Source: nessus. This script is Copyright (C) 2002-2020 and is owned by Tenable, Inc. or an Affiliate thereof. File: CSCDS04747.NASL
History: Jun 05, 2002 - 12:00 a.m.

Cisco IOS TCP Sequence Prediction Connection Hijacking (CSCds04747)

2002-06-0500:00:00
This script is Copyright (C) 2002-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
79

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.025 Low

EPSS

Percentile

90.2%

Cisco IOS Software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS software running on Cisco routers and switches. It only affects the security of TCP connections that originate or terminate on the affected Cisco device itself; it does not apply to TCP traffic forwarded through the affected device in transit between two other hosts.

This vulnerability is documented as Cisco bug ID CSCds04747.

#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]> (nb: domain no longer exists)
#      Added BugtraqID and CAN
#



include("compat.inc");

if (description)
{
  # Registration pass: this branch only declares plugin metadata and then
  # exits, so none of the version checks below run while `description` is set.

  # Identity and cross-references.
  script_id(10976);
  script_version("1.26");
  script_cve_id("CVE-2001-0288", "CVE-2001-0328");
  script_bugtraq_id(2682);

  script_name(english:"Cisco IOS TCP Sequence Prediction Connection Hijacking (CSCds04747)");

  # Text shown to the analyst in the report.
  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch." );
  script_set_attribute(attribute:"description", value:
"Cisco IOS Software contains a flaw that permits the successful 
prediction of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS 
software running on Cisco routers and switches. It only affects the 
security of TCP connections that originate or terminate on the 
affected Cisco device itself; it does not apply to TCP traffic 
forwarded through the affected device in transit between two other 
hosts.

This vulnerability is documented as Cisco bug ID CSCds04747." );
  script_set_attribute(attribute:"solution", value:
"http://www.nessus.org/u?021e980a" );

  # Risk scoring: CVSS v2 base and temporal vectors plus exploit availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Dates, plugin type and the CPE of the affected platform.
  script_set_attribute(attribute:"plugin_publication_date", value: "2002/06/05");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/27");
  script_set_attribute(attribute:"vuln_publication_date", value: "1995/01/01");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value: "cpe:/o:cisco:ios");
  script_end_attributes();

  # The finding is derived from data collected over SNMP (see the summary),
  # i.e. from the reported software version, not from observing the
  # device's TCP sequence numbers.
  script_summary(english:"Uses SNMP to determine if a flaw is present");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CISCO");

  # The check only runs when these knowledge-base keys exist; presumably
  # they are populated by the two dependency scripts -- verify in those files.
  script_dependencies("snmp_sysDesc.nasl", "snmp_cisco_type.nasl");
  script_require_keys("SNMP/community", "SNMP/sysDesc", "CISCO/model");

  exit(0);
}

# The code starts here

# Result flag: stays 0 unless an affected-release pattern matches the banner.
ok = 0;

# System description string cached in the knowledge base; without it there
# is nothing to compare against, so stop quietly.
os = get_kb_item("SNMP/sysDesc");
if (!os) exit(0);

# The device model is only used as a presence gate here: the value is not
# read again anywhere in this script.
hardware = get_kb_item("CISCO/model");
if (!hardware) exit(0);

# Check for the required operating system...
#----------------------------------------------------------------
# Only banners that identify themselves as IOS are evaluated further.
if (!egrep(string:os, pattern:".*(Internetwork Operating|IOS).*")) exit(0);
# Affected 11.x release trains.
# Each pattern looks for a version token at the start of the banner or after
# whitespace, followed directly by a comma. Trains written with \([0-9]*\)
# are flagged at every build number; the others list the affected builds
# explicitly. Single-value classes such as [1-1] or [0-0] match one digit only.

# 11.0
if (egrep(pattern:"(^|\s+)(11\.0\(([0-9]|[1-1][0-9]|2[0-1])\)|11\.0),", string:os)) ok = 1;

# 11.1
if (egrep(pattern:"(^|\s+)(11\.1\(([0-9]|[1-1][0-9]|2[0-3])\)|11\.1),", string:os)) ok = 1;

# 11.1AA
if (egrep(pattern:"(^|\s+)(11\.1\([0-9]*\)|11\.1)AA[0-9]*,", string:os)) ok = 1;

# 11.1CA
if (egrep(pattern:"(^|\s+)((11\.1\(([0-9]|[1-2][0-9]|3[0-5])\)|11\.1)CA[0-9]*|11\.1\(36\)CA[0-0]),", string:os)) ok = 1;

# 11.1CC
if (egrep(pattern:"(^|\s+)((11\.1\(([0-9]|[1-2][0-9]|3[0-5])\)|11\.1)CC[0-9]*|11\.1\(36\)CC[0-0]),", string:os)) ok = 1;

# 11.1CT
if (egrep(pattern:"(^|\s+)(11\.1\([0-9]*\)|11\.1)CT[0-9]*,", string:os)) ok = 1;

# 11.1IA
if (egrep(pattern:"(^|\s+)((11\.1\(([0-9]|[1-1][0-9]|2[0-7])\)|11\.1)IA[0-9]*|11\.1\(28\)IA[0-0]),", string:os)) ok = 1;

# 11.2
if (egrep(pattern:"(^|\s+)(11\.2\(([0-9]|[1-1][0-9]|2[0-4])\)|11\.2),", string:os)) ok = 1;

# 11.2BC
if (egrep(pattern:"(^|\s+)(11\.2\([0-9]*\)|11\.2)BC[0-9]*,", string:os)) ok = 1;

# 11.2F
if (egrep(pattern:"(^|\s+)(11\.2\([0-9]*\)|11\.2)F[0-9]*,", string:os)) ok = 1;

# 11.2GS
if (egrep(pattern:"(^|\s+)(11\.2\([0-9]*\)|11\.2)GS[0-9]*,", string:os)) ok = 1;

# 11.2P
if (egrep(pattern:"(^|\s+)(11\.2\(([0-9]|[1-1][0-9]|2[0-4])\)|11\.2)P[0-9]*,", string:os)) ok = 1;

# 11.2SA
if (egrep(pattern:"(^|\s+)(11\.2\([0-9]*\)|11\.2)SA[0-9]*,", string:os)) ok = 1;

# 11.2WA3
if (egrep(pattern:"(^|\s+)(11\.2\([0-9]*\)|11\.2)WA3[0-9]*,", string:os)) ok = 1;

# 11.2XA
if (egrep(pattern:"(^|\s+)(11\.2\([0-9]*\)|11\.2)XA[0-9]*,", string:os)) ok = 1;

# 11.3
if (egrep(pattern:"(^|\s+)(11\.3\(([0-9]|1[0-0])\)|11\.3),", string:os)) ok = 1;

# 11.3AA
if (egrep(pattern:"(^|\s+)(11\.3\(([0-9]|1[0-0])\)|11\.3)AA[0-9]*,", string:os)) ok = 1;

# 11.3DA
if (egrep(pattern:"(^|\s+)(11\.3\([0-9]*\)|11\.3)DA[0-9]*,", string:os)) ok = 1;

# 11.3DB
if (egrep(pattern:"(^|\s+)(11\.3\([0-9]*\)|11\.3)DB[0-9]*,", string:os)) ok = 1;

# 11.3HA
if (egrep(pattern:"(^|\s+)(11\.3\([0-9]*\)|11\.3)HA[0-9]*,", string:os)) ok = 1;

# 11.3MA
if (egrep(pattern:"(^|\s+)((11\.3\([0-0]\)|11\.3)MA[0-9]*|11\.3\(1\)MA[0-7]),", string:os)) ok = 1;

# 11.3NA
if (egrep(pattern:"(^|\s+)(11\.3\([0-9]*\)|11\.3)NA[0-9]*,", string:os)) ok = 1;

# 11.3T
if (egrep(pattern:"(^|\s+)((11\.3\(([0-9]|1[0-0])\)|11\.3)T[0-9]*|11\.3\(11\)T[0-0]),", string:os)) ok = 1;

# 11.3WA4
if (egrep(pattern:"(^|\s+)(11\.3\([0-9]*\)|11\.3)WA4[0-9]*,", string:os)) ok = 1;

# 11.3XA
if (egrep(pattern:"(^|\s+)(11\.3\([0-9]*\)|11\.3)XA[0-9]*,", string:os)) ok = 1;

# Affected 12.0 release trains.
# Each pattern looks for a version token at the start of the banner or after
# whitespace, followed directly by a comma. Trains written with \([0-9]*\)
# are flagged at every build number; the others list the affected builds
# explicitly.

# 12.0
if (egrep(pattern:"(^|\s+)(12\.0\(([0-9]|1[0-4])\)|12\.0),", string:os)) ok = 1;

# 12.0DA
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)DA[0-9]*,", string:os)) ok = 1;

# 12.0DB
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)DB[0-9]*,", string:os)) ok = 1;

# 12.0DC
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)DC[0-9]*,", string:os)) ok = 1;

# 12.0S
if (egrep(pattern:"(^|\s+)((12\.0\(([0-9]|1[0-3])\)|12\.0)S[0-9]*|12\.0\(14\)S[0-0]),", string:os)) ok = 1;

# 12.0SC
if (egrep(pattern:"(^|\s+)((12\.0\(([0-9]|1[0-4])\)|12\.0)SC[0-9]*|12\.0\(15\)SC[0-0]),", string:os)) ok = 1;

# 12.0SL
if (egrep(pattern:"(^|\s+)((12\.0\(([0-9]|1[0-3])\)|12\.0)SL[0-9]*|12\.0\(14\)SL[0-0]),", string:os)) ok = 1;

# 12.0ST
if (egrep(pattern:"(^|\s+)((12\.0\(([0-9]|1[0-0])\)|12\.0)ST[0-9]*|12\.0\(11\)ST[0-1]),", string:os)) ok = 1;

# 12.0SX
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)SX[0-9]*,", string:os)) ok = 1;

# 12.0T
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)T[0-9]*,", string:os)) ok = 1;

# 12.0W5
if (egrep(pattern:"(^|\s+)(12\.0\(([0-9]|1[0-2])\)|12\.0)W5[0-9]*,", string:os)) ok = 1;

# 12.0WT
if (egrep(pattern:"(^|\s+)((12\.0\(([0-9]|1[0-2])\)|12\.0)WT[0-9]*|12\.0\(13\)WT[0-5]),", string:os)) ok = 1;

# 12.0XA
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XA[0-9]*,", string:os)) ok = 1;

# 12.0XB
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XB[0-9]*,", string:os)) ok = 1;

# 12.0XC
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XC[0-9]*,", string:os)) ok = 1;

# 12.0XD
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XD[0-9]*,", string:os)) ok = 1;

# 12.0XE
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XE[0-9]*,", string:os)) ok = 1;

# 12.0XF
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XF[0-9]*,", string:os)) ok = 1;

# 12.0XG
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XG[0-9]*,", string:os)) ok = 1;

# 12.0XH
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XH[0-9]*,", string:os)) ok = 1;

# 12.0XI
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XI[0-9]*,", string:os)) ok = 1;

# 12.0XJ
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XJ[0-9]*,", string:os)) ok = 1;

# 12.0XK
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XK[0-9]*,", string:os)) ok = 1;

# 12.0XL
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XL[0-9]*,", string:os)) ok = 1;

# 12.0XM
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XM[0-9]*,", string:os)) ok = 1;

# 12.0XN
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XN[0-9]*,", string:os)) ok = 1;

# 12.0XP
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XP[0-9]*,", string:os)) ok = 1;

# 12.0XQ
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XQ[0-9]*,", string:os)) ok = 1;

# 12.0QR
# NOTE(review): "QR" sits between XQ and XS in an otherwise alphabetical run
# of X trains; it may be a typo for XR, in which case that train is never
# flagged -- confirm against the vendor advisory before changing the pattern.
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)QR[0-9]*,", string:os)) ok = 1;

# 12.0XS
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XS[0-9]*,", string:os)) ok = 1;

# 12.0XU
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XU[0-9]*,", string:os)) ok = 1;

# 12.0XV
if (egrep(pattern:"(^|\s+)(12\.0\([0-9]*\)|12\.0)XV[0-9]*,", string:os)) ok = 1;

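# Affected 12.1 release trains.
# Each pattern looks for a version token at the start of the banner or after
# whitespace, followed directly by a comma. Trains written with \([0-9]*\)
# are flagged at every build number; the others list the affected builds
# explicitly.

# 12.1
if (egrep(pattern:"(^|\s+)(12\.1\([0-6]\)|12\.1),", string:os)) ok = 1;

# 12.1AA
if (egrep(pattern:"(^|\s+)(12\.1\([0-6]\)|12\.1)AA[0-9]*,", string:os)) ok = 1;

# 12.1DA
if (egrep(pattern:"(^|\s+)(12\.1\([0-5]\)|12\.1)DA[0-9]*,", string:os)) ok = 1;

# 12.1CD
if (egrep(pattern:"(^|\s+)(12\.1\([0-3]\)|12\.1)CD[0-9]*,", string:os)) ok = 1;

# 12.1DB
# The earlier form of this entry had lost the minor-version digit
# (12\.\([0-4]\)|12\.), so it could only match a token such as "12.(3)DB"
# and devices on this train were silently reported as not affected.
# The "1" is restored from the entry's position among the 12.1 trains; the
# build range (0-4) is kept as it was.
# NOTE(review): confirm train and range against the vendor advisory.
if (egrep(pattern:"(^|\s+)(12\.1\([0-4]\)|12\.1)DB[0-9]*,", string:os)) ok = 1;

# 12.1DC
if (egrep(pattern:"(^|\s+)(12\.1\([0-4]\)|12\.1)DC[0-9]*,", string:os)) ok = 1;

# 12.1E
if (egrep(pattern:"(^|\s+)(12\.1\([0-5]\)|12\.1)E[0-9]*,", string:os)) ok = 1;

# 12.1EC
if (egrep(pattern:"(^|\s+)(12\.1\([0-5]\)|12\.1)EC[0-9]*,", string:os)) ok = 1;

# 12.1EX
if (egrep(pattern:"(^|\s+)(12\.1\([0-4]\)|12\.1)EX[0-9]*,", string:os)) ok = 1;

# 12.1T
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)T[0-9]*|12\.1\(5\)T[0-4]),", string:os)) ok = 1;

# 12.1XA
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XA[0-9]*,", string:os)) ok = 1;

# 12.1XB
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XB[0-9]*,", string:os)) ok = 1;

# 12.1XC
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XC[0-9]*,", string:os)) ok = 1;

# 12.1XD
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XD[0-9]*,", string:os)) ok = 1;

# 12.1XE
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XE[0-9]*,", string:os)) ok = 1;

# 12.1XF
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XF[0-9]*,", string:os)) ok = 1;

# 12.1XG
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XG[0-9]*,", string:os)) ok = 1;

# 12.1XH
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XH[0-9]*,", string:os)) ok = 1;

# 12.1XI
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XI[0-9]*,", string:os)) ok = 1;

# 12.1XJ
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XJ[0-9]*,", string:os)) ok = 1;

# 12.1XK
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XK[0-9]*,", string:os)) ok = 1;

# 12.1XL
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XL[0-9]*,", string:os)) ok = 1;

# 12.1XM
if (egrep(pattern:"(^|\s+)(12\.1\([0-9]*\)|12\.1)XM[0-9]*,", string:os)) ok = 1;

# 12.1XP
if (egrep(pattern:"(^|\s+)((12\.1\([0-2]\)|12\.1)XP[0-9]*|12\.1\(3\)XP[0-2]),", string:os)) ok = 1;

# 12.1XQ
if (egrep(pattern:"(^|\s+)((12\.1\([0-2]\)|12\.1)XQ[0-9]*|12\.1\(3\)XQ[0-2]),", string:os)) ok = 1;

# 12.1XR
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)XR[0-9]*|12\.1\(5\)XR[0-0]),", string:os)) ok = 1;

# 12.1XT
if (egrep(pattern:"(^|\s+)((12\.1\([0-2]\)|12\.1)XT[0-9]*|12\.1\(3\)XT[0-0]),", string:os)) ok = 1;

# 12.1XU
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)XU[0-9]*|12\.1\(5\)XU[0-0]),", string:os)) ok = 1;

# 12.1XV
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)XV[0-9]*|12\.1\(5\)XV[0-0]),", string:os)) ok = 1;

# 12.1XW
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)XW[0-9]*|12\.1\(5\)XW[0-1]),", string:os)) ok = 1;

# 12.1XY
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)XY[0-9]*|12\.1\(5\)XY[0-3]),", string:os)) ok = 1;

# 12.1XZ
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)XZ[0-9]*|12\.1\(5\)XZ[0-1]),", string:os)) ok = 1;

# 12.1YA
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)YA[0-9]*|12\.1\(5\)YA[0-0]),", string:os)) ok = 1;

# 12.1YB
if (egrep(pattern:"(^|\s+)(12\.1\([0-4]\)|12\.1)YB[0-9]*,", string:os)) ok = 1;

# 12.1YC
if (egrep(pattern:"(^|\s+)((12\.1\([0-4]\)|12\.1)YC[0-9]*|12\.1\(5\)YC[0-0]),", string:os)) ok = 1;

# 12.1YD
if (egrep(pattern:"(^|\s+)(12\.1\([0-4]\)|12\.1)YD[0-9]*,", string:os)) ok = 1;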


#----------------------------------------------

# Raise the finding on udp/161 when any affected-release pattern matched.
# The result rests on the reported version string alone, so a device whose
# banner is inaccurate or customised can be misclassified either way.
if (ok)
{
  security_hole(port:161, proto:"udp");
}
| Vendor | Product | Version | CPE |
| cisco | ios | | cpe:/o:cisco:ios |
