Vulnerability Name: CVE-2000-0328 (CCN-139) Assigned: 1995-01-01 Published: 1995-01-01 Updated: 2018-10-12 Summary: Windows NT 4.0 generates predictable random TCP initial sequence numbers (ISN), which allows remote attackers to perform spoofing and session hijacking. CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): LowIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N 3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-Other Vulnerability Consequences: Bypass Security References: Source: CCNTCP uses weak initial sequence numbers IRIX TCP/IP Initial Sequence Numbers IP denial-of-service fixes and tunings Weak TCP Sequence Numbers in Sonicwall SOHO Firewall 2 security problem Quantum SNAP server Predictable TCP ISN in Packeteer PacketShaper CVE-1999-0077 CVE-2000-0328 CVE-2000-0916 CVE-2001-0288 CVE-2001-0328 CVE-2001-0751 CVE-2001-1104 CVE-2007-2782 FreeBSD IP Spoofing Packeteer PacketShaper TCP ISN Generation Weakness SGI IRIX Multiple Vulnerabilities HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) (HPSBUX02262) IP Spoofing Attacks and Hijacked Terminal Connections Statistical Weaknesses in TCP/IP Initial Sequence Numbers Microsoft - Improve TCP Initial Sequence Number Randomness FreeBSD TCP Sequence Number Vulnerability Cisco IOS Software TCP Initial Sequence Number Improvements Cisco Multiple Vulnerabilities in CBOS Security Advisory: More Multiple Vulnerabilities in CBOS Cisco IOS Software TCP Initial Sequence Number Randomization Improvements Multiple TCP/IP implementations may use statistically predictable initial sequence numbers Windows NT Service Packs Microsoft Security Bulletin MS99-046: Frequently Asked Questions Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise Malformed RPC Request Can Cause Service Failure 15 August 2001 Cumulative Patch for IIS Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data Cumulative Patch for Internet Information Services (Q319733) Cumulative Patch for Internet Information Service (Q327696) Cumulative Patch for Internet Information Service (811114) Patch Available to Improve TCP Initial Sequence Number Randomness Predictable TCP Initial Sequence Numbers Multiple Vendor TCP/IP ISN Sequence Prediction Weakness Packeteer PacketShaper TCP ISN Prediction SonicWALL SOHO Firewall Predictable TCP Sequence Aztech DSL600EU Router TCP Sequence Prediction Web Interface Access PacketShaper Portmaster Predictable TCP Initial Sequence Number Vulnerability BSD Weak initial Sequence Number Vulnerability Packeteer PacketShaper ISN TCP Packet Spoofing Vulnerability Multiple Vendor TCP Initial Sequence Number Statistical Vulnerability SonicWALL SOHO Firewall Predictable TCP Initial Sequence Number Vulnerability Quantum Snap Server Predictable TCP Sequence Number Vulnerability 604 NT Predictable TCP Sequence Number Vulnerability NetScreen ScreenOS Predictable Initial TCP Sequence Number Vulnerability Linux Predictable TCP Initial Sequence Number Vulnerability 19990824 NT Predictable Initial TCP Sequence numbers - changes observed with SP4 Simple Active Attack Against TCP MS99-046 tcp-seq-predict(139) Unpredictable TCP Sequence Numbers in SP4 How to Prevent Predictable TCP/IP Initial Sequence Numbers Vulnerable Configuration: Configuration 1 :cpe:/o:microsoft:windows_nt:4.0:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:sp3:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:sp4:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:sp5:*:*:*:*:*:* Configuration CCN 1 :cpe:/o:ibm:aix:*:*:*:*:*:*:*:* OR cpe:/o:windriver:bsdos:*:*:*:*:*:*:*:* OR cpe:/o:hp:hp-ux:*:*:*:*:*:*:*:* OR cpe:/o:sgi:irix:*:*:*:*:*:*:*:* OR cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:* OR cpe:/o:sun:solaris:*:*:*:*:*:*:*:* OR cpe:/o:ibm:os2:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_95:*:*:*:*:*:*:*:* OR cpe:/a:data_general:dg_ux:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_98:*:*:*:*:*:*:*:* OR cpe:/a:novell:netware:*:*:*:*:*:*:*:* OR cpe:/o:sco:unix:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_98se:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2000:*:*:*:*:*:*:*:* OR cpe:/o:cisco:ios:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_me:*:*:*:*:*:*:*:* OR cpe:/o:compaq:tru64:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows:xp:*:*:*:*:*:*:* OR cpe:/o:apple:mac_os:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows:2003_server:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:* OR cpe:/a:packeteer:packetshaper:7.3.0g2:*:*:*:*:*:*:* OR cpe:/a:packeteer:packetshaper:7.5.0g1:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_7:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_8:*:*:*:*:*:*:*:* Vulnerability Name: CVE-2000-0328 (CCN-3168) Assigned: 1999-08-25 Published: 1999-08-25 Updated: 1999-08-25 Summary: Microsoft Windows NT introduced a new method of generating TCP sequence numbers, designed to close a hole in previous versions of Windows NT. Earlier versions allowed these numbers to be easily guessed. However, it has been shown that systems using SP4 to SP6 are just as vulnerable to sequence number prediction attacks as earlier service packs. CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
Vulnerability Consequences: Bypass Security References: Source: CCNNT Predictable Initial TCP Sequence numbers - changes observed with SP4 CVE-2000-0328 Microsoft - Improve TCP Initial Sequence Number Randomness Microsoft Security Bulletin MS99-046: Frequently Asked Questions Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise Malformed RPC Request Can Cause Service Failure 15 August 2001 Cumulative Patch for IIS Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data Cumulative Patch for Internet Information Services (Q319733) Cumulative Patch for Internet Information Service (811114) Patch Available to Improve TCP Initial Sequence Number Randomness Leading Security testers NTA Monitor Discover Security Flaw in Microsoft NT4 SP4 NT Predictable TCP Sequence Number Vulnerability nt-sequence-prediction-sp4(3168) Vulnerable Configuration: Configuration CCN 1 :cpe:/o:microsoft:windows_nt:4.0:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:3.5.1:sp4:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:3.5.1:sp5:*:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:* OR cpe:/o:microsoft:windows_nt:4.0:sp6:*:*:*:*:*:* OR cpe:/o:microsoft:windows_2000:*:*:*:*:*:*:*:* BACK
microsoft windows nt 4.0
microsoft windows nt 4.0 sp1
microsoft windows nt 4.0 sp2
microsoft windows nt 4.0 sp3
microsoft windows nt 4.0 sp4
microsoft windows nt 4.0 sp5
ibm aix *
windriver bsdos *
hp hp-ux *
sgi irix *
linux linux kernel *
sun solaris *
ibm os2 *
microsoft windows 95 *
data_general dg ux *
microsoft windows nt 4.0
microsoft windows 98 *
novell netware *
sco unix *
microsoft windows 98se *
microsoft windows 2000 *
cisco ios *
microsoft windows me *
compaq tru64 *
microsoft windows xp
apple mac os *
microsoft windows 2003_server
microsoft windows vista *
packeteer packetshaper 7.3.0g2
packeteer packetshaper 7.5.0g1
microsoft windows 7 *
microsoft windows server 2008
microsoft windows server 2008 - r2
microsoft windows server 2012
microsoft windows 8 *
microsoft windows nt 4.0
microsoft windows nt 3.5.1 sp4
microsoft windows nt 3.5.1 sp5
microsoft windows nt 4.0
microsoft windows nt 4.0 sp6
microsoft windows 2000 *
Denotes that component is vulnerable