--- David Frechette <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Recently I'm receiving the following 2 notifications
> in the report of a single host:
>
> 12213:
> "The remote host might be vulnerable to a sequence
> number approximation bug, which may allow an attacker
> to send spoofed RST packets to the remote host and
> close established connections."
>
> 4259:
> "The TCP initial sequence number of the remote host
> are incremented by random positive values.
> Good!"
>
> IMHO, these notifications are contradictory. I've
> rescanned the system multiple times, but these 2
> notifications keep showing up. Is there an explanation
> for this?

Yes. Read the cross-reference the first one mentions.

The latter purely relates to how the ISN is calculated and if it could be guessed. If it could, then one could perform a blind spoof attack to take advantage of IP-level access controls (e.g. a service relying upon host.allow entries).

The prior refers to the ability to send an RST packet to an established TCP connection because of how implementations deal with window sizes and allowed ranges of RST values. This mainly affects long-lived services, such as BGP, that maintain a long TCP connection and suffer from having it drop.

Is the nmap plugin (14259 btw) statement good? If you don't know what ISN calculations are and the difference between that and the 12213 plugin, then no; it requires a priori information. Once you understand ISNs and what the output is stating, then IMHO, it's a good statement.

12213 reference: http://www.securityfocus.com/bid/10183/solution
ISN reference: http://www.faqs.org/rfcs/rfc1948.html

> Thanks in advance,

Hope this helped and that I wasn't being condescending,
Jon
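The distinction drawn in the reply above, as an added example that is not part of the original thread: a small model showing that an unpredictable RFC 1948 style ISN does not change how many sequence values a receiver accepts for an RST when it honours anything inside its receive window. SHA-256 as the hash, the addresses, ports, secret and 65536-byte window are constructed assumptions, and the exact-match rule (as in RFC 5961) is included for comparison and is not mentioned in the thread.

```python
import hashlib

MOD = 2**32  # TCP sequence numbers are 32-bit and wrap around


def rfc1948_style_isn(clock, laddr, lport, raddr, rport, secret):
    """ISN = M + F(connection 4-tuple, secret), the scheme RFC 1948 describes.
    SHA-256 stands in for F here (an assumption of this example)."""
    ident = f"{laddr}:{lport}>{raddr}:{rport}".encode() + secret
    f = int.from_bytes(hashlib.sha256(ident).digest()[:4], "big")
    return (clock + f) % MOD


def rst_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RST handling behind the 12213 finding: any sequence number inside
    the receive window is honoured (comparison is modulo 2**32)."""
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


def rst_exact_match(seg_seq, rcv_nxt, rcv_wnd):
    """Stricter rule (as in RFC 5961): only SEG.SEQ == RCV.NXT resets."""
    return seg_seq == rcv_nxt


def accepted_grid_points(check, rcv_nxt, rcv_wnd, step=16384):
    """Count how many evenly spaced sequence values the receiver accepts."""
    return sum(check(s, rcv_nxt, rcv_wnd) for s in range(0, MOD, step))


if __name__ == "__main__":
    secret = b"constructed-secret"   # constructed sample value
    wnd = 65536                      # constructed receive window
    total = MOD // 16384
    for raddr in ("192.0.2.10", "192.0.2.11"):   # documentation addresses
        # ISN chosen by the peer; the receiver's RCV.NXT follows it.
        isn = rfc1948_style_isn(1000, "198.51.100.5", 179, raddr, 40000, secret)
        rcv_nxt = (isn + 1) % MOD
        loose = accepted_grid_points(rst_in_window, rcv_nxt, wnd)
        strict = accepted_grid_points(rst_exact_match, rcv_nxt, wnd)
        print(f"{raddr}: ISN={isn:#010x} in-window={loose}/{total} "
              f"exact-match={strict}/{total}")
```

The in-window count is the same for every ISN, which is why a host can score well on ISN randomness and still be flagged for RST handling.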
