Netgate Discussion Forum
    Version 2.2 - CVE-2002-1463

General pfSense Questions
Mike_OF:

      Hi All,

Had to upgrade my "no known issues" 2.1.5 to 2.2 because the EOL FreeBSD 8.x base was causing us to fail PCI scans. That issue has now been replaced with a failure due to CVE-2002-1463 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1463.

      "Description: TCP/IP Initial Sequence Number (ISN) Reuse Weakness

      Synopsis: The remote device seems to generate predictable TCP Initial Sequence Numbers.

      Impact: The remote host seems to generate Initial Sequence Numbers (ISN) in a weak manner which seems to solely depend on the source and dest port of the TCP packets.

      An attacker may exploit this flaw to establish spoofed connections to the remote host."

Is there any known fix available for this?

kejianshi:

        Didn't see pfsense or bsd in the list:

        Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.

Mike_OF:

Looks like the scanner is now detecting the OS as OpenBSD 4.0, so it may just be assuming that it's vulnerable. Which is a bit ####.

I've now tested it with Nmap and am getting a difficulty > 250, so the scanner really looks to be wrong.

I'll query it with the testing company and come back if they have any evidence of vulnerability to back up their fail stamp. In the meantime, apologies for the noise.

kejianshi:
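The "difficulty" figure Mike_OF quotes from Nmap is the TCP ISN sequence predictability index (SP) that Nmap prints as "TCP Sequence Prediction: Difficulty=...". The block below is an added example, not code from the original thread and not Nmap's own source: it reimplements the three ISN statistics Nmap documents in its reference guide (GCD, ISR and SP) in plain Python and runs them over three constructed sets of ISN samples. The probe timings, all sample ISNs and the `nmap_round` rounding helper are assumptions made for the example; none of the values are captures from pfSense or any real host. The "port-only" set models exactly what the Nessus finding describes, an ISN that depends only on the port pair and so never changes between probes, and scores Difficulty=0, while the high-entropy set scores in the mid-250s, the range Mike_OF reports.

```python
"""Nmap-style TCP ISN predictability metrics (added example, not Nmap's code).

Computes the three ISN statistics Nmap derives from its SEQ probes and prints
in OS-detection output (GCD, ISR and the SP "Difficulty" index), following the
method described in the Nmap reference guide. Sample ISNs and timings below are
constructed for illustration only.
"""
from math import gcd, log2
from statistics import mean, stdev
from typing import Sequence

MOD32 = 1 << 32


def nmap_round(x: float) -> int:
    """Round half up, the way a C `(int)(x * 8 + 0.5)` does (assumed)."""
    return int(x + 0.5)


def mod_diff(a: int, b: int) -> int:
    """Smallest unsigned 32-bit distance between two ISNs (handles wraparound)."""
    return min((a - b) % MOD32, (b - a) % MOD32)


def isn_metrics(isns: Sequence[int], times: Sequence[float]) -> dict:
    """Return {'gcd', 'isr', 'sp'} for ISNs sampled at the given times (seconds).

    Nmap only computes SP when at least four responses were seen; the same
    minimum is enforced here.
    """
    if len(isns) != len(times) or len(isns) < 4:
        raise ValueError("need at least four ISN samples with matching timestamps")
    diffs = [mod_diff(isns[i + 1], isns[i]) for i in range(len(isns) - 1)]
    rates = [d / (times[i + 1] - times[i]) for i, d in enumerate(diffs)]

    # GCD test: the smallest increment the target appears to use.
    seq_gcd = 0
    for d in diffs:
        seq_gcd = gcd(seq_gcd, d)

    # ISR test: counter rate, log-scaled; 0 if the average is below 1/s.
    avg_rate = mean(rates)
    isr = 0 if avg_rate < 1 else nmap_round(8 * log2(avg_rate))

    # SP test: spread of the rates. Normalise by the GCD only when it is
    # larger than 9, since small GCDs are usually just chance.
    if seq_gcd > 9:
        rates = [r / seq_gcd for r in rates]
    spread = stdev(rates)  # sample standard deviation over the rates
    sp = 0 if spread <= 1 else nmap_round(8 * log2(spread))
    return {"gcd": seq_gcd, "isr": isr, "sp": sp}


def difficulty(isns: Sequence[int], times: Sequence[float]) -> int:
    """The SP index, i.e. what Nmap labels 'Difficulty'."""
    return isn_metrics(isns, times)["sp"]


# Constructed probe timings: six SEQ probes roughly 100 ms apart.
PROBE_TIMES = [i * 0.1 for i in range(6)]

# Constructed: ISN derived from the ports alone, so every probe to the same
# port pair gets the same value. This is the behaviour the Nessus text describes.
PORT_ONLY_ISNS = [0x5A5A1234] * 6

# Constructed: a fixed increment of 64000 per probe (a simple counter).
FIXED_STEP_ISNS = [0x10000000 + 64000 * i for i in range(6)]

# Constructed: high-entropy ISNs with no usable common increment.
RANDOM_ISNS = [439041101, 1439041108, 3139041111, 4039041122, 1744073827, 3044073844]

if __name__ == "__main__":
    for name, isns in (("port-only", PORT_ONLY_ISNS),
                       ("fixed step", FIXED_STEP_ISNS),
                       ("random", RANDOM_ISNS)):
        m = isn_metrics(isns, PROBE_TIMES)
        print(f"{name:10s} GCD={m['gcd']} ISR={m['isr']} Difficulty={m['sp']}")
```

A scanner's fail stamp for this finding should be backed by numbers like these taken from the actual target: a Difficulty of 0 (identical or fixed-step ISNs) is evidence, an OS fingerprint guess of "OpenBSD 4.0" is not.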

            Cool - I'm not the expert of all here, by far.
However, I didn't see that there was a recent CVE related to the strength of the randomness of TCP Initial Sequence Numbers for FreeBSD 10.1 or pfSense.

            So yeah - I was wondering if there wasn't a mistake.

jimp (Rebel Alliance Developer, Netgate):

              If you have port forwards or some other traffic forwarded to something else that is vulnerable, it could be flagging that and not the firewall itself.

cdburgess75:

                I got that too, but only after installing haproxy

cmb:

@Mike_OF:

Looks like the scanner is now detecting the OS as OpenBSD 4.0, so it may just be assuming that it's vulnerable. Which is a bit ####.

Yes, that's why. False positive, as OS identification isn't very accurate when you don't have any closed ports that reply. It is indeed a bit "####". :)

walbog:

                    Yes, that's why. False positive, as OS identification isn't very accurate when you don't have any closed ports that reply.

From the description of the original poster Mike_OF, I'm almost certain it's a Nessus message... that's why... ;)


cmb:

                      @walbog:

From the description of the original poster Mike_OF, I'm almost certain it's a Nessus message... that's why... ;)

                      Well, that too. ;) Yeah it is Nessus. Not that any other vulnerability scanner is better in that regard, they all seem to report their fair share of absurdity.
