
Feature #474

tcp_strong_iss should be 2 instead of 1

Added by Rob Clark almost 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Start date:
2010-12-08
Due date:
% Done:
100%
Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

I found at least two related security issues:

1. /usr/sbin/ndd -get /dev/tcp tcp_strong_iss
1

Read: http://lcamtuf.coredump.cx/oldtcp/tcpseq.html

nano /etc/default/inetinit
set it to 2


2. Nmap finds open ports:

  1. nmap -sS -sU -T4 -O -A -v -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --fuzzy --osscan-guess --script all xxx.xxx.xxx.xxx
    ...
    Not shown: 999 filtered ports, 996 open|filtered ports
    PORT STATE SERVICE VERSION
    53/tcp closed domain
    53/udp closed domain
    111/udp open rpcbind 2-4 (rpc #100000)
    123/udp open ntp NTP v4 (unsynchronized)
    500/udp closed isakmp
    ...
    OS details: Sun OpenSolaris 2009.06, Sun OpenSolaris snv_130, Sun Solaris 8 (SPARC), Sun Solaris 9
    TCP/IP fingerprint:
    OS:SCAN(V=5.35DC1%D=12/8%OT=%CT=53%CU=53%PV=Y%DS=1%DC=D%G=N%M=000C29%TM=4CF
    OS:FFC45%P=i686-pc-windows-windows)SEQT5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F
    OS:=AR%O=%RD=0%Q=)T6T7U1(R=Y
    OS:%DF=N%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
    ...
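The check and change from item 1, worked through as an added example (not code from the issue or from illumos). It assumes the boot-time setting is the TCP_STRONG_ISS= line in /etc/default/inetinit, that the live kernel value is what ndd -get /dev/tcp tcp_strong_iss prints, and that ndd -set /dev/tcp tcp_strong_iss 2 changes the running value until the next reboot. The sample inetinit contents are constructed. Both places are checked, because editing the file alone, as item 1 describes, leaves the running kernel at the old value until reboot.

```python
"""Audit and fix the tcp_strong_iss setting on an illumos or Solaris host.

Added example, not code from the issue or from illumos. The boot-time value
is the TCP_STRONG_ISS= line in /etc/default/inetinit; the live value is what
ndd -get /dev/tcp tcp_strong_iss prints. Both must be 2 for the RFC 1948
generator to be in use now and after the next reboot.
"""
import re
import subprocess
import sys

WANTED = 2
INETINIT_PATH = "/etc/default/inetinit"
NDD = ["/usr/sbin/ndd", "-get", "/dev/tcp", "tcp_strong_iss"]
# An assignment line, optionally followed by a shell comment; commented-out
# lines (leading '#') deliberately do not match.
_ASSIGN_RE = re.compile(r"^\s*TCP_STRONG_ISS\s*=\s*(\d+)\s*(#.*)?$")


def parse_inetinit(text):
    """Return the effective TCP_STRONG_ISS value in inetinit text, or None.

    The file is sourced by the init script, so a later assignment wins.
    """
    value = None
    for line in text.splitlines():
        m = _ASSIGN_RE.match(line)
        if m:
            value = int(m.group(1))
    return value


def harden_inetinit(text):
    """Return the inetinit text with TCP_STRONG_ISS set to WANTED.

    Every live assignment is rewritten in place so no later line can undo
    the change; if there is none, one is appended.
    """
    lines = text.splitlines()
    found = False
    for i, line in enumerate(lines):
        if _ASSIGN_RE.match(line):
            lines[i] = f"TCP_STRONG_ISS={WANTED}"
            found = True
    if not found:
        lines.append(f"TCP_STRONG_ISS={WANTED}")
    return "\n".join(lines) + "\n"


def parse_ndd_output(output):
    """Parse the single integer ndd -get prints for tcp_strong_iss."""
    text = output.strip()
    if not text.isdigit():
        raise ValueError(f"unexpected ndd output: {output!r}")
    return int(text)


def live_value():
    """Ask the running kernel; needs ndd, i.e. an illumos/Solaris host."""
    proc = subprocess.run(NDD, capture_output=True, text=True, check=True)
    return parse_ndd_output(proc.stdout)


def audit(boot, live):
    """Findings for the two settings; an empty list means both are WANTED."""
    findings = []
    if boot != WANTED:
        findings.append(f"{INETINIT_PATH}: TCP_STRONG_ISS={boot}, want {WANTED} "
                        f"(the boot-time default; edit the file)")
    if live != WANTED:
        findings.append(f"running kernel: tcp_strong_iss={live}, want {WANTED} "
                        f"(fix now with: ndd -set /dev/tcp tcp_strong_iss {WANTED})")
    return findings


# Constructed sample of an inetinit file that still carries the old default.
SAMPLE_INETINIT = """\
# TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
#       0 = old-fashioned sequential generation
#       1 = sequential generation with a random variance in the increment
#       2 = RFC 1948 generation, unique per connection ID
TCP_STRONG_ISS=1
"""

if __name__ == "__main__":
    try:
        with open(INETINIT_PATH) as fh:
            boot = parse_inetinit(fh.read())
        live = live_value()
    except (OSError, subprocess.CalledProcessError) as exc:
        sys.exit(f"not an illumos/Solaris host, or not root: {exc}")
    for finding in audit(boot, live) or ["tcp_strong_iss is 2 at boot and at runtime"]:
        print(finding)
```

Run as root on the host it prints one line per setting that is not 2; harden_inetinit gives the file contents to write back, and the ndd -set command in the finding brings the running kernel in line without waiting for a reboot.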
#1

Updated by Rob Clark almost 10 years ago

PS: Setting tcp_strong_iss=2 was approved here: http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4625629 (opened 9 years ago :( ).

#2

Updated by Albert Lee almost 10 years ago

That page is beautiful, thank you for finding it. However, it seems to show that the algorithm used for tcp_strong_iss=2 has a significantly more predictable distribution for a given peer address than tcp_strong_iss=1. This is fixable, though...

svc:/network/rpc/bind:default is unavoidable for NFS clients but may not have to be enabled by default.
I'm not sure why the NTP client needs to be continuously listening.

#3

Updated by Albert Lee almost 10 years ago

  • Tracker changed from Bug to Feature
  • Project changed from OpenIndiana Distribution to illumos gate
  • Category deleted (Security)
#4

Updated by Albert Lee almost 10 years ago

  • Priority changed from High to Normal

I split the rpc/bind issue to #490, as these really aren't related.

#5

Updated by Rob Clark almost 10 years ago

Albert Lee wrote:

That page is beautiful, thank you for finding it. However, it seems to show that the algorithm used for tcp_strong_iss=2 has a significantly more predictable distribution for a given peer address than tcp_strong_iss=1. This is fixable, though...

svc:/network/rpc/bind:default is unavoidable for NFS clients but may not have to be enabled by default.
I'm not sure why the NTP client needs to be continuously listening.


... seems to show that the algorithm used ...

http://lcamtuf.coredump.cx/oldtcp/tcpseq.html#solaris
The THIRD photo in section 'tcpseq.html#solaris' is bigger and fuzzier than even the Linux section 'tcpseq.html#linux'.

"... R1, which affects search speed and does not have significant meaning for the generated results as long as any points can be found." AND "larger R2 radius indicates a stronger attractor structure while a smaller R2 indicates a more dispersed structure".

Solaris 7's R1 is bigger than any other OS's and its R2 is the smallest, except for MacOS, which has a puny R1; thus it (S7, not necessarily OI) is "best" (when we set tcp_strong_iss=2), according to the page I quoted; we should test this.

It is 'not correct' for us to compare "OpenIndiana" (which was never tested) with OLD versions of "Solaris", but my point is we need to be certain that we don't have this issue. When we boot, do we have the OpenSolaris bug about the "random seed"?

The "highest score" on that Page ( http://lcamtuf.coredump.cx/oldtcp/tcpseq.html ) is:

Operating system: Solaris 7 (tcp_strong_iss=2)
R1 radius: 1000000
Attack feasibility: 0.00%
Avg. number of elements: 762 / n/a
Average R2: 208
Average error: n/a

... seems to show that the algorithm used for tcp_strong_iss=2 has a significantly more predictable distribution for a given peer address than tcp_strong_iss=1 ...

Only IF we altered what 'algorithm 1' does OR "tcp_strong_iss=2" on OpenIndiana is nowhere near as secure as "tcp_strong_iss=2" on "Solaris 7". IIUC.

Rob
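A way to see what the R1 and "attack feasibility" figures quoted from lcamtuf's page measure, as an added example that is not code from the issue, from lcamtuf's tools or from illumos. It rebuilds his delayed-coordinate (x, y, z) points from consecutive ISN differences and replays a simplified form of his guessing attack against three constructed generators: a constant increment, a small random increment, and an RFC 1948 clock-plus-MD5 scheme, which is the generator tcp_strong_iss=2 selects. The generators are models written for this example, not the illumos code paths; the 10.0.0.1/10.0.0.2 addresses, the ports, the R1 of 2^20 and the one-tick-per-connection clock are assumptions. The last run shows the limit of RFC 1948 that sits behind the per-peer concern in #2: if the attacker can reuse the whole 4-tuple, the hash term is constant and only the clock moves.

```python
"""Delayed-coordinate ISN predictability test after lcamtuf's analysis.

Added example: not code from the issue, from lcamtuf's tools or from illumos.
The three generators are constructed models, not the illumos implementations.
"""
import hashlib
import math
import random

MASK = 0xFFFFFFFF


def sdelta(a, b):
    """Signed 32-bit difference b - a (ISNs wrap modulo 2**32)."""
    return ((b - a + 0x80000000) & MASK) - 0x80000000


def fixed_step(n, rng, step=128000):
    """Model: ISN advances by a constant per connection (old BSD behaviour)."""
    isn, out = rng.getrandbits(32), []
    for _ in range(n):
        isn = (isn + step) & MASK
        out.append(isn)
    return out


def random_step(n, rng, bits=12):
    """Model: ISN advances by a small random increment per connection."""
    isn, out = rng.getrandbits(32), []
    for _ in range(n):
        isn = (isn + rng.getrandbits(bits)) & MASK
        out.append(isn)
    return out


def rfc1948(n, rng, same_tuple=False, tick=64000):
    """Model of RFC 1948: ISN = clock + MD5(secret || 4-tuple).

    Each sample is a new connection from one client host to 10.0.0.2:80
    (constructed addresses). The client port changes per connection unless
    same_tuple is set, the case RFC 1948 itself points out: with the 4-tuple
    fixed the hash term is constant and only the clock moves. The clock is
    modelled as advancing one tick per connection.
    """
    secret = rng.getrandbits(128).to_bytes(16, "big")
    clock, out = rng.getrandbits(32), []
    for i in range(n):
        sport = 40000 if same_tuple else 40000 + i
        ident = f"10.0.0.1:{sport}->10.0.0.2:80".encode()
        f = int.from_bytes(hashlib.md5(secret + ident).digest()[:4], "big")
        clock = (clock + tick) & MASK
        out.append((clock + f) & MASK)
    return out


def phase_points(isns):
    """lcamtuf's coordinates: (x, y, z) = three consecutive ISN deltas."""
    d = [sdelta(a, b) for a, b in zip(isns, isns[1:])]
    return [(d[i - 2], d[i - 1], d[i]) for i in range(2, len(d))]


def attack(isns, r1, train=0.8):
    """Replay the guessing procedure over the last (1 - train) of the samples.

    For each trial the attacker knows the two previous deltas (x, y), takes
    the z of every earlier point whose (x, y) lies within r1 of them, and
    guesses "last ISN + z" for each such z. Returns (feasibility, mean guess
    set size): the fraction of trials where the true next ISN was among the
    guesses, and how many spoofed packets a guess set costs on average.
    """
    pts = phase_points(isns)
    split = int(len(pts) * train)
    history, trials = pts[:split], pts[split:]
    hits, sizes = 0, []
    for x, y, z in trials:
        cands = {hz for hx, hy, hz in history if math.hypot(hx - x, hy - y) <= r1}
        sizes.append(len(cands))
        hits += z in cands
        history.append((x, y, z))  # the attacker keeps learning as it observes
    return hits / len(trials), sum(sizes) / len(sizes)


def report(n=1000, r1=2 ** 20, seed=1):
    """Feasibility and guess-set size per generator; deterministic for a seed."""
    rng = random.Random(seed)
    return {
        "fixed_step": attack(fixed_step(n, rng), r1),
        "random_step": attack(random_step(n, rng), r1),
        "rfc1948": attack(rfc1948(n, rng), r1),
        "rfc1948_same_tuple": attack(rfc1948(n, rng, same_tuple=True), r1),
    }


if __name__ == "__main__":
    for name, (feas, guesses) in report().items():
        print(f"{name:20s} feasibility {feas:6.1%}  avg guesses {guesses:7.1f}")
```

Run as a script it prints one line per generator. 100% feasibility with a one-element guess set means the next ISN is fully determined by the previous ones (constant increment, or RFC 1948 with the 4-tuple reused); 0% with an empty guess set means the previous ISNs from other ports tell the attacker nothing within R1, which is the property the "Attack feasibility: 0.00%" entry quoted above records.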

#6

Updated by Dan McDonald over 6 years ago

  • Subject changed from [SEC] Nmap finds "Open Ports" and tcp_strong_iss should be 2 instead of 1 to tcp_strong_iss should be 2 instead of 1
  • Difficulty set to Medium
  • Tags set to needs-triage

I am narrowing this bug's scope to just the default setting of tcp_strong_iss.

#7

Updated by Electric Monk over 6 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 6400a6be1817a40f3dbefdd3df7b7d87bcebef30

commit  6400a6be1817a40f3dbefdd3df7b7d87bcebef30
Author: Dan McDonald <danmcd@omniti.com>
Date:   2014-07-18T22:59:38.000Z

    474 tcp_strong_iss should be 2 instead of 1
    Reviewed by: Sebastien Roy <sebastien.roy@delphix.com>
    Reviewed by: Saso Kiselkov <skiselkov.ml@gmail.com>
    Reviewed by: Garrett D'Amore <garrett@damore.org>
    Approved by: Robert Mustacchi <rm@joyent.com>

#8

Updated by Electric Monk over 6 years ago

git commit 680047a5d0ef56480110f0de516145ba0efd5caa

commit  680047a5d0ef56480110f0de516145ba0efd5caa
Author: Dan McDonald <danmcd@omniti.com>
Date:   2014-07-18T23:07:35.000Z

    474 tcp_strong_iss should be 2 instead of 1 (missing file)

#9

Updated by Rob Clark over 6 years ago

Thanks for fixing that Security Hole I reported 3 years ago.
