HP ILO 1.93 (and older) Predictable TCP Initial Sequence Numbers Vulnerability

askotamm — Tue, 13 Jan 2009 13:09:27 GMT

Qualys security scanner reports HP ILO 1 ips as vulnerable to "Predictable TCP Initial Sequence Numbers Vulnerability", which breaks PCI DSS compliance ( https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml ) according to Qualys.

The impact is, that servers with HP ILO 1 can not be used in Payment Card Industry DSS compliant environments. Can someone report this as a bug?

more information:
--
2 Predictable TCP Initial Sequence Numbers Vulnerability
QID: 82005 CVSS Base: 7.5 PCI FAILED
Category: TCP/IP CVSS Temporal: 5.4
CVE ID: CVE-1999-0077, CVE-2000-0328, CVE-2000-0916, CVE-2001-0328
Vendor Reference: -
Bugtraq ID: 2682
Modified: 06/06/2008
Edited: No
THREAT:
This server uses TCP/IP implementation that respects the "64K rule", or a "time dependent rule" for generating TCP sequence numbers. Unauthorized users can
predict sequence numbers when two hosts are communicating, and connect to your server from any source IP address. The only difference with a legitimate
connection is that the attacker will not see the replies sent back to the authorized user whose IP was forged.
IMPACT:
Some services, such as rsh or rlogin, may base their authentication on the source IP address. Since malicious users can forge the IP address of a trusted host, they
can bypass authentication protocol. This problem may pose severe threats to any server offering Berkeley "r" services (rlogin, rsh, etc.) or any source IP-based
authentication.
If you do not provide such services, this problem is not critical. If you do use this kind of authentication protocol, unauthorized remote users can execute
commands, and completely compromise your system. Therefore, this vulnerability can be considered dangerous and critical.
SOLUTION:
You may need to upgrade your Operating System to change the behavior of your TCP/IP stack regarding this problem.
This cert advisory describes how to fix this issue : CA-2001-09 (http://www.cert.org/advisories/CA-2001-09.html)
For Microsoft systems you can apply this patch : MS99-046 (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243835&sd=tech): How to Prevent
Predictable TCP/IP Initial Sequence Numbers
For Cisco IOS systems you can apply this patch : cisco-sa-20010301-ios-tcp-isn-random
(http://www.cisco.com/warp/public/707/cisco-sa-20010301-ios-tcp-isn-random.shtml): Cisco IOS Software TCP Initial Sequence Number Randomization
Improvements
COMPLIANCE:
Not Applicable
RESULTS:
Constant changes in initial sequence numbers observed in 22 out of 23 events.
[ Sent Packets Results ]
Packet 1 : TIME[1231344785.981295] SEQ[15149442] CHANGE[N/A] VARIATION[N/A]
Packet 2 : TIME[1231344785.988236] SEQ[15149449] CHANGE[7] VARIATION[N/A]
Packet 3 : TIME[1231344785.995231] SEQ[15149456] CHANGE[7] VARIATION[0]
Packet 4 : TIME[1231344786. 2236] SEQ[15149463] CHANGE[7] VARIATION[0]
Packet 5 : TIME[1231344786. 9229] SEQ[15149470] CHANGE[7] VARIATION[0]
Packet 6 : TIME[1231344786. 16228] SEQ[15149477] CHANGE[7] VARIATION[0]
Packet 7 : TIME[1231344786. 23225] SEQ[15149484] CHANGE[7] VARIATION[0]
Packet 8 : TIME[1231344786. 30224] SEQ[15149491] CHANGE[7] VARIATION[0]
Packet 9 : TIME[1231344786. 37224] SEQ[15149498] CHANGE[7] VARIATION[0]
Packet 10 : TIME[1231344786. 44222] SEQ[15149505] CHANGE[7] VARIATION[0]
Packet 11 : TIME[1231344786. 51222] SEQ[15149512] CHANGE[7] VARIATION[0]
Payment Card Industry (PCI) Technical Report page 200
Packet 12 : TIME[1231344786. 58220] SEQ[15149519] CHANGE[7] VARIATION[0]
Packet 13 : TIME[1231344786. 65220] SEQ[15149526] CHANGE[7] VARIATION[0]
Packet 14 : TIME[1231344786. 72219] SEQ[15149533] CHANGE[7] VARIATION[0]
Packet 15 : TIME[1231344786. 79218] SEQ[15149540] CHANGE[7] VARIATION[0]
Packet 16 : TIME[1231344786. 86216] SEQ[15149547] CHANGE[7] VARIATION[0]
Packet 17 : TIME[1231344786. 93216] SEQ[15149554] CHANGE[7] VARIATION[0]
Packet 18 : TIME[1231344786.100217] SEQ[15149561] CHANGE[7] VARIATION[0]
Packet 19 : TIME[1231344786.107218] SEQ[15149568] CHANGE[7] VARIATION[0]
Packet 20 : TIME[1231344786.114213] SEQ[15149575] CHANGE[7] VARIATION[0]
Packet 21 : TIME[1231344786.121212] SEQ[15149582] CHANGE[7] VARIATION[0]
Packet 22 : TIME[1231344786.128210] SEQ[15149589] CHANGE[7] VARIATION[0]
Packet 23 : TIME[1231344786.135210] SEQ[15149596] CHANGE[7] VARIATION[0]
Packet 24 : TIME[1231344786.142208] SEQ[15149603] CHANGE[7] VARIATION[0]
Constant changes in initial sequence numbers observed in 21 out o
f 23 events.
Packet 1 : TIME[1231344839.390171] SEQ[15202848] CHANGE[N/A] VARIATION[N/A]
Packet 2 : TIME[1231344839.398113] SEQ[15202856] CHANGE[8] VARIATION[N/A]
Packet 3 : TIME[1231344839.405109] SEQ[15202863] CHANGE[7] VARIATION[1]
Packet 4 : TIME[1231344839.412108] SEQ[15202870] CHANGE[7] VARIATION[0]
Packet 5 : TIME[1231344839.419107] SEQ[15202877] CHANGE[7] VARIATION[0]
Packet 6 : TIME[1231344839.426107] SEQ[15202884] CHANGE[7] VARIATION[0]
Packet 7 : TIME[1231344839.433106] SEQ[15202891] CHANGE[7] VARIATION[0]
Packet 8 : TIME[1231344839.440104] SEQ[15202898] CHANGE[7] VARIATION[0]
Packet 9 : TIME[1231344839.447107] SEQ[15202905] CHANGE[7] VARIATION[0]
Packet 10 : TIME[1231344839.454102] SEQ[15202912] CHANGE[7] VARIATION[0]
Packet 11 : TIME[1231344839.461101] SEQ[15202919] CHANGE[7] VARIATION[0]
Packet 12 : TIME[1231344839.468111] SEQ[15202926] CHANGE[7] VARIATION[0]
Packet 13 : TIME[1231344839.475101] SEQ[15202933] CHANGE[7] VARIATION[0]
Packet 14 : TIME[1231344839.482098] SEQ[15202940] CHANGE[7] VARIATION[0]
Packet 15 : TIME[1231344839.489096] SEQ[15202947] CHANGE[7] VARIATION[0]
Packet 16 : TIME[1231344839.496095] SEQ[15202954] CHANGE[7] VARIATION[0]
Packet 17 : TIME[1231344839.503094] SEQ[15202961] CHANGE[7] VARIATION[0]
Packet 18 : TIME[1231344839.510093] SEQ[15202968] CHANGE[7] VARIATION[0]
Packet 19 : TIME[1231344839.517100] SEQ[15202975] CHANGE[7] VARIATION[0]
Packet 20 : TIME[1231344839.524091] SEQ[15202982] CHANGE[7] VARIATION[0]
Packet 21 : TIME[1231344839.531089] SEQ[15202989] CHANGE[7] VARIATION[0]
Packet 22 : TIME[1231344839.538089] SEQ[15202996] CHANGE[7] VARIATION[0]
Packet 23 : TIME[1231344839.545088] SEQ[15203003] CHANGE[7] VARIATION[0]
Packet 24 : TIME[1231344839.552088] SEQ[15203010] CHANGE[7] VARIATION[0]

topic HP ILO 1.93 (and older) Predictable TCP Initial Sequence Numbers Vulnerability in Server Management - Remote Server Management

HP ILO 1.93 (and older) Predictable TCP Initial Sequence Numbers Vulnerability