vulnerability to be of very low severity. It has been fixed by
 restricting the allowable POP port numbers (with an administrator
 configuration override available) (CVE-2010-1637).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________


FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random

  authentication challenges when operating in hostap mode, which may be
  insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
  random number generator to produce unpredictable IP packet identifiers,
  initial TCP sequence numbers and outgoing port numbers.  During the
  first 300 seconds after booting, it may be easier for an attacker to
  execute IP session hijacking, OS fingerprinting, idle scanning, or in
  some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction

Cisco Security Advisory: Cisco IOS Software TCP Denial of Service Vulnerability

stream data transfer, reliability, efficient flow control, full-duplex
operation, and multiplexing.

When TCP connections are terminated in Cisco IOS Software, they are
allocated a transmission control block (TCB). All allocated TCBs,
associated TCP port numbers, and the TCP state are displayed in the
output of the "show tcp brief all" command-line interface (CLI) command.

Cisco IOS Software version 15.1(2)T contains a vulnerability that could
cause an embryonic TCP connection to remain in SYNRCVD or SYNSENT
state without a further TCP state transition. Examining the output of

Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities

There are three general types of SNMP operations: "get" requests to
request information, "set" requests that modify the configuration of
a remote device, and "trap" messages that provide a monitoring
function. SNMP requests and traps are transported over User Datagram
Protocol (UDP) and are received at the assigned destination port
numbers 161 and 162, respectively.

SNMPv3 provides secure access to devices by authenticating and
encrypting packets over the network. RFC2574 defines
the use of HMAC-MD5-96 and HMAC-SHA-96 as the possible authentication
protocols for SNMPv3.

[SECURITY] [DSA 1544-2] New pdns-recursor packages fix predictable randomness

Here is the text of the original advisory:

  Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses
  a weak random number generator to create DNS transaction IDs and UDP
  source port numbers. As a result, cache poisoning attacks were
  simplified. (CVE-2008-1637)

In the light of recent DNS-related developments (documented in DSAs
1603, 1604, 1605), we recommend that this update is installed as an
additional safety measure.  (The lack of source port randomization was

Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

> fixed, many times by many others.
> -----


Note that this conveniently ignores the option to use randomized port
numbers...  No, it is a pretty fix, but it sure does help.

tim



[ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning

Description
===========

Amit Klein of Trusteer reported that insufficient randomness is used to
calculate the TRXID values and the UDP source port numbers.

Impact
======

A remote attacker could send malicious answers to insert arbitrary DNS

Cisco Security Advisory: Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers

the alternate command show udp can be used instead. The output is
identical to the show ip sockets command.

The device is vulnerable if the Local Port column (fifth from the
left) in the output of show ip sockets contains any of the port
numbers listed in the example below.

    Router#show ip sockets
    Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
    17 192.168.100.1      49 192.168.100.2       49   0   0   11   0 
    17 0.0.0.0             0 192.168.100.2       53   0   0  211   0 

Request for feedback on TCP security (IETF effort)

existing text, and then move on to the next section.

Therefore I'm requesting feedback on all the sections through Section
3.1.2.3. -- this includes the introduction sections, the basic
check on the TCP segment size (Section 3) and the discussion of port
numbers (Section 3.1 with all its subsections).

Please submit comments by Friday March 5th, 2010, so that we can move
on to the next sections in a timely manner.

P.S.: It would be best if you subscribe to the TCP WG mailing-list at:

[SECURITY] [DSA 1544-1] New pdns-recursor packages fix cache poisoning vulnerability

Debian-specific: no
CVE Id(s)      : CVE-2008-1637

Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a
weak random number generator to create DNS transaction IDs and UDP
source port numbers.  As a result, cache poisoning attacks were
simplified. (CVE-2008-1637)

For the stable distribution (etch), these problems have been fixed in
version 3.1.4-1+etch1.



