
Cisco IOS Software TCP Initial Sequence Number

by Phiber on March 1st, 2001

Cisco IOS software contains a flaw that permits the successful prediction of TCP Initial Sequence Numbers.

This vulnerability is present in all released versions of Cisco IOS software running on Cisco routers and switches. It only affects the security of TCP connections that originate or terminate on the affected Cisco device itself; it does not apply to TCP traffic forwarded through the affected device in transit between two other hosts.

To remove the vulnerability, Cisco is offering free software upgrades for all affected platforms. The defect is described in DDTS record CSCds04747.

Workarounds are available that limit or deny successful exploitation of the vulnerability by filtering traffic containing forged IP source addresses at the perimeter of a network or directly on individual devices.

Affected Products

The vulnerability is present in all Cisco routers and switches running affected releases of Cisco IOS Software.

To determine the software running on a Cisco product, log in to the device and issue the command "show version" to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS (tm)". On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the "show version" command or will give different output.
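The banner check described above can be automated when auditing many devices. The following is an added example, not part of the original advisory or Cisco's own tooling; the function names, hostnames and sample "show version" outputs are constructed for illustration.

```python
import re

# Strings the advisory says identify Cisco IOS in the "show version" banner.
IOS_MARKERS = ("Internetwork Operating System Software", "IOS (tm)")
# "(IMAGE-NAME), Version RELEASE", per the advisory's description of the banner.
IMAGE_RE = re.compile(r"\(([^()\s]+)\),?\s+Version\s+([^,\s]+)")


def parse_show_version(output):
    """Return (image, release) if the output is an IOS banner, else None."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if not any(marker in line for marker in IOS_MARKERS):
            continue
        # The image name may be on the marker line itself or on the next line.
        for candidate in lines[i:i + 2]:
            match = IMAGE_RE.search(candidate)
            if match:
                return match.group(1), match.group(2)
    return None


def ios_devices(outputs):
    """Map hostname -> (image, release) for every device reporting IOS."""
    found = {}
    for host, text in outputs.items():
        parsed = parse_show_version(text)
        if parsed:
            found[host] = parsed
    return found


# Constructed sample outputs (hypothetical hostnames, illustrative banners).
SAMPLES = {
    "edge-rtr1": "Cisco Internetwork Operating System Software\n"
                 "IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(7)T, "
                 "RELEASE SOFTWARE (fc2)\n",
    "core-sw1": "IOS (tm) C2900XL Software (C2900XL-C3H2S-M), "
                "Version 12.0(5)XU, RELEASE SOFTWARE (fc1)\n",
    "other-dev": "% Unknown command: show version\n",
}

if __name__ == "__main__":
    # Each IOS device listed here needs checking against the full advisory.
    for host, (image, release) in sorted(ios_devices(SAMPLES).items()):
        print(f"{host}: IOS image {image}, release {release}")
```

Devices that return no match are not running IOS or give different output, as the advisory notes, and need to be identified by other means.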


Forged packets can be injected into a network from a location outside its boundary so that they are trusted as authentic by the receiving host, thus resulting in a failure of integrity. Such packets could be crafted to gain access or make some other modification to the receiving system in order to attain some goal, such as gaining unauthorized interactive access to a system or compromising stored data.

- From a position within the network where it is possible to receive the return traffic (but not necessarily in a position that is directly in the traffic path), a greater range of violations is possible. For example, the contents of a message could be diverted, modified, and then returned to the traffic flow again, causing a failure of integrity and a possible failure of confidentiality.

NOTE: Any compromise using this vulnerability is only possible for TCP sessions that originate or terminate on the affected Cisco device itself. It does not apply to TCP traffic that is merely forwarded through the

Fixes and other info available in the whole advisory.
