URGENT – TCP Sequencing vulnerabilities

  • #370223
    punga
    Participant

    I manage a server for a government client who continually scans their network for weakness. For some reason, recently, their scans came up with a medium vulnerability referring to TCP Sequencing. Here is a copy of the report:
    [quote]Risk Level: Medium tcppred
    Platforms: Windows 2003: Any version, Windows: XP, AIX: Any version, Mac OS: Any version, Windows 2000: Any version, Windows: 98 Second Edition, SCO Unix: Any version, Windows: 98, Novell NetWare: Any version, Compaq Tru64 UNIX: Any version, Windows: Me, Cisco IOS: Any version, Solaris: Any version, Linux: Any version, IRIX: Any version, HP-UX: Any version, BSD: Any version, DG/UX: Any version, Windows: 95, OS/2: Any version, Windows NT: 4.0
    Description: The TCP sequence was found to be predictable. When the TCP sequence is predictable, an attacker can send packets that are forged to appear to come from a trusted computer. These forged packets can compromise services, such as rsh and rlogin, because their authentication is based on IP addresses. Attackers can also perform session hijacking to gain access to unauthorized information.
    [/quote]

    I’m having a lot of trouble finding out how to fix this issue, either on Apple’s website or via google searching. Lots of papers (dating back 10 years) about it, but no specific steps on how to resolve it for OS X server. The report they sent me includes lots of links to MS and other UNIX related patches, but nothing for OS X. It’s critical that I resolve this very soon or they will disconnect the server from the network.

    Some specifics:

    Intel X-Serve (specific model escapes me right now because I’m not onsite)
    Mac OS X Server 10.4.10
    Previously configured to comply (mostly) with Common Criteria standards, although a recent call to Apple about an unrelated security audit log issue suggested that the Intel Macs are not certified for Common Criteria, so that could be related.

    Does anyone know how to fix this issue or could give me some insight? I can give more specifics if you need them.

    Shawn Punga
    Senior Macintosh Consultant

    MacLab

    #370226
    punga
    Participant

    If there is a CVE-ID associated with this, I’m not sure what it is. However, I can send you the complete report offline if that will help. (Don’t want to post up the complete content here for obvious reasons)

    It mentions various things including CERT Advisory CA-1995-01. Further research and discussions with some govt.-cyber security experts leads me to believe that this is an ancient issue (10+ years) that has been addressed by all major OSs. Am I to believe that Apple reintroduced the issue in a recent update (security and OS updates have been installed recently)? Or do I need to find some documentation that proves this isn’t really an issue?

    BTW, Joel, I had a class w/you a few years ago at MBS in Gaithersburg for the 10.2 Tech. Coordinator test. Thanks for all the good work you guys do here on AFP548.

    Shawn

    #370425
    Camelot
    Participant

    Even though Mac OS X is not listed as a vulnerable OS (Mac OS is, but Mac OS X is not), you can still tune your system to deal with TCP sequencing problems as well as other performance and security enhancements by implementing rfc1948 support.

    http://www.faqs.org/rfcs/rfc1948.html

    To enable this on Mac OS X, just:

    [code]sysctl -w net.inet.tcp.strict_rfc1948=1[/code]

    or add the setting to /etc/sysctl.conf.
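The scanner report in the first post says the sequence numbers are "predictable", and the reply above points at RFC 1948 as the fix. The following example, added here and not part of either post or of Apple's implementation, shows what the difference looks like: a globally stepped ISN counter next to an RFC 1948 generator (ISN = M + F(localhost, localport, remotehost, remoteport, secret), with MD5 as F, as in the RFC). The addresses, ports, secret and the fixed clock are constructed so the comparison is deterministic; the "extrapolate from the last two ISNs" check is the simplest way to see why one generator fails the scan and the other does not.

```python
"""Added example: RFC 1948 initial sequence number (ISN) generation
next to the kind of globally stepped ISN counter that scanners flag
as 'predictable'. Hosts, ports and the secret below are constructed."""

import hashlib
import ipaddress
import secrets
import struct
import time

MASK32 = 0xFFFFFFFF
TICKS_PER_SECOND = 250_000  # RFC 1948 clock M advances every 4 microseconds


class SteppedIsnSource:
    """Pre-RFC 1948 style: one global counter bumped by a fixed amount
    per connection. Observing one ISN tells you the next one."""

    def __init__(self, start=0, step=64_000):
        self.state = start
        self.step = step

    def next_isn(self, local, remote):
        self.state = (self.state + self.step) & MASK32
        return self.state


class Rfc1948IsnSource:
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    F is a keyed one-way function (MD5 in the RFC), so the per-connection
    offset cannot be derived without the secret; M still makes each
    individual connection's ISN space move forward in time."""

    def __init__(self, secret=None, clock=time.monotonic):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.clock = clock

    def _m(self):
        return int(self.clock() * TICKS_PER_SECOND) & MASK32

    def _f(self, local, remote):
        lhost, lport = local
        rhost, rport = remote
        material = (ipaddress.IPv4Address(lhost).packed + struct.pack("!H", lport)
                    + ipaddress.IPv4Address(rhost).packed + struct.pack("!H", rport)
                    + self.secret)
        digest = hashlib.md5(material).digest()
        return struct.unpack("!I", digest[:4])[0]

    def next_isn(self, local, remote):
        return (self._m() + self._f(local, remote)) & MASK32


class FixedClock:
    """Constructed clock so the comparison below is deterministic."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def observe_isns(source, local, remote_host, remote_ports):
    """ISNs handed out for successive connections from the same host."""
    return [source.next_isn(local, (remote_host, port)) for port in remote_ports]


def extrapolate_next(isns):
    """Assume a constant step between the last two ISNs and project the next one."""
    step = (isns[-1] - isns[-2]) & MASK32
    return (isns[-1] + step) & MASK32


def extrapolation_hits(source, local, remote_host, remote_ports):
    """True when the third ISN follows from the first two, i.e. when the
    generator shows the weakness the scanner report describes."""
    isns = observe_isns(source, local, remote_host, remote_ports[:3])
    return extrapolate_next(isns[:2]) == isns[2]


LOCAL = ("198.51.100.5", 22)   # constructed server side
REMOTE_HOST = "192.0.2.10"     # constructed client side
PORTS = [40000, 40001, 40002, 40003]

if __name__ == "__main__":
    clock = FixedClock()
    stepped = SteppedIsnSource()
    hashed = Rfc1948IsnSource(secret=b"constructed-demo-secret", clock=clock)
    print("stepped counter guessable:", extrapolation_hits(stepped, LOCAL, REMOTE_HOST, PORTS))
    print("RFC 1948 guessable:       ", extrapolation_hits(hashed, LOCAL, REMOTE_HOST, PORTS))
    a = hashed.next_isn(LOCAL, (REMOTE_HOST, 40000))
    clock.advance(1.0)
    b = hashed.next_isn(LOCAL, (REMOTE_HOST, 40000))
    print("same 4-tuple one second later, ISN advanced by:", (b - a) & MASK32)
```

The last print shows the property that makes RFC 1948 safe to turn on: for one and the same connection 4-tuple the ISN still advances with the clock (250,000 per second here), so old duplicate segments are rejected just as with a plain counter; only the relationship between different connections' ISNs is hidden behind the secret. The sysctl in the reply switches the kernel to this scheme; the setting in /etc/sysctl.conf keeps it across reboots.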
