Qualys false vulnerabilities.

A client of mine contacted me about a recent Qualys vulnerability scan in which the report listed a "UDP constant IP ID field fingerprint" vulnerability.

The report gives the following explanation:

“Normally, the IP Identification field is intended to be a reasonably unique value, and is used to reconstruct fragmented packets. It has been reported that in some versions of the Linux kernel IP stack implementation as well as other operating systems, UDP packets are transmitted with a constant IP Identification field of 0.
IMPACT:
By exploiting this vulnerability, a malicious user can discover the operating system and approximate kernel version of the host. This information can then be used in further attacks against the host.”

Hmm... how is this a vulnerability? The same scan shows that OS fingerprinting succeeded against other TCP services on the host. Nmap reveals that these TCP ports also return all zeros in the IP ID field. The OS is identified as Linux in the TCP scans, yet Qualys doesn't classify that as a vulnerability.

Is it a vulnerability that an attacker may know you're running Linux? That is information. I would define an actual vulnerability as something that can be exploited, e.g. a buffer overflow, a race condition, a man-in-the-middle condition, or SQL injection.

This is information: something you can use to find vulnerabilities. In fact, if the IP ID field of all non-fragmented UDP packets is always 0, that is also information that can be used to secure the system. An IDS signature could be written that alerts me whenever a non-zero value appears in this field. A non-zero value could be a sign that someone is using the IP ID field to tunnel information, i.e. a covert channel. Now the "vulnerability" is a security feature.
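The detection idea above, written out as an added example (not code from the original post): a small parser for the IPv4 header that raises an alert when a non-fragmented UDP datagram carries a non-zero Identification field. It assumes the monitored host is one the post describes, i.e. one that always emits IP ID 0 for unfragmented UDP; the packets below are constructed test input, not captured traffic.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total len, ID, flags+frag, TTL, proto, csum, src, dst
PROTO_UDP = 17


def build_ipv4_udp(ip_id, flags_frag=0, proto=PROTO_UDP, sport=53, dport=40000):
    """Constructed sample: minimal 20-byte IPv4 header plus an 8-byte UDP header."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(IPV4_HDR, ver_ihl, 0, 28, ip_id, flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + struct.pack("!HHHH", sport, dport, 8, 0)


def parse_ipv4(pkt):
    """Return (ip_id, more_fragments, fragment_offset, protocol) from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ip_id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    more_frag = bool(flags_frag & 0x2000)   # MF bit
    frag_offset = flags_frag & 0x1FFF       # 13-bit fragment offset
    return ip_id, more_frag, frag_offset, proto


def udp_nonzero_ipid_alert(pkt):
    """The signature from the post: alert on unfragmented UDP with a non-zero IP ID.
    Fragments legitimately need a non-zero ID for reassembly, so they are excluded."""
    ip_id, more_frag, frag_offset, proto = parse_ipv4(pkt)
    if proto != PROTO_UDP or more_frag or frag_offset:
        return False
    return ip_id != 0


def scan(pkts):
    """Return the indices of packets that trigger the signature."""
    return [i for i, p in enumerate(pkts) if udp_nonzero_ipid_alert(p)]
```

On a host that randomizes or increments IP IDs the rule would fire on every datagram, so it only makes sense as a per-host baseline for senders known to emit 0.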

Qualys, fix your scan report: reclassify this as information, just like the TCP OS fingerprinting portion of your report, because that's all this is, information that an attacker already has.
