[ale] TCP Sequence Number Approximation Vulnerability

Lightner, Jeff jlightner at water.com
Wed Mar 16 11:19:27 EDT 2011


The problem is often the CVE is fairly generic (as this one seems to be) so one has to find the specific vendor's equivalent security issue and mitigation.   Many of those may be referenced in the CVE but many may not be. 

From what the OP wrote it sounded almost as if this is an appliance of some sort in which case standard remediation, even if known, might not work.  He'd have to get it from the vendor.   Given it has a 2.4.x kernel (I'm assuming that is what he meant when he said "running 2.4.24") it is apt to be very old and may be out of support by the vendor that made it.

Also on some distros (e.g. RHEL) you get false positives because scanning tools key on base package versions from upstream and ignore the vendor specific release information that would indicate the issue has been addressed.   I've seen this with more than one RHEL package - they put the name of the base package such as BIND 9.3.6 on the package but then extend that with their own release info so it is actually something like 9.3.6-12.3.9el5.  When you check RedHat's site for the CVE it will show that has backported bug and security fixes that address what the scanning tool was complaining about but since the scanner only looked at base package version it sees it as matching a known vulnerability.   That is to say the scanning tools aren't actually checking to see if you have the vulnerability - they are checking to see if what you have is reported to have the vulnerability but only at a very basic level.

Sometimes if you can't fix such things the best you can do is prevent scanning tools from determining information such as what version of a package you are running.  We've had to do this with more than one package.
(Of course you should really only do that if you've verified the package you have actually addresses the vulnerability - as is often said by many "security by obfuscation" doesn't work.)

-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of chip
Sent: Wednesday, March 16, 2011 10:25 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] TCP Sequence Number Approximation Vulnerability

They should be able to provide you with a specific CVE or similar that
you can then reference for information about patches, work-around,
etc..

--chip

On Wed, Mar 16, 2011 at 8:43 AM, Chris Fowler
<cfowler at outpostsentinel.com> wrote:
> A security scan on a device running 2.4.24 came up with 'TCP Sequence
> Number Approximation Vulnerability'.  Is this fixed in a later kernel.
>
> I've googled and am confused.  Most posts say it does not matter but I
> do not control the bank running the scanning tool that is spewing FUD.
>
> Thanks,
> Chris
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
Just my $.02, your mileage may vary,  batteries not included, etc....

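The false-positive mechanism Jeff describes above (a scanner keying on the upstream base version "BIND 9.3.6" and ignoring the vendor release tag "12.3.9el5" that carries the backported fix) can be shown with a small version-comparison routine. The following is an added illustration, not code from anyone in this thread. It assumes an rpm-style "version-release" string, a segment-by-segment comparison in the general shape of rpm's vercmp, and constructed placeholder values for the upstream fixed version and for the vendor's fixed release; the thread gives neither, so these numbers are made up for the demonstration only.

```python
"""Backport-aware vulnerability check (constructed example).

Shows why comparing only the upstream base version flags a vendor package
that already contains the backported fix, and how checking the vendor's
own fixed release avoids the false positive.
"""
import re
from typing import Dict, Tuple

# Split a version or release string into numeric and alphabetic runs,
# e.g. "12.3.9el5" -> ["12", "3", "9", "el", "5"] (rpm-style segmenting).
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def vercmp(a: str, b: str) -> int:
    """Compare two version/release strings segment by segment.

    Numeric segments compare numerically, alphabetic ones lexically, a
    numeric segment outranks an alphabetic one, and on a full tie the
    string with more segments is newer. Returns -1, 0 or 1.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_vr(pkg: str) -> Tuple[str, str]:
    """'9.3.6-12.3.9el5' -> ('9.3.6', '12.3.9el5'); no dash -> release ''."""
    version, _, release = pkg.partition("-")
    return version, release


def naive_is_vulnerable(installed: str, fixed_upstream: str) -> bool:
    """The behaviour the thread complains about: look only at the upstream
    base version and ignore the vendor release tag entirely."""
    version, _ = split_vr(installed)
    return vercmp(version, fixed_upstream) < 0


def backport_aware_is_vulnerable(installed: str, fixed_upstream: str,
                                 vendor_fixed: Dict[str, str]) -> bool:
    """Prefer the vendor's own fixed release for this base version (where a
    backport exists); fall back to the upstream comparison only when the
    vendor has published nothing for this base version."""
    version, release = split_vr(installed)
    if version in vendor_fixed:
        return vercmp(release, vendor_fixed[version]) < 0
    return vercmp(version, fixed_upstream) < 0


# Constructed sample data. The installed string is the one quoted in the
# thread; the "fixed" values are placeholders, not real advisory data.
INSTALLED = "9.3.6-12.3.9el5"
FIXED_UPSTREAM_PLACEHOLDER = "9.4.0"
VENDOR_FIXED_PLACEHOLDER = {"9.3.6": "12.3.9el5"}


def demo() -> Tuple[bool, bool]:
    """Return (naive verdict, backport-aware verdict) for the sample package."""
    naive = naive_is_vulnerable(INSTALLED, FIXED_UPSTREAM_PLACEHOLDER)
    aware = backport_aware_is_vulnerable(INSTALLED, FIXED_UPSTREAM_PLACEHOLDER,
                                         VENDOR_FIXED_PLACEHOLDER)
    return naive, aware


if __name__ == "__main__":
    naive, aware = demo()
    print(f"{INSTALLED}: naive scanner says vulnerable={naive}, "
          f"backport-aware check says vulnerable={aware}")
```

The naive check reports the package as vulnerable because 9.3.6 is older than the placeholder upstream fix, while the release-aware check sees that the installed release is at or past the vendor's fixed release and clears it; an older release such as 12.3.8el5 is still flagged. In practice the vendor_fixed table would be populated from the vendor's own advisory data rather than hand-typed.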