Version 2.2 - CVE-2002-1463



  • Hi All,

    Had to upgrade my "No known issues" 2.1.5 to 2.2 because the EOL 8.x FreeBSD base was causing us to now fail PCI scans. This issue has been replaced with a failure due to CVE-2002-1463 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1463.

    "Description: TCP/IP Initial Sequence Number (ISN) Reuse Weakness

    Synopsis: The remote device seems to generate predictable TCP Initial Sequence Numbers.

    Impact: The remote host seems to generate Initial Sequence Numbers (ISN) in a weak manner which seems to solely depend on the source and dest port of the TCP packets.

    An attacker may exploit this flaw to establish spoofed connections to the remote host."

    Is there any known fix available for this?



  • Didn't see pfsense or bsd in the list:

    Symantec Raptor Firewall 6.5 and 6.5.3, Enterprise Firewall 6.5.2 and 7.0, VelociRaptor Models 500/700/1000 and 1100/1200/1300, and Gateway Security 5110/5200/5300 generate easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.



  • Looks like the scanner is now detecting the OS as OpenBSD 4.0 so may be just assuming that it's vulnerable. Which is a bit ####.

    I've now tested it with Nmap and am getting a difficulty > 250, so the scanner really looks to be wrong.

    I'll query it with the testing company and come back if they have any evidence of vulnerability to back up their fail stamp; in the meantime, apologies for the noise.
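
The "difficulty" figure quoted above is Nmap's TCP ISN sequence predictability index (SP). The script below is an added example, not code from pfSense, Nmap or any poster in this thread; it reproduces the SP arithmetic as described in the Nmap OS-detection documentation (https://nmap.org/book/osdetect-methods.html) and runs it over two constructed ISN samples: a host whose ISN is a counter stepped by a fixed amount, and a host drawing each ISN at random. All ISN values, timestamps and function names are assumptions made for the example.

```python
"""Nmap-style TCP ISN "difficulty" (sequence predictability index, SP).

Added example; not pfSense or Nmap code.  Follows the SP description in the
Nmap OS-detection documentation: take the differences between consecutive
ISNs (the shorter way round the 32-bit wraparound), convert them to
per-second rates using the probe timestamps, divide the rates by the GCD of
the differences if that GCD is greater than 9, then
SP = round(8 * log2(sample standard deviation of the rates)), or 0 when the
standard deviation is 1 or less.  The ISN lists and timestamps below are
constructed, not captured from any host.
"""
import math
from functools import reduce
from typing import List, Sequence

SEQ_MODULUS = 1 << 32


def isn_diffs(isns: Sequence[int]) -> List[int]:
    """Distance between consecutive ISNs, taking the shorter direction around
    the 32-bit sequence space so a wrap still counts as a small step."""
    out = []
    for a, b in zip(isns, isns[1:]):
        forward = (b - a) % SEQ_MODULUS
        out.append(min(forward, SEQ_MODULUS - forward))
    return out


def isn_gcd(isns: Sequence[int]) -> int:
    """GCD of the ISN differences; a large value betrays a fixed increment."""
    return reduce(math.gcd, isn_diffs(isns))


def sequence_predictability(isns: Sequence[int], times: Sequence[float]) -> int:
    """SP index for ISNs observed at the given times (seconds).

    0 means the next ISN follows from the previous ones; uniformly random
    ISNs probed 100 ms apart give a rate stddev near 2**31 * 10 / sqrt(12),
    i.e. SP around 260, which is where a ">250" reading sits."""
    if len(isns) != len(times) or len(isns) < 4:
        raise ValueError("need at least four ISNs with matching timestamps")
    diffs = isn_diffs(isns)
    rates = [d / (t1 - t0) for d, t0, t1 in zip(diffs, times, times[1:])]
    gcd = reduce(math.gcd, diffs)
    if gcd > 9:                      # small GCDs are usually chance, per Nmap
        rates = [r / gcd for r in rates]
    mean = sum(rates) / len(rates)
    variance = sum((r - mean) ** 2 for r in rates) / (len(rates) - 1)
    stddev = math.sqrt(variance)
    if stddev <= 1:
        return 0
    return round(8 * math.log2(stddev))


# Constructed sample: six SYN/ACK replies, 100 ms apart, from a host whose
# ISN is a counter stepped by 64000 per connection (trivially predictable).
PROBE_TIMES = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5]
PREDICTABLE_ISNS = [0x12345678 + 64000 * i for i in range(6)]

# Constructed sample: six arbitrary 32-bit values standing in for a host
# that draws each ISN from a strong random source.
RANDOM_ISNS = [0x8F1E2A4C, 0x1A7B9F03, 0xC3D41E88, 0x5E0A7731, 0xFA3C0B9D, 0x27E56D14]


def difficulty_report() -> dict:
    """(GCD, SP) for both constructed hosts, keyed by a label."""
    return {
        "counter": (isn_gcd(PREDICTABLE_ISNS),
                    sequence_predictability(PREDICTABLE_ISNS, PROBE_TIMES)),
        "random": (isn_gcd(RANDOM_ISNS),
                   sequence_predictability(RANDOM_ISNS, PROBE_TIMES)),
    }


if __name__ == "__main__":
    for host, (gcd, sp) in difficulty_report().items():
        print(f"{host:8s} gcd={gcd:<6d} difficulty={sp}")
```

The counter host comes out at difficulty 0 with a GCD of 64000 (exactly the "solely depends on the source and dest port" pattern a scanner would flag), while the random host lands in the mid-250s with a GCD of 1. A real check uses the six ISNs Nmap collects during `nmap -O`; the point of the calculation is that a scanner guessing the OS from a fingerprint, rather than measuring the ISNs it actually received, cannot produce this number.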



  • Cool - I'm not the expert of all here, by far.
    However, I didn't see that there was a recent CVE related to the strength of the randomness of TCP Initial Sequence Numbers for FreeBSD 10.1 or pfSense.

    So yeah - I was wondering if there wasn't a mistake.


  • Rebel Alliance Developer Netgate

    If you have port forwards or some other traffic forwarded to something else that is vulnerable, it could be flagging that and not the firewall itself.



  • I got that too, but only after installing haproxy



  • @Mike_OF:

    Looks like the scanner is now detecting the OS as OpenBSD 4.0 so may be just assuming that it's vulnerable. Which is a bit ####.

    Yes, that's why. False positive, as OS identification isn't very accurate when you don't have any closed ports that reply. It is indeed a bit "####".  :)



  • Yes, that's why. False positive, as OS identification isn't very accurate when you don't have any closed ports that reply.

    From the description of the original poster mike_of: I'm almost certain it's a Nessus message… that's why...  ;)



  • @walbog:

    From the description of the original poster mike_of: I'm almost certain it's a Nessus message… that's why...  ;)

    Well, that too. ;) Yeah, it is Nessus. Not that any other vulnerability scanner is better in that regard; they all seem to report their fair share of absurdity.