Whitelisting IPs, block an IP, and repeating sequences


  1. Posts : 7
    Windows 7 Home Premium 64bit
       #1


    Long story short, my computer is, for the first time ever, failing scans by Security Metrics (to make sure I'm PCI compliant). I run Zone Alarm Extreme Security, and for some very odd reason, I fail the scan VERY badly when this software is enabled. When it's completely disabled, and I have Windows Firewall enabled, I fail, but nearly as bad. Anyway, I need to white list some IPs. The tech at Security Metrics said:

    For the worm vulnerabilities and port 256, 257 and 258 this is an indicator that we were not able to perform assessment fully. If you whitelist our IP range this will likely fix the issue. Our IP range is 204.238.82.16-48.

    How do I whitelist IPs in Windows 7? (I'm NOT going to run ZA when I do my next scan. Too many false positives show up.)


    Next, I got this in my scan results:
    "Description: initial TCP sequence number is predictable
    dpcxxxxxxxxxx.direcpc.com xx.xx.xxx.xxx Jun 06 09:14:46 2011 new
    Severity: Area of Concern
    CVE: CVE-1999-0077 5.0918new11
    Impact: A remote attacker could hijack an existing session or create a new
    session using an arbitrary source IP address. If services which use
    address-based authentication mechanisms are enabled on the server, the
    attacker could execute arbitrary commands.
    Background: The Transmission Control Protocol (TCP) is the protocol used by
    services such as telnet, ftp, and smtp to establish a connection between a
    client and a server. Every TCP packet includes a sequence number in the
    header to ensure that all packets are received at the destination and
    re-assembled in the correct order. The sequence numbering begins with an
    initial sequence number which is chosen by the server and sent to the client
    when the connection is established. Thus, sequence numbers also help to
    verify the identity of the client, since only the intended client has
    knowledge of the initial sequence number.
    Resolution: The Solution described in [ftp://ftp.isi.edu/in-notes/rfc1948.txt]
    RFC1948 was developed to sufficiently randomize initial sequence numbers so
    they cannot be predicted. Check [http://www.cert.org/advisories/CA-2001-09.html]
    CERT Advisory 2001-09 to see whether your vendor has released a patch which
    implements this Solution. If your operating system is vulnerable and there is
    no patch available, it would be advisable to upgrade your operating system.
    Most modern operating systems are not affected by this vulnerability. Windows
    NT users should apply service pack 6a and install the patch referenced in
    [http://www.microsoft.com/technet/security/bulletin/ms99-046.mspx]
    Microsoft Security Bulletin 99-046.
    Vulnerability Details: Service: nmap TCP Sequence Prediction: Difficulty=20
    (Good luck!)"
    I asked about that, and got this response:

    In regards to the predictable sequence number we have replicated the vulnerability below:
    ~$ sudo hping3 -S -Q xx.xx.xxx.xxx -p 80
    [sudo] password for isaac:
    HPING xx.xx.xxx.xxx (eth1 xx.xx.xxx.xxx): S set, 40 headers + 0 data bytes
    877548774 +877548774
    878700774 +1152000
    880300774 +1600000
    881260774 +960000
    883500774 +2240000
    882220774 +4293687295
    884588774 +2368000
    886124774 +1536000
    887468774 +1344000
    889068774 +1600000
    890348774 +1280000
    892332774 +1984000
    893420774 +1088000
    894316774 +896000
    895276774 +960000
    896364774 +1088000
    898028774 +1664000
    899628774 +1600000
    901164774 +1536000
    902828774 +1664000
    904428774 +1600000
    905772774 +1344000

    As you can see some of the sequence numbers are repeating.

    Okay, so they're repeating. How the heck do I fix it????? (I thought that's what Security Metrics "support" was for.)

    Last, how do I close port 1433?

    If I've posted in the wrong forum, or if I'd be better posting at another forum, please let me know. Any help anyone could give me would be most appreciated.
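Added example (not part of the original post, and not Security Metrics' or hping3's code): a Python check over the ISN samples quoted in the post above. It counts repeated values and backward steps and takes the greatest common divisor of the deltas; when every delta is a multiple of one large step, the ISNs advance in fixed-size increments instead of ranging over the full 32-bit space. The function names are hypothetical.

```python
import re
from functools import reduce
from math import gcd

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# "<ISN> +<delta>" pairs copied from the hping3 -Q output in the post,
# packed several per line here; real output has one pair per line.
SAMPLE = """
877548774 +877548774 878700774 +1152000 880300774 +1600000 881260774 +960000
883500774 +2240000 882220774 +4293687295 884588774 +2368000 886124774 +1536000
887468774 +1344000 889068774 +1600000 890348774 +1280000 892332774 +1984000
893420774 +1088000 894316774 +896000 895276774 +960000 896364774 +1088000
898028774 +1664000 899628774 +1600000 901164774 +1536000 902828774 +1664000
904428774 +1600000 905772774 +1344000
"""

def parse_isns(text):
    """Return the ISN column, ignoring the delta hping3 prints next to it."""
    return [int(m.group(1)) for m in re.finditer(r"(\d+)\s+\+\d+", text)]

def signed_delta(prev, cur):
    """Step between two ISNs modulo 2**32; a step backwards comes out negative."""
    d = (cur - prev) % MOD
    return d - MOD if d > MOD // 2 else d

def analyse(isns):
    """Summarise how the sampled ISNs move from one SYN/ACK to the next."""
    deltas = [signed_delta(a, b) for a, b in zip(isns, isns[1:])]
    step = reduce(gcd, (abs(d) for d in deltas), 0)  # 0 if no usable deltas
    return {
        "samples": len(isns),
        "repeated_isns": len(isns) - len(set(isns)),
        "backward_steps": sum(d < 0 for d in deltas),
        "distinct_deltas": len(set(deltas)),
        "gcd_of_deltas": step,
        # Deltas in units of the common step: the only part that varies.
        "delta_multiples": [d // step for d in deltas] if step else [],
    }

if __name__ == "__main__":
    for key, value in analyse(parse_isns(SAMPLE)).items():
        print(f"{key}: {value}")
```
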


  2. Posts : 1,326
    Windows 7 Ultimate RTM (Technet)
       #2

    Why do you feel you need something like ZoneAlarm? Are you connected to a router? If so, you don't even need the Windows Firewall, let alone another one.


  3. Posts : 7
    Windows 7 Home Premium 64bit
    Thread Starter
       #3

    Yes, I'm behind a router. When I first started doing the required scans, I failed. Security Metrics recommended ZA, so I bought it, installed it, and left the settings at default. Ran the scan after installation and passed with flying colors. This is the first time I've failed a scan. My fail reports are really bad with ZA enabled. With it disabled, there aren't nearly as many errors. But I do have a few that aren't false alarms, which I've posted. These are the ones I have to fix, but I don't know how.


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.