Re: TCPIP Vulnerability Fix in Service Tools

Hello Brad,

Am 12.01.2023 um 18:34 schrieb Brad Stone <bvstone@xxxxxxxxx>:

Here is a link to the IBM document that they used:

https://www.ibm.com/support/pages/tcp-sequence-number-approximation-based-denial-service-cve-2004-0230

From the description I'd say: This is a very theoretical attack vector. Did those guys actually read what's written on there?

Description: TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

Some of these "security guys" sometimes have lost common sense. They focus purely on "There's a security issue you didn't address!!!1111". Generating boss-panick but fail a basic reality check: What's the impact and how likely is it that this impact happens? Ask an insurance agent about that topic! They know perfectly well about the concept! :-)

First: The worst thing that can happen is that an existing TCP connection is forced to be reset. OMG! Wir werden alle störben!!

The only long lived TCP (!) connections from or on an IBM i I can think of are 5250 emulation sessions (telnet). I guess there are virtually no shops exposing 5250 to the internet. Yes, pub400 is an exception. If those sessions are routed through a VPN tunnel, there's no direct exposure of TCP packets on the internet. I guess that's how most IBM i are accessed nowadays from outside the local network.

:wq! PoC