Vigil@nce - Linux kernel: prediction of IPv4 fragments and TCP sequences
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker could predict identifiers used in IPv4 fragments, and
TCP sequence numbers, in order to create a denial of service or to
inject data.
Severity: 1/4
Creation date: 23/08/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
When the payload of an IPv4 packet is too large, it is fragmented
in several packets. The Identification (16 bit) field of the IPv4
header is used to associate fragments.
The Sequence Number of the TCP header is used during the
initialization of the session, and is then used to reorder the
transported data.
However, the Identification and Sequence Number fields are set
from a truncated MD4, which may be predicted.
An attacker could therefore predict identifiers used in IPv4
fragments, and TCP sequence numbers, in order to create a denial
of service or to inject data.
This vulnerability is similar to VIGILANCE-VUL-10859
(https://vigilance.fr/tree/1/10859).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-prediction-of-IPv4-fragments-and-TCP-sequences-10941