FW: Tivoli - backup

Hi all,
today I obtained this mail (translated) from one of our customers. I am not
much of a networking guru; I only know that an IDS is some kind of network
monitoring and analyzing tool, but I don't know exactly what and how the IDS
probes are working. These messages are reported somewhere on the firewall, and TSM
communication was interpreted as potential hijacking (by the customer's people).
Can anybody give me some advice on what is going on and what to do or
tell our customer representatives?
Any help will be appreciated.
Tomas
-----Original Message-----
Sent: Thursday, July 10, 2003 9:58 AM
Subject: Tivoli - backup
During backup by TSM we obtained these messages from the IDS probes: IP
hijacking allows attackers to execute commands into someone's session
(TCP_Hijacking_Tool)
We know that it is not hijacking, but it is not standard behavior. Can we
do something with TSM communications to get rid of it?
This is a detailed view of the problem:
IP hijacking allows attackers to execute commands into someone's session
(TCP_Hijacking_Tool)
About this signature or vulnerability
RealSecure Server Sensor, RealSecure Network Sensor:
This signature detects the use of a TCP hijacking tool on your network.
This indicates an attacker's attempt to determine the TCP sequence and
acknowledgement numbers that two hosts are using in a communication session.
False positives
RealSecure Network Sensor, RealSecure Server Sensor: Though unlikely, it
is possible that a random TCP packet might show the same pattern as that used by
a hijacking tool. It is important to examine the context in which this event
is seen.
Default risk level
High
Sensors that have this signature
RealSecure Server Sensor: 7.0, RealSecure Network Sensor: 7.0, RealSecure
Network Sensor: 2.5, RealSecure Server Sensor: 5.5
Systems affected
Any application: Any version
Type
Suspicious Activity
Vulnerability description
A number of publicly available tools exist to facilitate the hijacking of
TCP sessions. Using such tools, an attacker can determine the TCP sequence
and acknowledgement numbers that two hosts are using in a communication
session. This information could enable the attacker to take over the
legitimate network connection of an authorized user and inject commands into
the session. This is particularly serious because most forms of one-time
passwords do not prevent this access.
Most of these hijacking tools generate specific packets that can be
detected by an intrusion detection system.
How to remove this vulnerability
Use encrypted IP or encrypted login programs if possible, and contact your
vendor for patches to correct TCP sequence prediction vulnerabilities.
References
CERT Advisory CA-1995-01
IP Spoofing Attacks and Hijacked Terminal Connections
<http://www.cert.org/advisories/CA-1995-01.html>
ISS X-Force
IP hijacking allows attackers to execute commands into someone's session
<http://www.iss.net/security_center/static/629.php>
Jirka Havelka