• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: NT Predictable TCP Sequence Number Vulnerability

Severity: MODERATE

Description:

Windows NT 4 uses predictable TCP sequence number generating algorithms that could allow an attacker to set up connections to other machines with a spoofed source address of the NT host.

Windows NT4.0 until and including SP3 used a predictable means of generating initial TCP sequence numbers, incerementing it by one every millisecond. Alerted to this problem, they changed the method in SP4. However, the new method is in fact easier to predict than the previous one: Now there only 8 possible increments, (0, 2, 4, 6, 8, 10, 12, and 14) and the fact that most TCP/IP stacks will ignore invalid sequence numbers makes this easy to exploit - obtain a valid sequence number, and send 8 packets to the target, each with one of the possible next sequence numbers.

Affected Products:

• Microsoft Windows NT 4.0
• Microsoft Windows NT 4.0 SP1
• Microsoft Windows NT 4.0 SP2
• Microsoft Windows NT 4.0 SP3
• Microsoft Windows NT 4.0 SP4
• Microsoft Windows NT 4.0 SP5
• Microsoft Windows NT Enterprise Server 4.0
• Microsoft Windows NT Enterprise Server 4.0 SP1
• Microsoft Windows NT Enterprise Server 4.0 SP2
• Microsoft Windows NT Enterprise Server 4.0 SP3
• Microsoft Windows NT Enterprise Server 4.0 SP4
• Microsoft Windows NT Enterprise Server 4.0 SP5
• Microsoft Windows NT Server 4.0
• Microsoft Windows NT Server 4.0 SP1
• Microsoft Windows NT Server 4.0 SP2
• Microsoft Windows NT Server 4.0 SP3
• Microsoft Windows NT Server 4.0 SP4
• Microsoft Windows NT Server 4.0 SP5
• Microsoft Windows NT Terminal Server 4.0
• Microsoft Windows NT Terminal Server 4.0 SP1
• Microsoft Windows NT Terminal Server 4.0 SP2
• Microsoft Windows NT Terminal Server 4.0 SP3
• Microsoft Windows NT Terminal Server 4.0 SP4
• Microsoft Windows NT Terminal Server 4.0 SP5
• Microsoft Windows NT Workstation 4.0
• Microsoft Windows NT Workstation 4.0 SP1
• Microsoft Windows NT Workstation 4.0 SP2
• Microsoft Windows NT Workstation 4.0 SP3
• Microsoft Windows NT Workstation 4.0 SP4
• Microsoft Windows NT Workstation 4.0 SP5

References:

• Microsoft: Frequently Asked Questions: Microsoft Security Bulletin (MS99-046)
• NTA Monitor: Leading Security Testers NTA Monitor discover security flaw in Microsoft NT4 SP4

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.